[opensuse] libreoffice LibreLogo macro bug
There's apparently a bug in LO that can run arbitrary code.
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/

Does anybody know whether this has been or will be patched for Leap 15.0 (LO 6.1.5.2)/ i.e. an openSUSE back patch since LO aren't fixing AIUI.

LibreLogo appears to be part of the libreoffice-pyuno package. Is there any way to disable it, or just remove the /usr/lib64/libreoffice/share/Scripts/python/LibreLogo directory?

Cheers, Dave

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 07/31/2019 09:21 AM, Dave Howorth wrote:
> There's apparently a bug in LO that can run arbitrary code.
> https://www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/
>
> Does anybody know whether this has been or will be patched for Leap 15.0 (LO 6.1.5.2)/ i.e. an openSUSE back patch since LO aren't fixing AIUI.
>
> LibreLogo appears to be part of the libreoffice-pyuno package. Is there any way to disable it, or just remove the /usr/lib64/libreoffice/share/Scripts/python/LibreLogo directory?
And apparently the patch for 6.2.5 didn't actually fix the problem entirely:

LibreOffice handlers defend suite's security after 'unfortunately partial' patch
https://www.theregister.co.uk/2019/08/02/document_foundation_libreoffice_sec...

(El Reg has been quite on top of these issues)

Since the fix was only a partial fix on 6.2.5 it will take the smart suse devs to figure out how to backport a total fix. My .02 is to just disable all macro interpretation (both LO provided and user-provided) until they can figure out how to fix it completely.

Amazing how something as stupid as the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run, can allow an attacker to completely fsck your system over.

Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/

--
David C. Rankin, J.D.,P.E.
On Tue, 6 Aug 2019 08:57:45 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
> On 07/31/2019 09:21 AM, Dave Howorth wrote:
>> There's apparently a bug in LO that can run arbitrary code.
>> https://www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/
>>
>> Does anybody know whether this has been or will be patched for Leap 15.0 (LO 6.1.5.2)/ i.e. an openSUSE back patch since LO aren't fixing AIUI.
>>
>> LibreLogo appears to be part of the libreoffice-pyuno package. Is there any way to disable it, or just remove the /usr/lib64/libreoffice/share/Scripts/python/LibreLogo directory?
>
> And apparently the patch for 6.2.5 didn't actually fix the problem entirely:
>
> LibreOffice handlers defend suite's security after 'unfortunately partial' patch
> https://www.theregister.co.uk/2019/08/02/document_foundation_libreoffice_sec...
>
> (El Reg has been quite on top of these issues)
>
> Since the fix was only a partial fix on 6.2.5 it will take the smart suse devs to figure out how to backport a total fix. My .02 is to just disable all macro interpretation (both LO provided and user-provided) until they can figure out how to fix it completely.
How do you disable macro interpretation, specifically the automatic kind that executes LibreLogo?

FWIW, what I did was to delete the directory that holds the offending item. Unfortunately it's not a separate package in openSUSE though, so I expect it might come back if I update. I suppose I could disable the whole python integration, but I don't know what other effects that might have.

https://bugzilla.opensuse.org/show_bug.cgi?id=1144522
> Amazing how something as stupid as the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run, can allow an attacker to completely fsck your system over.
>
> Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't
> https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/
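A way to re-check the mitigation Dave describes above after each update, as an added example that is not from the thread and not LibreOffice's or openSUSE's own code. The LibreLogo path is the one quoted in the thread; everything else is an assumption: that the user's macro security setting lives in the LibreOffice profile file registrymodifications.xcu as the property MacroSecurityLevel (0 = low through 3 = very high) under oor:path="/org.openoffice.Office.Common/Security/Scripting", and that the profile sits at ~/.config/libreoffice/4/user/. The script only inspects files; it does not run LibreOffice, and the fixture it can build for itself is constructed data.

```bash
#!/bin/sh
# Added example for this thread, not code from the list or from LibreOffice.
# Audits a host for the mitigation discussed above: is the LibreLogo
# directory gone (it is not a separate openSUSE package, so an update can
# bring it back), and what macro security level does the user profile set.
#
# Assumptions, labelled: LIBRELOGO_DIR is the path quoted in the thread;
# the macro security level is read from the LibreOffice user profile file
# registrymodifications.xcu, stored as the property MacroSecurityLevel
# (0 = low ... 3 = very high) under
# oor:path="/org.openoffice.Office.Common/Security/Scripting".
# Only file contents are inspected; LibreOffice itself is not run.

LIBRELOGO_DIR="${LIBRELOGO_DIR:-/usr/lib64/libreoffice/share/Scripts/python/LibreLogo}"
USER_XCU="${USER_XCU:-$HOME/.config/libreoffice/4/user/registrymodifications.xcu}"

# Exit status 0 if the LibreLogo directory is still present.
librelogo_present() {
    [ -d "$1" ]
}

# Print the MacroSecurityLevel stored in a registrymodifications.xcu,
# or "unset" when the file is missing or has no such item (LibreOffice
# then uses its built-in default, which this script does not assume).
macro_security_level() {
    xcu="$1"
    [ -r "$xcu" ] || { echo "unset"; return 0; }
    # Flatten the XML to one line, then pull the digit out of
    # <item oor:path="...Scripting"><prop oor:name="MacroSecurityLevel" ...><value>N</value>
    level=$(tr -d '\n' < "$xcu" | sed -n \
        's|.*oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel"[^>]*><value>\([0-9]*\)<.*|\1|p')
    if [ -n "$level" ]; then echo "$level"; else echo "unset"; fi
}

# One-line verdicts; exit status 0 only when LibreLogo is absent AND the
# macro level is high (2) or very high (3), otherwise 1.
audit_host() {
    dir="$1"; xcu="$2"; verdict=0
    if librelogo_present "$dir"; then
        echo "WARN: LibreLogo still installed at $dir (came back after an update?)"
        verdict=1
    else
        echo "OK: LibreLogo directory absent ($dir)"
    fi
    lvl=$(macro_security_level "$xcu")
    case "$lvl" in
        2|3) echo "OK: MacroSecurityLevel=$lvl in $xcu" ;;
        *)   echo "WARN: MacroSecurityLevel=$lvl in $xcu (expected 2 or 3)"; verdict=1 ;;
    esac
    return $verdict
}

# Constructed fixture (not real data): a fake install with LibreLogo present
# and a profile whose MacroSecurityLevel is $1. Prints the fixture directory.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/LibreLogo"
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<oor:items xmlns:oor="http://openoffice.org/2001/registry">' \
        '<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>'"$1"'</value></prop></item>' \
        '</oor:items>' > "$base/registrymodifications.xcu"
    echo "$base"
}

# Usage: AUDIT_RUN=1 sh audit_librelogo.sh      (audits this host)
#        AUDIT_RUN=demo sh audit_librelogo.sh   (runs against the constructed fixture)
case "${AUDIT_RUN:-}" in
    1)    audit_host "$LIBRELOGO_DIR" "$USER_XCU" ;;
    demo) fx=$(make_fixture 3); audit_host "$fx/LibreLogo" "$fx/registrymodifications.xcu"; rm -rf "$fx" ;;
esac
```

The directory check is the primary signal, since that is the removal Dave applied and the thing an update is expected to undo; the macro security level is reported alongside it as supporting information, not as a substitute, given the thread's point that the upstream fix was only partial.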
On 06/08/2019 15.57, David C. Rankin wrote:
> On 07/31/2019 09:21 AM, Dave Howorth wrote:
>
> Amazing how something as stupid as the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run, can allow an attacker to completely fsck your system over.
It appears that several graphic formats are dangerous. Postscript (and pdf), for example. As a solution, support for inserting postscript images is being removed from LyX packages, IIRC.

Once this has been noticed, maybe other hackers are trying to hack other graphic handling applications. Interesting times ahead :-/

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)