Bug 1141861 - (CVE-2019-9849) VUL-1: CVE-2019-9849: libreoffice: remote bullet graphics retrieved in 'stealth mode'
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/237497/
CVSSv3:SUSE:CVE-2019-9849:4.0:(AV:L/A...
Reported: 2019-07-17 13:04 UTC by Alexander Bergmann
Modified: 2020-02-05 07:47 UTC

Found By: Security Response Team
Description Alexander Bergmann 2019-07-17 13:04:33 UTC
Title: CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode'

Announced: July 16, 2019

Fixed in: 6.2.5

Description:

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5.

Credits:

Thanks to Matei "Mal" Badanoiu for discovering and reporting this problem

References:
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9849
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9849
http://www.debian.org/security/2019/dsa-4483
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9849.html
Comment 2 Swamp Workflow Management 2019-07-25 08:20:22 UTC
This is an autogenerated message for OBS integration:
This bug (1141861) was mentioned in
https://build.opensuse.org/request/show/718458 Factory / libreoffice
Comment 3 Swamp Workflow Management 2019-08-01 15:50:13 UTC
This is an autogenerated message for OBS integration:
This bug (1141861) was mentioned in
https://build.opensuse.org/request/show/720252 Factory / libreoffice
Comment 4 Tomáš Chvátal 2019-08-02 08:44:51 UTC
All the codestreams should have the fix.
Comment 5 Swamp Workflow Management 2019-08-08 09:10:12 UTC
This is an autogenerated message for OBS integration:
This bug (1141861) was mentioned in
https://build.opensuse.org/request/show/721691 Factory / libreoffice
Comment 8 Swamp Workflow Management 2019-08-28 13:14:29 UTC
SUSE-SU-2019:2231-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    libreoffice-6.2.6.2-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-09-02 22:11:22 UTC
openSUSE-SU-2019:2057-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852
Sources used:
openSUSE Leap 15.0 (src):    libreoffice-6.2.6.2-lp150.2.16.1
Comment 11 Swamp Workflow Management 2019-09-18 16:12:43 UTC
SUSE-SU-2019:2401-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3
SUSE Linux Enterprise Desktop 12-SP4 (src):    libreoffice-6.2.7.1-43.56.3

Comment 12 Swamp Workflow Management 2019-09-18 16:14:41 UTC
SUSE-SU-2019:2402-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    libreoffice-6.2.7.1-8.10.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libreoffice-6.2.7.1-8.10.1

Comment 13 Swamp Workflow Management 2019-09-25 10:10:55 UTC
openSUSE-SU-2019:2183-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1133534,1141861,1141862,1146098,1146105,1146107,1149943,1149944
CVE References: CVE-2019-9848,CVE-2019-9849,CVE-2019-9850,CVE-2019-9851,CVE-2019-9852,CVE-2019-9854,CVE-2019-9855
Sources used:
openSUSE Leap 15.1 (src):    libreoffice-6.2.7.1-lp151.3.6.1
Comment 14 Marcus Meissner 2020-02-05 07:47:50 UTC
done