[tdf-discuss] security related information, CVE-2020-12802, CVE-2020-12803

Caolán McNamara <caolanm -AT- redhat.com>

Mon, 08 Jun 2020 16:08:46 +0100

CVE-2020-12802 remote graphics contained in docx format retrieved in 'stealth mode' If you are using the (off by default) setting to only allow documents in "trusted location" to download remote resources then 6.4.4 fixes a case in the .docx import path where that protection didn't apply. CVE-2020-12803 XForms submissions could overwrite local files ODF documents can contain forms similar to HTML forms where a user typically clicks on a submit button to submit the data to a web server. Prior to 6.4.4 the destination could be a local file, raising the possibility that a malicious document could be constructed to maximize the likelihood that the user could inadvertently overwrite a local file. In 6.4.4 this feature is limited to http[s] URLs. -- To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy

Context

[tdf-discuss] security related information, CVE-2020-12802, CVE-2020-12803 · Caolán McNamara

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.