Title: CVE-2018-16858 Directory traversal flaw in script execution

Announced: Feb 1, 2019

Fixed in: 6.0.7/6.1.3


LibreOffice has a feature where documents can specify that pre-installed macros be executed on various document events, such as mouse-over.

Prior to 6.0.7/6.1.3, LibreOffice was vulnerable to a directory traversal attack: it was possible to craft a document which, once opened by LibreOffice, would on such common document events execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with Python, so an attacker has a set of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature that lets the document specify arguments to pass to the Python method (earlier series only allow a method to be called with no argument). The bundled Python happens to include a method which executes one of its arguments via os.system, providing a simple route in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access is restricted to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install.
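The kind of containment check that restriction implies, as an added example (not LibreOffice's own code): a requested script location is canonicalised and accepted only if it still lies under one of the two permitted roots. The install path, function names and sample script names are assumptions made for illustration.

```python
import os

# Hypothetical install location (assumption; not taken from the advisory).
INSTALL_DIR = "/opt/libreoffice"

# The two sub-directories the advisory names as the only permitted roots.
ALLOWED_ROOTS = tuple(
    os.path.join(INSTALL_DIR, sub, "Scripts", "python")
    for sub in ("share", "user")
)


class ScriptPathError(ValueError):
    """Raised when a requested script resolves outside the allowed roots."""


def resolve_script(root, requested):
    """Return the canonical path of `requested` under `root`, or raise."""
    if root not in ALLOWED_ROOTS:
        raise ScriptPathError("unknown script root: %r" % root)
    base = os.path.realpath(root)
    # realpath collapses '..' segments and follows symlinks, so the check
    # runs on the location that would actually be opened, not on the string.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory such
    # as 'python_extra' is not mistaken for something under 'python'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ScriptPathError("script outside allowed root: %r" % requested)
    return candidate


def is_allowed(root, requested):
    """True if `requested` stays inside `root` after canonicalisation."""
    try:
        resolve_script(root, requested)
        return True
    except ScriptPathError:
        return False


# Constructed sample requests, as a document might supply them.
SAMPLES = ("Report.py", "tools/Report.py", "../../../program/other.py",
           "../python_extra/other.py", "/tmp/other.py")

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", is_allowed(ALLOWED_ROOTS[0], name))
```

Checking the canonical path rather than searching the string for `..` also covers absolute paths and symlinks placed inside an allowed directory.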


Thanks to alex (@insertscript) for reporting this issue.