10 comments

[ 2.5 ms ] story [ 34.2 ms ] thread
Is this what they fixed in 5.4.5 and 6.0.1 security patch?
Remote arbitrary file disclosure vulnerability. Please fix the submission title.
Ok, we'll take your word for it.
This is a big deal for any systems that use Open Office to convert files to PDF (or otherwise) w/o proper sandboxing :(
Does anyone know what the threat model is for LibreOffice?

For Microsoft Office, VBA Macros are allowed to execute arbitrary code. I assume it's the same for LibreOffice Basic. For files without macros (like this exploit) what are the boundaries that should be enforced? It looks like Excel supports reading data from named files by design.[1] Is it ever safe to open a partially-trusted file in LibreOffice?

Edit: Some quick testing reveals that external links do work in LibreOffice Calc. If you answer "Yes" to "This file contains links to other files. Should they be updated?" on startup, it can read any file (and presumably use WEBSERVICE to upload the contents via query string).

1. https://support.office.com/en-us/article/create-an-external-...

There are more exploits outside VBA than inside it.
So LibreOffice can still make arbitrary HTTP/HTTPS connections without the users knowledge? Unless WEBSERVICE URLs are disabled by default, this doesn't sound like a complete fix.
> bringing WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.

Sounds like using WEBSERVICE should trigger a warning, although I'm not sure if that is what "link management" means.

a) after the document is loaded such use triggers the "links to other documents" warning and linked content is updated only after confirmation

b) the URL is shown under menu Edit -> Links...

Why do they enable such dangerous functions by default?