QID 356235
Date Published: 2023-09-28
QID 356235: Amazon Linux Security Advisory for libreoffice : ALASLIBREOFFICE-2023-002
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc.
LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands.
By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document could be constructed which would execute arbitrary Python commands silently without warning.
In the fixed versions, LibreLogo cannot be called from a document event handler.
This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

LibreOffice has a stealth mode in which only documents from locations deemed trusted are allowed to retrieve remote resources.
This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document.
A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. (CVE-2019-9849)

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from.
LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers.
However, this new protection could be bypassed by a URL encoding attack.
This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
- ALASLIBREOFFICE-2023-002 -
alas.aws.amazon.com/AL2/ALASLIBREOFFICE-2023-002.html
CVEs related to QID 356235
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALASLIBREOFFICE-2023-002 | amazon linux 2 | libreoffice | alas.aws.amazon.com/AL2/ALASLIBREOFFICE-2023-002.html |