CVE-2019-9855

Published: 6 September 2019

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts be executed on various document script events, such as mouse-over. Protection was added to block calling LibreLogo from script event handlers. However, a flaw in the handling of Windows 8.3 path equivalence left LibreOffice vulnerable on Windows: a document could trigger execution of LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
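The class of flaw described above, as an added example (not LibreOffice code and not the upstream fix): a name-based denylist beside a variant that fails closed on 8.3-shaped aliases. The function names, the DENIED set and the sample paths are assumptions constructed for illustration.

```python
import re

# Denied script names, compared case-insensitively.
# "LibreLogo" comes from the advisory text; the set itself is an assumption.
DENIED = {"librelogo"}

# Shape of a Windows 8.3 short name: short stem, "~", digits, optional
# extension of up to three characters (for example NAME~1.EXT).
SHORT_NAME = re.compile(r"[^\\/.~]{1,6}~\d{1,6}(\.[^\\/.]{0,3})?")


def components(ref):
    """Split a script reference on both separators Windows accepts."""
    return [c for c in re.split(r"[\\/]", ref) if c]


def stem(component):
    """Lower-cased name without its extension."""
    return component.split(".")[0].lower()


def naive_is_blocked(ref):
    """Denylist by literal name only; blind to filesystem aliases."""
    return any(stem(c) in DENIED for c in components(ref))


def hardened_is_blocked(ref):
    """Also reject any component shaped like an 8.3 alias.

    String matching cannot tell which long name an alias maps to, so the
    check fails closed. On Windows the alternative is to resolve the path
    to its long form (for example with GetLongPathNameW) before comparing.
    """
    return any(
        stem(c) in DENIED or SHORT_NAME.fullmatch(c)
        for c in components(ref)
    )


# Constructed sample references (hypothetical layout, not from the page).
SAMPLES = [
    "Scripts/python/LibreLogo/LibreLogo.py",   # literal name
    "Scripts\\python\\LIBREL~1\\LIBREL~1.PY",  # 8.3-shaped alias
    "Scripts/python/Capitalise.py",            # unrelated script
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, naive_is_blocked(ref), hardened_is_blocked(ref))
```

The second sample is the case the advisory describes: the literal comparison passes it, while the fail-closed check rejects it.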

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: libreoffice (Launchpad, Ubuntu, Debian)

Release     Status
bionic      Not vulnerable (windows only)
disco       Not vulnerable (windows only)
precise     Does not exist
trusty      Does not exist
upstream    Needs triage
xenial      Not vulnerable (windows only)