Project

General

Profile

Bug #15303

Ensure Tails 3.6 fixes CVE-2018-6871

Added by Dr_Whax almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
02/10/2018
Due date:
% Done:

100%

Feature Branch:
Type of work:
Wait
Blueprint:
Starter:
Affected tool:

Description

Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

A PoC has been released: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Debian has not backported the fix to Stretch as of writing: https://security-tracker.debian.org/tracker/CVE-2018-6871

Is there a reason why there isn't an AppArmor profile running containing the libreoffice suite?

How would we feel about disabling macro's that can also possibly run code on your computer?


Related issues

Related to Tails - Bug #15307: Disable non-user macros in Libreoffice Rejected 02/11/2018
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 06/29/2017

History

#1 Updated by intrigeri almost 2 years ago

  • Subject changed from Decide what to do about CVE-2018-6871 to Ensure Tails 3.6 fixes CVE-2018-6871
  • Assignee set to intrigeri
  • Target version set to Tails_3.6
  • Type of work changed from Discuss to Wait

Dr_Whax wrote:

Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

Looks like there will be a DSA.

Is there a reason why there isn't an AppArmor profile running containing the libreoffice suite?

WIP for Buster: you can follow along on https://bugs.debian.org/886548.

How would we feel about disabling macro's that can also possibly run code on your computer?

Why not, I guess. If you think it's doable, please file a dedicated ticket about it pointing to any ressource that would help implement this suggestion.

#2 Updated by intrigeri almost 2 years ago

#3 Updated by Dr_Whax almost 2 years ago

intrigeri wrote:

Dr_Whax wrote:

Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

Looks like there will be a DSA.

Great!

Is there a reason why there isn't an AppArmor profile running containing the libreoffice suite?

WIP for Buster: you can follow along on https://bugs.debian.org/886548.

Cheers!

How would we feel about disabling macro's that can also possibly run code on your computer?

Why not, I guess. If you think it's doable, please file a dedicated ticket about it pointing to any ressource that would help implement this suggestion.

Will do, fwiw, this wouldnt have stopped exploiting this issue.

#4 Updated by Dr_Whax almost 2 years ago

  • Related to Bug #15307: Disable non-user macros in Libreoffice added

#5 Updated by intrigeri almost 2 years ago

This was fixed in stretch-backports (1:6.0.1-1~bpo9+1) already but I'd rather avoid upgrading to LibreOffice 6. So let's wait a bit: a DSA is being prepared for 1:5.2.7-1+deb9u2.

#6 Updated by intrigeri almost 2 years ago

  • Status changed from Confirmed to Resolved
  • % Done changed from 0 to 100

Recent builds have 1:5.2.7-1+deb9u2 (https://security-tracker.debian.org/tracker/DSA-4111-1) that fixes the bug.

Also available in: Atom PDF