Date: prev next · Thread: first prev next last
2019 Archives by date, by thread · List index


影響のあるバージョンを利用している方にはLibO 6.0.7または6.1.3に更新する

-- Takeshi Abe

On Fri, 01 Feb 2019 21:46:09 +0000, Caolán McNamara <> wrote:
CVE-2018-16858: Directory traversal flaw in script execution

tl;dr: Fixed in 6.0.7 and 6.1.3

LibreOffice has a feature where documents can specify that pre-
installed macros can be executed on various document events such as
mouse-over, etc.

Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory
traversal attack where it was possible to craft a document which when
opened by LibreOffice would, when such common document events occur,
execute a python method from a script in any arbitrary file system
location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with python, so an attacker has a set
of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature
which enables specifying in the document arguments to pass to the
python method (Earlier series only allow a method to be called with no
argument). The bundled python happens to include a method which
executes via os.system one of its arguments, providing a simple route
in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access
is restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install

Thanks to Alex Inführ for reporting this issue

To unsubscribe e-mail to:
Posting guidelines + more:
List archive:
Privacy Policy:

Unsubscribe instructions: E-mail to
Posting guidelines + more:
List archive:
Privacy Policy:


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.