Does anyone know what the threat model is for LibreOffice?
For Microsoft Office, VBA Macros are allowed to execute arbitrary code. I assume it's the same for LibreOffice Basic. For files without macros (like this exploit) what are the boundaries that should be enforced? It looks like Excel supports reading data from named files by design.[1] Is it ever safe to open a partially-trusted file in LibreOffice?
Edit: Some quick testing reveals that external links do work in LibreOffice Calc. If you answer "Yes" to "This file contains links to other files. Should they be updated?" on startup, it can read any file (and presumably use WEBSERVICE to upload the contents via query string).
So LibreOffice can still make arbitrary HTTP/HTTPS connections without the users knowledge? Unless WEBSERVICE URLs are disabled by default, this doesn't sound like a complete fix.
10 comments
[ 2.5 ms ] story [ 34.2 ms ] threadFor Microsoft Office, VBA Macros are allowed to execute arbitrary code. I assume it's the same for LibreOffice Basic. For files without macros (like this exploit) what are the boundaries that should be enforced? It looks like Excel supports reading data from named files by design.[1] Is it ever safe to open a partially-trusted file in LibreOffice?
Edit: Some quick testing reveals that external links do work in LibreOffice Calc. If you answer "Yes" to "This file contains links to other files. Should they be updated?" on startup, it can read any file (and presumably use WEBSERVICE to upload the contents via query string).
1. https://support.office.com/en-us/article/create-an-external-...
Sounds like using WEBSERVICE should trigger a warning, although I'm not sure if that is what "link management" means.
b) the URL is shown under menu Edit -> Links...