Found another new bug found in LibreOffice in mouse events

LibreOffice 6.1

Recientemente a bug found in the popular LibreOffice office suite was released This vulnerability was cataloged in CVE-2019-9848. This fault found se can be used to execute arbitrary code when opening pre-prepared documents by the malicious person and then basically distribute them and wait for the victim to execute these documents.

Vulnerability is caused by the fact that the LibreLogo component, dAimed at teaching programming and inserting vector drawings, it translates its operations into Python code. By having the ability to execute LibreLogo instructions, an attacker can execute any Python code in the context of the current user session, using the "run" command provided in LibreLogo. From Python, using system (), in turn, you can call arbitrary system commands.

As described by the person who reported this bug:

Macros shipped with LibreOffice run without prompting the user, even at the highest macro security settings. So if there was a LibreOffice system macro with an error allowing code to run, the user would not even get a warning and the code would run immediately.

About the ruling

LibreLogo is an optional component, but in LibreOffice macros are offered by default, allowing to call LibreLogo and do not require confirmation of the operation and do not display a warning, even when the maximum protection mode for macros is enabled (selecting the "Very high" level).

For an attack, you can attach such a macro to an event handler that fires, for example, when you hover the mouse over a specific area or when you activate input focus on the document (onFocus event).

The big problem here is that the code is not well translated and only provides python codeas script code often results in the same code after translation.

As a result, when you open a document prepared by an attacker, you can achieve hidden execution of Python code, invisible to the user.

For example, in the exploit example demonstrated, when you open a document without warning, the system calculator starts.

And is that not the first reported bug in which events are exploited in the office suite since in months ago another case was announced where in versions 6.1.0- it is shown that the code injection is possible on Linux and Windows versions when a user hovers the mouse over a malicious URL.

Since in the same way when the vulnerability was exploited, it did not generate any type of warning dialog. As soon as the user hovers the mouse over the malicious URL, the code runs immediately.

On the other hand, the use of Python within the suite has also revealed cases of exploitation of bugs where the suite executes arbitrary code without restrictions or warnings.

With this, the people of LibreOffice have a great task to review this part in the suite since there are several known cases that take advantage of this.

The vulnerability was fixed without giving further details about it or about information about it in the update 6.2.5 from LibreOffice, released on July 1, but it turned out that the problem was not completely resolved (only the LibreLogo call from macros was blocked) and some other vectors to carry out the attack remained uncorrected.

Also, the problem is not resolved in version 6.1.6 recommended for corporate users. To completely eliminate the vulnerability is planned in the release of LibreOffice 6.3, which is expected next week.

Before a full update is released, users are advised to explicitly disable the LibreLogo component, which by default is available in many packages. The vulnerability was partially fixed in Debian, Fedora, SUSE / openSUSE, and Ubuntu.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.