Vulnerability CVE-2019-9848: Information

Description

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-9848
Published: July 17, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-94

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
LibreOfficesisyphus6.3.0.3-alt124.2.3.2-alt1ALT-PU-2019-2380-1235512Fixed
LibreOfficep106.3.0.3-alt17.4.2.3-alt4ALT-PU-2019-2380-1235512Fixed
LibreOfficep96.3.0.3-alt17.1.3.2-alt0.p9.1ALT-PU-2019-2402-1235650Fixed
LibreOfficep86.2.6.2-alt0.M80P.16.2.8.2-alt0.M80P.1ALT-PU-2019-2562-1236314Fixed
LibreOfficec10f16.3.0.3-alt17.4.2.3-alt4ALT-PU-2019-2380-1235512Fixed
LibreOfficec9f26.3.0.3-alt16.3.0.3-alt6.c9.1ALT-PU-2019-2402-1235650Fixed
LibreOfficep116.3.0.3-alt124.2.3.2-alt1ALT-PU-2019-2380-1235512Fixed
LibreOffice-stillsisyphus6.2.6.2-alt17.6.7.2-alt1ALT-PU-2019-2490-1236111Fixed
LibreOffice-stillp106.2.6.2-alt17.6.6.3-alt0.p10.1ALT-PU-2019-2490-1236111Fixed
LibreOffice-stillp96.2.6.2-alt17.0.6.2-alt2ALT-PU-2019-2500-1236299Fixed
LibreOffice-stillc10f16.2.6.2-alt17.5.9.2-alt1.p10.1ALT-PU-2019-2490-1236111Fixed
LibreOffice-stillc9f26.2.6.2-alt16.4.7.2-alt1.c9.1ALT-PU-2019-2500-1236299Fixed
LibreOffice-stillp116.2.6.2-alt17.6.7.2-alt1ALT-PU-2019-2490-1236111Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
  • Vendor Advisory
USN-4063-1
  • Third Party Advisory
109374
  • Broken Link
GLSA-201908-13
  • Third Party Advisory
20190815 [SECURITY] [DSA 4501-1] libreoffice security update
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:2057
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:2183
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update
  • Mailing List
  • Third Party Advisory
FEDORA-2019-5561d20558
    FEDORA-2019-2fe22a3a2c

        1. Configuration 1

          cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
          End excliding
          6.2.5

          Configuration 2

          cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
          cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
          cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

          Configuration 3

          cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

          Configuration 4

          cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

          Configuration 5

          cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
          cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top