[Bug 225797] security/vuxml: Document vulnerability in LibreOffice (CVE-2018-6871 / CVE-2018-1055)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Feb 9 23:46:29 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225797
Bug ID: 225797
Summary: security/vuxml: Document vulnerability in LibreOffice
(CVE-2018-6871 / CVE-2018-1055)
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://www.libreoffice.org/about-us/security/advisori
es/cve-2018-1055/
OS: Any
Status: New
Keywords: patch, security
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam at FreeBSD.org
Reporter: vlad-fbsd at acheronmedia.com
CC: office at FreeBSD.org
Assignee: ports-secteam at FreeBSD.org
Flags: maintainer-feedback?(ports-secteam at FreeBSD.org)
Created attachment 190471
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=190471&action=edit
Document CVE-2018-6871
"LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL
(e.g file://) which can be used to inject local files into the spreadsheet
without warning the user. Subsequent formulas can operate on that inserted data
and construct a remote URL whose path leaks the local data to a remote
attacker."
"In later versions of LibreOffice without this flaw, WEBSERVICE has now been
limited to accessing http and https URLs along with bringing WEBSERVICE URLs
under LibreOffice Calc's link management infrastructure."
* CVE-2018-6871
* Summary:
https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/
* NOTE:
This vulnerability has been identified upstream as CVE-2018-1055,
but NVD/Mitre are advising it's a reservation duplicate of
CVE-2018-6871 which should be used instead.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-office
mailing list