On 07/31/2019 09:21 AM, Dave Howorth wrote:
> There's apparently a bug in LO that can run arbitrary code.
> https://www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/
> Does anybody know whether this has been or will be patched for Leap 15.0 (LO 6.1.5.2)? i.e. an openSUSE back patch since LO aren't fixing AIUI.
> LibreLogo appears to be part of the libreoffice-pyuno package. Is there any way to disable it, or just remove the /usr/lib64/libreoffice/share/Scripts/python/LibreLogo directory?

And apparently the patch for 6.2.5 didn't actually fix the problem entirely:

LibreOffice handlers defend suite's security after 'unfortunately partial' patch
https://www.theregister.co.uk/2019/08/02/document_foundation_libreoffice_sec...

(El Reg has been quite on top of this issue)

Since the fix was only a partial fix on 6.2.5, it will take the smart suse devs to figure out how to backport a total fix. My .02 is to just disable all macro interpretation (both LO provided and user-provided) until they can figure out how to fix it completely.

Amazing how something as stupid as the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run, can allow an attacker to completely fsck your system over.

Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/

--
David C. Rankin, J.D.,P.E.