Bug #15303: Ensure Tails 3.6 fixes CVE-2018-6871

Bug #15303

Ensure Tails 3.6 fixes CVE-2018-6871

Added by Dr_Whax 2018-02-10 21:31:52 . Updated 2018-02-17 19:19:36 .

Status:

Resolved

Priority:

Normal

Assignee:

intrigeri

Category:

Target version:

Tails_3.6

Start date:

2018-02-10

Due date:

% Done:

100%

Feature Branch:

Type of work:

Wait

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

A PoC has been released: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Debian has not backported the fix to Stretch as of writing: https://security-tracker.debian.org/tracker/CVE-2018-6871

Is there a reason why there isn’t an AppArmor profile running containing the libreoffice suite?

How would we feel about disabling macro’s that can also possibly run code on your computer?

Subtasks

Related issues

Related to Tails - ~~Bug #15307~~: Disable non-user macros in Libreoffice	Rejected	2018-02-11
Blocks Tails - ~~Feature #13245~~: Core work 2018Q1: Foundations Team	Resolved	2017-06-29

History

#1 Updated by intrigeri 2018-02-11 07:08:34

Subject changed from Decide what to do about CVE-2018-6871 to Ensure Tails 3.6 fixes CVE-2018-6871
Assignee set to intrigeri
Target version set to Tails_3.6
Type of work changed from Discuss to Wait

Dr_Whax wrote:
> Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

Looks like there will be a DSA.

> Is there a reason why there isn’t an AppArmor profile running containing the libreoffice suite?

WIP for Buster: you can follow along on https://bugs.debian.org/886548.

> How would we feel about disabling macro’s that can also possibly run code on your computer?

Why not, I guess. If you think it’s doable, please file a dedicated ticket about it pointing to any ressource that would help implement this suggestion.

#2 Updated by intrigeri 2018-02-11 09:05:06

blocks ~~Feature #13245~~: Core work 2018Q1: Foundations Team added

#3 Updated by Dr_Whax 2018-02-11 16:33:43

intrigeri wrote:
> Dr_Whax wrote:
> > Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.
>
> Looks like there will be a DSA.
>

Great!

> > Is there a reason why there isn’t an AppArmor profile running containing the libreoffice suite?
>
> WIP for Buster: you can follow along on https://bugs.debian.org/886548.
>

Cheers!

> > How would we feel about disabling macro’s that can also possibly run code on your computer?
>
> Why not, I guess. If you think it’s doable, please file a dedicated ticket about it pointing to any ressource that would help implement this suggestion.

Will do, fwiw, this wouldnt have stopped exploiting this issue.

#4 Updated by Dr_Whax 2018-02-11 16:37:16

related to ~~Bug #15307~~: Disable non-user macros in Libreoffice added

#5 Updated by intrigeri 2018-02-14 08:33:26

This was fixed in stretch-backports (1:6.0.1-1~bpo9+1) already but I’d rather avoid upgrading to LibreOffice 6. So let’s wait a bit: a DSA is being prepared for 1:5.2.7-1+deb9u2.

#6 Updated by intrigeri 2018-02-17 19:19:36

Status changed from Confirmed to Resolved
% Done changed from 0 to 100

Recent builds have 1:5.2.7-1+deb9u2 (https://security-tracker.debian.org/tracker/DSA-4111-1) that fixes the bug.