On Tue, 6 Aug 2019 08:57:45 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 07/31/2019 09:21 AM, Dave Howorth wrote:
There's apparently a bug in LO that can run arbitrary code.
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/
Does anybody know whether this has been or will be patched for Leap 15.0 (LO 6.1.5.2), i.e. an openSUSE back patch, since LO aren't fixing AIUI.
LibreLogo appears to be part of the libreoffice-pyuno package. Is there any way to disable it, or just remove the /usr/lib64/libreoffice/share/Scripts/python/LibreLogo directory?
And apparently the patch for 6.2.5 didn't actually fix the problem entirely:
LibreOffice handlers defend suite's security after 'unfortunately partial' patch https://www.theregister.co.uk/2019/08/02/document_foundation_libreoffice_sec...
(El Reg has been quite on top of this issue)
Since the fix was only a partial fix on 6.2.5 it will take the smart suse devs to figure out how to backport a total fix. My .02 is to just disable all macro interpretation (both LO provided and user-provided) until they can figure out how to fix it completely.
How do you disable macro interpretation, specifically the automatic kind that executes LibreLogo? FWIW, what I did was to delete the directory that holds the offending item. Unfortunately it's not a separate package in openSUSE though, so I expect it might come back if I update. I suppose I could disable the whole python integration, but I don't know what other effects that might have. https://bugzilla.opensuse.org/show_bug.cgi?id=1144522
Amazing how something as stupid as the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run can allow an attacker to completely fsck your system over.
Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
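As an added example (not code from the thread or from openSUSE/LibreOffice), here is a small POSIX sh helper for the workaround discussed above: it locates the LibreLogo script directory under a LibreOffice install root, reports which rpm owns it (which is exactly why a package update puts it back), moves it aside instead of deleting it, and reads the macro security level out of a LibreOffice user profile. The directory layout is the one quoted in the thread; the install root and profile path are parameters; "MacroSecurityLevel" under /org.openoffice.Office.Common/Security/Scripting is the registry key name as I know it from registrymodifications.xcu (verify against your own profile); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LibreOffice install root
# (e.g. /usr/lib64/libreoffice) and profile path are passed in; the LibreLogo
# directory layout is share/Scripts/python/LibreLogo as quoted on the list;
# "MacroSecurityLevel" is the registry key name (assumed, verify locally).

librelogo_dir() {
    # $1 = LibreOffice install root
    printf '%s/share/Scripts/python/LibreLogo\n' "$1"
}

librelogo_present() {
    # Exit 0 if the LibreLogo script directory exists under the given root.
    [ -d "$(librelogo_dir "$1")" ]
}

librelogo_owner() {
    # Print the rpm that owns the directory, or "none" (rpm missing / unowned).
    # An owned path is what a package update will silently recreate.
    dir=$(librelogo_dir "$1")
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$dir" 2>/dev/null || echo none
    else
        echo none
    fi
}

librelogo_disable() {
    # Move the directory aside rather than rm -rf it, so it can be restored.
    # Returns 1 if there was nothing to disable.
    dir=$(librelogo_dir "$1")
    [ -d "$dir" ] || return 1
    mv "$dir" "$dir.disabled"
}

macro_security_level() {
    # $1 = registrymodifications.xcu from a LibreOffice user profile
    #      (normally ~/.config/libreoffice/4/user/registrymodifications.xcu).
    # Prints 0 (Low) .. 3 (Very High), or "unset" if the profile never set it.
    lvl=$(grep -o 'oor:name="MacroSecurityLevel"[^<]*<value>[0-3]</value>' "$1" 2>/dev/null \
          | sed -n 's/.*<value>\([0-3]\)<\/value>.*/\1/p' | head -n 1)
    if [ -n "$lvl" ]; then echo "$lvl"; else echo unset; fi
}

librelogo_report() {
    # Read-only summary: $1 = install root, $2 = registrymodifications.xcu
    if librelogo_present "$1"; then
        echo "LibreLogo: PRESENT at $(librelogo_dir "$1") (owner: $(librelogo_owner "$1"))"
    else
        echo "LibreLogo: absent under $1"
    fi
    echo "MacroSecurityLevel in $2: $(macro_security_level "$2")"
}

# Usage (install root needs root to modify; the report itself is read-only):
#   librelogo_report  /usr/lib64/libreoffice ~/.config/libreoffice/4/user/registrymodifications.xcu
#   librelogo_disable /usr/lib64/libreoffice
```

Two caveats, both from the thread itself: the directory is owned by libreoffice-pyuno rather than being a separate package, so re-run the report after every `zypper up` and expect to disable it again; and the macro security level is reported for information only, since the open question above is precisely whether that setting stops the event-triggered LibreLogo execution, so do not treat a "3" as proof the machine is safe.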