CVE-2019-9855 - Channel and Path Errors vulnerability in multiple products
Summary
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-2183.NASL
description: This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129346
published: 2019-09-25
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129346
title: openSUSE Security Update : libreoffice (openSUSE-2019-2183)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-2361.NASL
description: This update for libreoffice fixes the following issues: Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9854: Fixed unsafe URL assembly flaw (bsc#1149944). - CVE-2019-9855: Fixed path equivalence handling flaw (bsc#1149943) This update was imported from the SUSE:SLE-15:Update update project.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 130143
published: 2019-10-22
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130143
title: openSUSE Security Update : libreoffice (openSUSE-2019-2361)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2019-2402-1.NASL
description: This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129046
published: 2019-09-19
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129046
title: SUSE SLED15 / SLES15 Security Update : libreoffice (SUSE-SU-2019:2402-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2019-2401-1.NASL
description: This update for libreoffice to version 6.2.7.1 fixes the following issues : Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129045
published: 2019-09-19
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129045
title: SUSE SLED12 Security Update : libreoffice (SUSE-SU-2019:2401-1)

NASL family: Windows
NASL id: LIBREOFFICE_631.NASL
description: The version of LibreOffice installed on the remote Windows host is prior to 6.2.7 or 6.3.x prior to 6.3.1. It is, therefore, affected by the following vulnerabilities: - A directory traversal vulnerability resulting from a feature in LibreOffice which allows documents to specify pre-installed macros that can be executed on various script events. Only scripts under the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129535
published: 2019-10-03
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129535
title: LibreOffice < 6.2.7 / 6.3.x < 6.3.1 Multiple Vulnerabilities (Windows)