Allele Security Alert
LibreLogo arbitrary script execution
The Document Foundation
LibreOffice versions before 6.2.5
LibreOffice version 6.2.5
Proof of concept
LibreOffice has a feature that lets a document specify pre-installed scripts to be executed on various document events, such as mouse-over. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands.
Nils Emmerich (ERNW Research GmbH)
LibreOffice — A Python Interpreter (code execution vulnerability CVE-2019-9848)
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 28, 2019