Title: CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution

Announced: September 6, 2019

Fixed in: 6.2.7/6.3.1


LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained in the document it is launched from.

LibreOffice also has a feature where documents can specify that pre-installed scripts be executed on various document script events, such as mouse-over.

Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo via a Windows filename pseudonym.

In the fixed versions, such paths are rejected.
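The following added example (not LibreOffice's own code) shows why a denylist that compares literal file names misses a Windows 8.3 short-name alias of the same file, and how rejecting alias-shaped path components closes that gap. The script name `BlockedScript.py`, the function names and the sample paths are hypothetical and constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Hypothetical name of a script that event handlers must never reach.
BLOCKED_NAMES = {"blockedscript.py"}


def looks_like_short_alias(component: str) -> bool:
    """True if a path component has the shape of a generated 8.3 alias,
    e.g. PROGRA~1 or BLOCKE~1.PY: base of at most 8 chars ending in
    ~<digits>, and at most one extension of at most 3 chars."""
    base, _, ext = component.partition(".")
    return (len(base) <= 8 and len(ext) <= 3 and "." not in ext
            and re.search(r"~\d+$", base) is not None)


def naive_is_blocked(path: str) -> bool:
    """Denylist on the literal file name only; an alias of the same file
    has a different spelling and is not matched."""
    return PureWindowsPath(path).name.lower() in BLOCKED_NAMES


def check_script_path(path: str) -> str:
    """Reject alias-shaped components first, then apply the denylist.
    Trade-off: a real file whose long name happens to look like an alias
    (for example a~1.txt) is rejected as well."""
    if any(looks_like_short_alias(p) for p in PureWindowsPath(path).parts):
        return "deny: 8.3 alias"
    if naive_is_blocked(path):
        return "deny: blocked script"
    return "allow"


# Constructed sample paths, not taken from the advisory.
SAMPLES = [
    "share/Scripts/python/Blocked/BlockedScript.py",
    "share/Scripts/python/Blocked/BLOCKE~1.PY",
    "share/Scripts/python/Capitalise.py",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample}: naive_blocked={naive_is_blocked(sample)} "
              f"hardened={check_script_path(sample)}")
```

On Windows, an alternative to rejecting by shape is to expand the path with `GetLongPathNameW` before comparing; this sketch rejects by shape so that it runs on any platform.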


Thanks to alex (@insertscript) for reporting this issue.