Title: CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution
Announced: September 6, 2019
Fixed in: 6.2.7/6.3.1
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from.
LibreOffice also has a feature where documents can specify that pre-installed scripts be executed on various document script events, such as mouse-over, etc.
Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo by referring to it through a Windows 8.3 short-name pseudonym, which the block did not recognise as the same path.
In the fixed versions, such paths are rejected.
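The following is an added example, not LibreOffice's own code, illustrating the defensive point of this advisory: a block list that compares literal path components is bypassed when the same file is reachable under an alias such as a Windows 8.3 short name, so the check must either canonicalise the path first or, as the fix here does, refuse alias forms outright. The blocked directory name, the sample paths and the short-name pattern are constructed for the example; the short-name shape assumed is "up to six characters, a tilde, a number, optional three-character extension". Using pathlib's PureWindowsPath means the example runs on any platform without touching the filesystem.

```python
import re
from pathlib import PureWindowsPath

# Constructed block list: script directories that must never be reachable from
# document event handlers. Hypothetical, not LibreOffice's real configuration.
BLOCKED_SCRIPT_DIRS = {"librelogo"}

# Assumed shape of a Windows 8.3 short-name component, e.g. "PROGRA~1" or
# "LIBREL~1.PY": 1-6 characters, a tilde, a number, optional 1-3 char extension.
SHORT_NAME_RE = re.compile(r"^[^.~\\/]{1,6}~\d+(\.[^.\\/]{1,3})?$", re.IGNORECASE)


def naive_is_allowed(script_path: str) -> bool:
    """The weak check: match literal path components against the block list.

    Bypassed by any alias spelling of the blocked directory, because the
    alias string never equals the canonical name.
    """
    parts = [p.lower() for p in PureWindowsPath(script_path).parts]
    return not any(p in BLOCKED_SCRIPT_DIRS for p in parts)


def has_short_name_component(script_path: str) -> bool:
    """True if any component of the path looks like an 8.3 short-name alias."""
    return any(SHORT_NAME_RE.match(p) for p in PureWindowsPath(script_path).parts)


def hardened_is_allowed(script_path: str) -> bool:
    """Reject alias forms before consulting the block list.

    Mirrors the approach described in the advisory (reject such paths)
    rather than resolving them: a path that cannot be trusted to compare
    equal to its canonical form is not allowed to reach the block list at all.
    """
    if has_short_name_component(script_path):
        return False
    parts = [p.lower() for p in PureWindowsPath(script_path).parts]
    return not any(p in BLOCKED_SCRIPT_DIRS for p in parts)


# Constructed sample paths: the canonical blocked path, an 8.3 alias of the
# same path, and an unrelated benign script.
SAMPLE_PATHS = [
    r"C:\Program Files\LibreOffice\share\Scripts\python\LibreLogo\LibreLogo.py",
    r"C:\PROGRA~1\LIBREO~1\share\Scripts\python\LIBREL~1\LIBREL~1.PY",
    r"C:\Program Files\LibreOffice\share\Scripts\python\HelloWorld.py",
]


def compare_checks(paths=SAMPLE_PATHS):
    """Return (path, naive_verdict, hardened_verdict) for each sample path."""
    return [(p, naive_is_allowed(p), hardened_is_allowed(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, hardened in compare_checks():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {path}")
```

The middle sample path is the interesting one: the naive check lets it through because no component literally spells the blocked name, while the hardened check refuses it on sight. On a real Windows host a canonicalising alternative is to expand the path with the Win32 GetLongPathNameW call before comparing, but that only helps if the comparison is performed on the expanded result, never on the string the document supplied.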
Thanks to alex (@insertscript) for reporting this issue.