Bug 1149944 (CVE-2019-9854)

Summary: VUL-0: CVE-2019-9854: libreoffice: Unsafe URL assembly flaw in allowed script location check
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: msvec, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/241924/
Whiteboard: CVSSv2:NVD:CVE-2019-9854:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-9854:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:SUSE:CVE-2019-9854:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-09-09 07:51:20 UTC
CVE-2019-9854

LibreOffice has a feature where documents can specify that pre-installed macros
can be executed on various script events such as mouse-over, document-open etc.
Access is intended to be restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install. Protection was
added, to address CVE-2019-9852, to avoid a directory traversal attack where
scripts in arbitrary locations on the file system could be executed by employing
a URL encoding attack to defeat the path verification step. However this
protection could be bypassed by taking advantage of a flaw in how LibreOffice
assembled the final script URL location directly from components of the passed
in path as opposed to solely from the sanitized output of the path verification
step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to
6.2.7; 6.3 versions prior to 6.3.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9854
http://www.debian.org/security/-1/dsa-4519
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9854.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854
http://www.cvedetails.com/cve/CVE-2019-9854/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
Comment 1 Alexandros Toptsoglou 2019-09-09 07:52:52 UTC
Tracked as affected SLE12-SP3 and SLE15 and SLE15-SP1
Comment 2 Tomáš Chvátal 2019-09-09 08:33:06 UTC
Submissions sent to SLE15SP1 SLE15 and SLE12SP3.
Comment 4 Swamp Workflow Management 2019-09-09 14:30:09 UTC
This is an autogenerated message for OBS integration:
This bug (1149944) was mentioned in
https://build.opensuse.org/request/show/729479 Factory / libreoffice
Comment 5 Swamp Workflow Management 2019-09-18 16:13:23 UTC
SUSE-SU-2019:2401-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3
SUSE Linux Enterprise Desktop 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-09-18 16:15:41 UTC
SUSE-SU-2019:2402-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    libreoffice-6.2.7.1-8.10.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libreoffice-6.2.7.1-8.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-09-19 12:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1149944) was mentioned in
https://build.opensuse.org/request/show/731894 Factory / libreoffice
Comment 8 Swamp Workflow Management 2019-09-25 10:11:37 UTC
openSUSE-SU-2019:2183-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
openSUSE Leap 15.1 (src):    libreoffice-6.2.7.1-lp151.3.6.1
Comment 9 Swamp Workflow Management 2019-10-16 19:20:46 UTC
SUSE-SU-2019:2686-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1149943,1149944
CVE References: CVE-2019-9854,CVE-2019-9855
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    libreoffice-6.2.7.1-3.24.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-10-22 04:11:01 UTC
openSUSE-SU-2019:2361-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1149943,1149944
CVE References: CVE-2019-9854,CVE-2019-9855
Sources used:
openSUSE Leap 15.0 (src):    libreoffice-6.2.7.1-lp150.2.19.1
Comment 11 Marcus Meissner 2020-02-05 07:46:35 UTC
done