FEDORA-2018-8d3f4d7b28 created by caolanm 3 years ago for Fedora 28
stable
  • CVE-2018-10583 A LibreOffice document with a linked image, which is on a samba share, will cause LibreOffice to automatically initiate a samba connection to retrieve the image. This is by design. If end users or administrators wish to disable this functionality, it can now be disabled via Tools -> Options -> Security -> Options -> "Block any links from documents not among the trusted locations".

How to install

sudo dnf upgrade --advisory=FEDORA-2018-8d3f4d7b28

This update has been submitted for testing by caolanm.

3 years ago
danniel commented & provided feedback 3 years ago
karma

works

Shouldn't it be opt-in by default? And maybe some notification with a question whether the user wants to allow LibreOffice to try to connect to a remote samba share?

It seems that this feature (document with attachment on remote share) will more likely be used by an attacker than users.

Wrt notification, right now there is no such notification UI so it's not practical to provide one in a timely manner, though some form of infobar notification would be a good idea. Wrt opt-in/opt-out, what we have available is an opt-in/opt-out for all links: smb, http, https etc. So opening any HTML with graphic links in it would auto-fail, which is a bit radical, especially in the absence of a UI to explain and rectify it.

Thanks for your answer. Infobar notification is what I've already seen in action and had in mind, just didn't know the official name. Would infobar notification only for SMB links saying 'An image from SMB share (smb://... or file://...) was blocked. If you're sure it's not a rogue SMB server, unlock it' be feasible?

Not right now. Eventually maybe. But wrt smb, there's nothing special about them vs say http/https from LibreOffice's perspective, so it's a general remote links issue rather than a specific smb links issue.

This update has been pushed to testing.

3 years ago
bojan commented & provided feedback 3 years ago
karma

No regressions here.

besser82 commented & provided feedback 3 years ago
karma

Works great! LGTM! =)

This update has been submitted for batched by bodhi.

3 years ago
imabug provided feedback 3 years ago
karma

This update has been submitted for stable by bodhi.

3 years ago
ozeszty commented & provided feedback 3 years ago
karma

CVE-2018-10583 seems to be what makes smb links different from http, I think, because for smb the linked file doesn't need to be malicious for the attack to succeed - it just exploits default behaviour and is easy to prepare.

No regressions noted with this update.
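As an added example (not part of this update or of the LibreOffice project), a Python scan that lists the image links in an ODF document and flags the ones whose retrieval would trigger an outbound connection when the document is opened, so administrators can check documents before relying on the new option. The minimal ODT it builds and the host name fileserver.example are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# ODF namespaces for drawing frames and link attributes
NS = {
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
XLINK_HREF = "{%s}href" % NS["xlink"]
# Schemes whose retrieval causes an outbound connection when the document opens
REMOTE_SCHEMES = {"smb", "cifs", "http", "https", "ftp", "webdav", "webdavs"}


def classify_link(href):
    """Return 'remote', 'embedded' or 'local' for one xlink:href value."""
    url = urlparse(href)
    if url.scheme in REMOTE_SCHEMES:
        return "remote"
    if url.scheme == "file" and url.netloc:  # file://server/share/... is a UNC path
        return "remote"
    if href.startswith("Pictures/"):  # stored inside the ODF zip itself
        return "embedded"
    return "local"


def scan_odf(data):
    """Return [(href, classification)] for every draw:image link in ODF bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    findings = []
    for image in root.iter("{%s}image" % NS["draw"]):
        href = image.get(XLINK_HREF)
        if href is not None:
            findings.append((href, classify_link(href)))
    return findings


def build_sample_odt(hrefs):
    """Build a minimal ODT in memory (constructed sample, not a real document)."""
    frames = "".join('<draw:frame><draw:image xlink:href="%s"/></draw:frame>' % h for h in hrefs)
    content = ('<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               'xmlns:draw="%s" xmlns:xlink="%s"><office:body><office:text>%s</office:text>'
               '</office:body></office:document-content>') % (NS["draw"], NS["xlink"], frames)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

To check a real file, call scan_odf(open(path, "rb").read()) and treat any "remote" entry as a link that will be fetched automatically unless the new blocking option is enabled.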

This update has been pushed to stable.

3 years ago


Metadata
Type: security
Severity: low
Karma: 5
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
BZ#1575000 CVE-2018-10583 libreoffice: Information disclosure via SMB connection embedded in malicious file [fedora-all]