Bug 1212444 (CVE-2023-1183) - VUL-0: CVE-2023-1183: libreoffice: Arbitrary File Write in LibreOffice Base
Summary: VUL-0: CVE-2023-1183: libreoffice: Arbitrary File Write in LibreOffice Base
Status: RESOLVED FIXED
Alias: CVE-2023-1183
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/369738/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-1183:5.0:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-16 11:39 UTC by Gabriele Sonnu
Modified: 2024-05-15 19:03 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 5 Gabriele Sonnu 2023-06-27 06:49:37 UTC
Public now:

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a SCRIPT keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
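
A defensive triage check for the file layout described in Comment 5, added here as an example and not part of the bug report or of LibreOffice or HSQLDB code: it opens an .odb as a ZIP container and reports any statement in the embedded HSQLDB files that starts with the SCRIPT keyword. Inspecting "database/log" as well as "database/script" is an assumption drawn from the advisory's mention of .log files; the function names and sample contents are constructed for illustration.

```python
import io
import re
import zipfile

# Entries inspected inside the .odb ZIP container. "database/script" is named in
# the advisory; "database/log" is an assumption based on its mention of .log files.
HSQLDB_ENTRIES = ("database/script", "database/log")

# A statement that starts with the SCRIPT keyword. Ordinary script/log content
# is made of statements such as CREATE, SET, INSERT and GRANT.
SCRIPT_STMT = re.compile(r"^\s*SCRIPT\b", re.IGNORECASE)


def find_script_statements(odb_bytes):
    """Return (entry, line_number, text) for each SCRIPT statement found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odb_bytes)) as odb:
        names = set(odb.namelist())
        for entry in HSQLDB_ENTRIES:
            if entry not in names:
                continue
            text = odb.read(entry).decode("utf-8", errors="replace")
            for number, line in enumerate(text.splitlines(), start=1):
                if SCRIPT_STMT.match(line):
                    findings.append((entry, number, line.strip()))
    return findings


def build_sample_odb(script_text):
    """Build a constructed, minimal ZIP standing in for an .odb file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as odb:
        odb.writestr("mimetype", "application/vnd.oasis.opendocument.base")
        odb.writestr("database/script", script_text)
    return buffer.getvalue()


# Constructed sample inputs (not taken from a real document).
CLEAN = 'CREATE SCHEMA PUBLIC AUTHORIZATION DBA\nCREATE USER SA PASSWORD ""\n'
SUSPECT = CLEAN + "SCRIPT 'PLACEHOLDER_OUTPUT_PATH'\n"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, find_script_statements(build_sample_odb(body)))
```

This is a triage heuristic for documents received from untrusted sources; installing the fixed packages listed in the update comments remains the actual remediation.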
Comment 10 Maintenance Automation 2023-11-21 12:30:23 UTC
SUSE-SU-2023:4496-1: An update that solves one vulnerability, contains three features and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1209243, 1212444, 1215595
CVE References: CVE-2023-1183
Jira References: PED-5199, PED-6799, PED-6800
Sources used:
openSUSE Leap 15.4 (src): frozen-1.1.1-150400.9.3.2, liborcus-0.18.1-150400.13.3.2, mdds-2_1-2.1.1-150400.9.3.2, libreoffice-7.6.2.1-150400.17.17.3, libixion-0.18.1-150400.14.3.2
openSUSE Leap 15.5 (src): frozen-1.1.1-150400.9.3.2, liborcus-0.18.1-150400.13.3.2, mdds-2_1-2.1.1-150400.9.3.2, libreoffice-7.6.2.1-150400.17.17.3, libixion-0.18.1-150400.14.3.2
SUSE Package Hub 15 15-SP4 (src): frozen-1.1.1-150400.9.3.2, liborcus-0.18.1-150400.13.3.2, mdds-2_1-2.1.1-150400.9.3.2, libreoffice-7.6.2.1-150400.17.17.3, libixion-0.18.1-150400.14.3.2
SUSE Package Hub 15 15-SP5 (src): frozen-1.1.1-150400.9.3.2, liborcus-0.18.1-150400.13.3.2, mdds-2_1-2.1.1-150400.9.3.2, libreoffice-7.6.2.1-150400.17.17.3, libixion-0.18.1-150400.14.3.2
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): liborcus-0.18.1-150400.13.3.2, libixion-0.18.1-150400.14.3.2, libreoffice-7.6.2.1-150400.17.17.3
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): liborcus-0.18.1-150400.13.3.2, libixion-0.18.1-150400.14.3.2, libreoffice-7.6.2.1-150400.17.17.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-12-06 16:31:00 UTC
SUSE-SU-2023:4648-1: An update that solves one vulnerability, contains three features and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1209243, 1212444, 1215595
CVE References: CVE-2023-1183
Jira References: PED-5199, PED-6799, PED-6800
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): libetonyek-0.1.10-10.11.2, frozen-1.1.1-8.3.3, liborcus-0.18.1-18.3.3, mdds-2_1-2.1.1-8.3.3, libixion-0.18.1-21.3.3, libreoffice-7.6.2.1-48.47.6
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): libetonyek-0.1.10-10.11.2, libreoffice-7.6.2.1-48.47.6, libixion-0.18.1-21.3.3, liborcus-0.18.1-18.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Robert Frohl 2024-05-15 19:03:16 UTC
done, closing