CVE-2019-9848 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary command execution
Description	An issue has been found in LibreOffice before 6.2.5, where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1010	libreoffice-still	6.1.6-2	6.2.6-1	High	Fixed
AVG-1009	libreoffice-fresh	6.2.4-2	6.2.5-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
16 Aug 2019	ASA-201908-9	AVG-1010	libreoffice-still	High	multiple issues

References
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848 https://github.com/LibreOffice/core/commit/5d47b7b3f6a134037f1f3d8c018505244d7be484 https://github.com/LibreOffice/core/commit/3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd

References

https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://github.com/LibreOffice/core/commit/5d47b7b3f6a134037f1f3d8c018505244d7be484
https://github.com/LibreOffice/core/commit/3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd