CVE-2019-9853

NameCVE-2019-9853
DescriptionLibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1947-1, DSA-4501-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreoffice (PTS)jessie1:4.3.3-2+deb8u11vulnerable
jessie (security)1:4.3.3-2+deb8u13fixed
stretch1:5.2.7-1+deb9u10fixed
stretch (security)1:5.2.7-1+deb9u11fixed
buster1:6.1.5-3+deb10u3fixed
buster (security)1:6.1.5-3+deb10u4fixed
bullseye1:6.3.2-1fixed
sid1:6.3.3~rc1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libreofficesource(unstable)1:6.3.0-1medium
libreofficesourcebuster1:6.1.5-3+deb10u3mediumDSA-4501-1
libreofficesourcejessie1:4.3.3-2+deb8u13mediumDLA-1947-1
libreofficesourcestretch1:5.2.7-1+deb9u10mediumDSA-4501-1

Notes

https://www.libreoffice.org/about-us/security/advisories/cve-2019-9853

Search for package or bug name: Reporting problems