CVE-2019-9850 (retired)

LibreOffice is typically bundled with LibreLogo, a programmable turtle
vector graphics script, which can execute arbitrary Python commands
contained within the document it is launched from. LibreOffice also has a
feature where documents can specify that pre-installed scripts can be
executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo
from script event handlers. However, an insufficient URL validation
vulnerability in LibreOffice allowed malicious documents to bypass that
protection and again trigger calling LibreLogo from script event handlers.
This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

Upstream: released (1:6.3.0-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (1:5.1.6~rc2-0ubuntu1~xenial9)
Ubuntu 18.04 LTS (Bionic Beaver): released (1:6.0.7-0ubuntu0.18.04.9)
Ubuntu 19.04 (Disco Dingo): released (1:6.2.6-0ubuntu0.19.04.1)
Ubuntu 19.10 (Eoan): released (1:6.3.0-0ubuntu1)

Updated: 2019-09-19 16:07:41 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)