Bug 1171997 - (CVE-2020-12801) VUL-1: CVE-2020-12801: libreoffice: user accidentally saving a MSOffice file format document unencrypted
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P4 - Low, Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/259682/
CVSSv3.1:SUSE:CVE-2020-12801:4.7:(AV:...
Reported: 2020-05-22 12:26 UTC by Robert Frohl
Modified: 2020-08-04 07:46 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2020-05-22 12:26:04 UTC
CVE-2020-12801

If LibreOffice has an encrypted document open and crashes, that document is
auto-saved encrypted. On restart, LibreOffice offers to restore the
document and prompts for the password to decrypt it. If the recovery is
successful, and if the file format of the recovered document was not
LibreOffice's default ODF file format, then affected versions of
LibreOffice default that subsequent saves of the document are unencrypted.
This may lead to a user accidentally saving a MSOffice file format document
unencrypted while believing it to be encrypted. This issue affects:
LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior
to 6.4.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12801
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12801.html
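
An added example, not part of the original report or of LibreOffice: a triage check for the outcome described above, flagging OOXML files that are expected to be password-protected but were written out as plain ZIP packages. It assumes the MS-OFFCRYPTO layout (an encrypted .docx/.xlsx/.pptx is an OLE compound file holding an `EncryptedPackage` stream, an unencrypted one is a ZIP), does not cover the legacy binary formats, and uses hypothetical file names with constructed sample bytes.

```python
import io
import zipfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                       # unencrypted OOXML is a ZIP package
# Compound-file directory entries store stream names as UTF-16LE.
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")
OOXML_EXT = (".docx", ".xlsx", ".pptx")


def classify(name, data):
    """Heuristic: 'encrypted', 'plaintext', 'unknown' or 'not-ooxml'."""
    if not name.lower().endswith(OOXML_EXT):
        return "not-ooxml"
    if data.startswith(ZIP_MAGIC):
        return "plaintext"
    if data.startswith(CFB_MAGIC) and ENC_STREAM in data:
        return "encrypted"
    return "unknown"


def audit(files, must_be_encrypted):
    """Names that are expected to be encrypted but do not classify as such."""
    return sorted(n for n in must_be_encrypted
                  if classify(n, files.get(n, b"")) != "encrypted")


def constructed_samples():
    # Constructed inputs, not real documents.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    plain = buf.getvalue()
    # Stand-in for a password-protected file: signature, padding, stream name.
    enc = CFB_MAGIC + b"\x00" * 504 + ENC_STREAM + b"\x00" * 96
    return {"budget.xlsx": enc, "recovered.docx": plain, "notes.txt": b"hi"}


if __name__ == "__main__":
    files = constructed_samples()
    for name, data in files.items():
        print(name, classify(name, data))
    print("unexpectedly unencrypted:",
          audit(files, {"budget.xlsx", "recovered.docx"}))
```
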
Comment 1 Robert Frohl 2020-05-22 12:27:35 UTC
affects these codestreams SUSE:SLE-12-SP3:Update and SUSE:SLE-15-SP1:Update
Comment 2 Tomáš Chvátal 2020-05-22 12:51:33 UTC
Well we planned 6.4.4 update anyway so I submitted that to 12sp3 and 15sp1.
Comment 3 OBSbugzilla Bot 2020-05-22 13:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1171997) was mentioned in
https://build.opensuse.org/request/show/808231 Factory / libreoffice
Comment 5 Swamp Workflow Management 2020-06-04 13:14:18 UTC
SUSE-SU-2020:1530-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1160687,1165870,1167463,1171997
CVE References: CVE-2020-12801
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    libreoffice-6.4.4.2-8.19.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-06-08 13:24:31 UTC
openSUSE-SU-2020:0786-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1160687,1165870,1167463,1171997
CVE References: CVE-2020-12801
Sources used:
openSUSE Leap 15.1 (src):    libreoffice-6.4.4.2-lp151.3.15.1
Comment 7 Swamp Workflow Management 2020-06-24 13:13:50 UTC
SUSE-SU-2020:1731-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1160687,1165870,1167463,1171997
CVE References: CVE-2020-12801
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libreoffice-6.4.4.2-43.65.5
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    libreoffice-6.4.4.2-43.65.5
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libreoffice-6.4.4.2-43.65.5
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libreoffice-6.4.4.2-43.65.5

Comment 9 Alexandros Toptsoglou 2020-08-04 07:46:32 UTC
Done