Bug 1172796 - (CVE-2020-12802) VUL-1: CVE-2020-12802: libreoffice: 'stealth mode' remote resource restrictions bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/260932/
CVSSv3.1:SUSE:CVE-2020-12802:3.9:(AV:...
Reported: 2020-06-10 13:04 UTC by Wolfgang Frisch
Modified: 2020-08-27 13:16 UTC
Found By: Security Response Team
Description Wolfgang Frisch 2020-06-10 13:04:19 UTC
CVE-2020-12802

LibreOffice has a 'stealth mode' in which only documents from locations deemed
'trusted' are allowed to retrieve remote resources. This mode is not the default
mode, but can be enabled by users who want to disable LibreOffice's ability to
include remote resources within a document. A flaw existed where remote graphic
links loaded from docx documents were omitted from this protection prior to
version 6.4.4. This issue affects: The Document Foundation LibreOffice versions
prior to 6.4.4.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12802
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12802.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12802
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802
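
A defender's check for the document feature this bug concerns, as an added example that is not part of the original report or of LibreOffice's code: it lists the image relationships in a .docx package that are marked `TargetMode="External"`, which is how OOXML records a linked rather than embedded graphic. The function names, the size cap and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
IMAGE_SUFFIX = "/relationships/image"   # matches transitional and strict OOXML type URIs
MAX_RELS_BYTES = 1 << 20                # assumed cap; .rels parts are normally a few KB


def find_linked_graphics(docx_bytes):
    """Return (part, rel_id, target) for every image relationship that is
    linked (TargetMode="External") rather than embedded in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                raise ValueError(f"oversized relationship part: {info.filename}")
            data = zf.read(info)
            if b"<!DOCTYPE" in data:    # a DTD has no place in a .rels part; refuse to parse
                raise ValueError(f"DTD in relationship part: {info.filename}")
            for rel in ET.fromstring(data).iter(REL_TAG):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type", "").endswith(IMAGE_SUFFIX)):
                    findings.append((info.filename, rel.get("Id"), rel.get("Target")))
    return findings


def build_sample_docx(target, external):
    """Constructed fixture: a minimal package holding one image relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/image" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://example.invalid/logo.png", external=True)
    for part, rel_id, target in find_linked_graphics(sample):
        print(f"{part}: {rel_id} -> {target}")
```

Run over a mail quarantine or file share, a non-empty result marks documents worth opening only in a patched LibreOffice (6.4.4 or later per the description above).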
Comment 1 Tomáš Chvátal 2020-06-11 07:50:53 UTC
I've reflected the bug in the changelog and will include it in the next SLE update.
Comment 2 OBSbugzilla Bot 2020-06-11 08:20:23 UTC
This is an autogenerated message for OBS integration:
This bug (1172796) was mentioned in
https://build.opensuse.org/request/show/813407 Factory / libreoffice
Comment 4 Swamp Workflow Management 2020-08-12 16:21:21 UTC
SUSE-SU-2020:2217-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1062631,1146025,1157627,1165849,1172053,1172189,1172795,1172796
CVE References: CVE-2020-12802,CVE-2020-12803
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    libreoffice-6.4.5.2-8.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2020-08-13 13:21:10 UTC
SUSE-SU-2020:2235-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1062631,1146025,1157627,1165849,1172053,1172189,1172795,1172796
CVE References: CVE-2020-12802,CVE-2020-12803
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    libreoffice-6.4.5.2-13.3.1
Comment 6 Swamp Workflow Management 2020-08-16 16:14:40 UTC
openSUSE-SU-2020:1222-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1062631,1146025,1157627,1165849,1172053,1172189,1172795,1172796
CVE References: CVE-2020-12802,CVE-2020-12803
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libreoffice-6.4.5.2-lp151.3.18.1
Comment 7 Swamp Workflow Management 2020-08-20 16:14:13 UTC
SUSE-SU-2020:2283-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1062631,1146025,1157627,1165849,1172053,1172189,1172795,1172796
CVE References: CVE-2020-12802,CVE-2020-12803
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libreoffice-6.4.5.2-43.68.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libreoffice-6.4.5.2-43.68.1
Comment 8 Swamp Workflow Management 2020-08-26 22:18:56 UTC
openSUSE-SU-2020:1261-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1062631,1146025,1157627,1165849,1172053,1172189,1172795,1172796
CVE References: CVE-2020-12802,CVE-2020-12803
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libreoffice-6.4.5.2-lp152.2.3.1
Comment 9 Alexandros Toptsoglou 2020-08-27 13:16:38 UTC
Done