Package: libreoffice-calc
Version: 1:6.1.5-3+deb10u6
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
When opening any CSV file with LibreOffice Calc, Calc opens and executes
encodings.py from the current working directory. That presumably happens
because
Some file managers, including Krusader and mc, would launch localc in the
current directory, as would running it from the command line (such as
`localc file.csv'), thereby running encodings.py from the directory
containing the file.
The issue is not present when LibreOffice is launched through the
application launcher, and the file is opened later through whatever
means (neither Open file, nor through a file manager or the command
line, since localc already operates in one's $HOME in that instance)
To reproduce the issue, one needs to:
1. Close LibreOffice *completely*
2. In an empty directory, create "encodings.py" which raises an exception
3. In the same directory (for simplicity), create "file.csv" with some
rows.
4. Open "file.csv" with `localc ./file.csv' using the directory containing
"encodings.py" (double clicking in krusader and mc leads to the same
result)
The result is that LibreOffice crashes with the Python exception raised
by the rogue encodings.py, and then exits with an error that reads:
Fatal Python error: initfsencoding: Unable to get the locale encoding
An offer is made to recover the unsaved file (but the list is empty),
relaunching LO sometimes leads to new crashes.
This is NOT the only way the issue happens, I was able to get the
same crash while clicking through the menus or editing an .ods
which initially didn't cause a crash, but those aren't deterministically
reproduced, whereas the .csv route seems to guarantee a crash for me
even when the .csv is ASCII.
The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
by apt are present on either machine (on the one with 6.1.5 I never
installed any, and on the 7.0.4 I'm trusting what the LO extension
manager is telling me, since I cannot recall for sure)
Here's the console chatter:
# Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a bar")
milko@host2 ~/Временна/LOSecurity $ cat > test.csv
Column 1;Column 2;Column 3
текст;ຂໍ້ຄວາມ;text
milko@host2 ~/Временна/LOSecurity $ localc test.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
Column 1;Column 2;Column 3
text1;text2;text3
milko@host2 ~/Временна/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Application Error
milko@host2 ~/Временна/LOSecurity $
# Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
# The encodings.py and test.csv were copied from host2
milko@host1 ~/Временни/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host1 ~/Временни/LOSecurity $ lowriter
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
^C
milko@host1 ~/Временни/LOSecurity $
LO packages installed on host1 and host2. I do apologize for the untidy
mess with transitional and unpurged packages and leftover from the dawn of
time (especially on host2) -- I didn't expect someone to be looking through
my messy house -- but I have to leave them here in case one of them comes
responsible.
milko@host2 ~ $ dpkg -l | grep -i -e libreoffice -e 1:7.0.4~rc2-1~bpo10+2
ii hyphen-ru 20030310-1 all Russian hyphenation patterns for LibreOffice/OpenOffice.org
ii jabref-plugin-oo 2.10+ds-3 all LibreOffice plugin for JabRef (transitional dummy package)
ii libjuh-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- Java Uno helper (compatibility library)
ii libjurt-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- Java Uno Runtime (compatibility library)
ii liblibreoffice-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- Java library
ii libreoffice 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer 1:7.0.4~rc2-1~bpo10+2 amd64 transitional package for GStreamer backend for LibreOffice
ii libreoffice-base 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- database
ii libreoffice-base-core 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- shared library
ii libreoffice-base-drivers 1:7.0.4~rc2-1~bpo10+2 amd64 Database connectivity drivers for LibreOffice
ii libreoffice-calc 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- spreadsheet
ii libreoffice-common 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- arch-independent files
ii libreoffice-core 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- arch-dependent files
ii libreoffice-draw 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- drawing
rc libreoffice-filter-binfilter 1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gnome 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- GNOME integration
rc libreoffice-gtk 1:5.2.7-1+deb9u10 all transitional package to upgrade to libreoffice-gtk2/-systray
ii libreoffice-gtk3 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- GTK+ 3 integration
ii libreoffice-help-common 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- common files for LibreOffice help
ii libreoffice-help-en-us 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- English_american help
ii libreoffice-impress 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- presentation
ii libreoffice-java-common 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- arch-independent Java support files
ii libreoffice-kde5 1:7.0.4~rc2-1~bpo10+2 amd64 transitional package for LibreOffice "KDE 5" integration
ii libreoffice-kf5 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- KDE Frameworks 5 integration
ii libreoffice-l10n-bg 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Bulgarian language package
ii libreoffice-librelogo 1:7.0.4~rc2-1~bpo10+2 all Logo-like programming language for LibreOffice
ii libreoffice-lightproof-en 0.4.3+1.5+git20140515-2 all Lightproof grammar checker for LibreOffice (English)
ii libreoffice-math 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- equation editor
ii libreoffice-mysql-connector 1:7.0.4~rc2-1~bpo10+2 amd64 transitional package for MariaDB/MySQL Connector extension for LibreOffice
ii libreoffice-nlpsolver 0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear Programming" extension for LibreOffice
ii libreoffice-plasma 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- some Plasma integration
ii libreoffice-presentation-minimizer 1:4.3.3-2+deb8u12 all transitional package for the LibreOffice presentation minimizer
ii libreoffice-presenter-console 1:4.3.3-2+deb8u12 all transitional package for the LibreOffice presenter console
ii libreoffice-qt5 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- Qt 5 integration
ii libreoffice-report-builder 1:7.0.4~rc2-1~bpo10+2 all LibreOffice component for building database reports
ii libreoffice-report-builder-bin 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice component for building database reports -- libraries
ii libreoffice-script-provider-bsh 1:7.0.4~rc2-1~bpo10+2 all BeanShell script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js 1:7.0.4~rc2-1~bpo10+2 all JavaScript script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python 1:7.0.4~rc2-1~bpo10+2 all Python script support provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird 1:7.0.4~rc2-1~bpo10+2 amd64 Firebird SDBC driver for LibreOffice
ii libreoffice-sdbc-hsqldb 1:7.0.4~rc2-1~bpo10+2 amd64 HSQLDB SDBC driver for LibreOffice
ii libreoffice-sdbc-mysql 1:7.0.4~rc2-1~bpo10+2 amd64 MariaDB/MySQL SDBC driver for LibreOffice
ii libreoffice-sdbc-postgresql 1:7.0.4~rc2-1~bpo10+2 amd64 PostgreSQL SDBC driver for LibreOffice
ii libreoffice-style-breeze 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Breeze symbol style
ii libreoffice-style-colibre 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- colibre symbol style
ii libreoffice-style-elementary 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Elementary symbol style
rc libreoffice-style-galaxy 1:5.2.7-1+deb9u10 all office productivity suite -- Galaxy (Default) symbol style
rc libreoffice-style-hicontrast 1:5.2.7-1+deb9u10 all office productivity suite -- Hicontrast symbol style
ii libreoffice-style-karasa-jaga 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Karasa Jaga symbol style
rc libreoffice-style-oxygen 1:5.2.7-1+deb9u10 all office productivity suite -- Oxygen symbol style
ii libreoffice-style-sifr 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Sifr symbol style
ii libreoffice-style-sukapura 1:7.0.4~rc2-1~bpo10+2 all office productivity suite -- Sukapura symbol style
ii libreoffice-wiki-publisher 1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension for working with MediaWiki articles
ii libreoffice-writer 1:7.0.4~rc2-1~bpo10+2 amd64 office productivity suite -- word processor
ii libreoffice-writer2latex 1.4-8 all Writer/Calc to LaTeX converter extension for LibreOffice
ii libreoffice-writer2xhtml 1.4-8 all Writer/Calc to XHTML converter extension for LibreOffice
ii libridl-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- Java Uno runtime and base types and types access library (compatibility library)
ii libuno-cppu3 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- CPPU public library
ii libuno-cppuhelpergcc3-3 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- CPPU helper library
ii libuno-purpenvhelpergcc3-3 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- "purpose environment" helper
ii libuno-sal3 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- SAL public library
ii libuno-salhelpergcc3-3 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- SAL helpers for C++ library
ii libunoil-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- UNO interface library (compatibility library)
ii libunoloader-java 1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO runtime environment -- (Java) UNO loader
ii mythes-bg 1:6.2.0-1 all Bulgarian Thesaurus for LibreOffice
ii mythes-de 20160424-3 all German Thesaurus for OpenOffice.org/LibreOffice
ii mythes-en-us 1:6.2.0-1 all English (USA) Thesaurus for LibreOffice
ii mythes-fr 1:6.2.0-1 all French Thesaurus for LibreOffice
ii mythes-ru 1:6.2.0-1 all Russian Thesaurus for LibreOffice
ii python3-uno 1:7.0.4~rc2-1~bpo10+2 amd64 Python-UNO bridge
ii uno-libs-private 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment -- private libraries used by public ones
ii unoconv 0.7-1.1 all converter between LibreOffice document formats
ii ure 1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO runtime environment
milko@host1 ~ $ dpkg -l | grep libreoffice
ii libreoffice 1:6.1.5-3+deb10u6 amd64 office productivity suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer 1:6.1.5-3+deb10u6 amd64 GStreamer backend for LibreOffice
ii libreoffice-base 1:6.1.5-3+deb10u6 amd64 office productivity suite -- database
ii libreoffice-base-core 1:6.1.5-3+deb10u6 amd64 office productivity suite -- shared library
ii libreoffice-base-drivers 1:6.1.5-3+deb10u6 amd64 Database connectivity drivers for LibreOffice
ii libreoffice-calc 1:6.1.5-3+deb10u6 amd64 office productivity suite -- spreadsheet
ii libreoffice-common 1:6.1.5-3+deb10u6 all office productivity suite -- arch-independent files
ii libreoffice-core 1:6.1.5-3+deb10u6 amd64 office productivity suite -- arch-dependent files
ii libreoffice-draw 1:6.1.5-3+deb10u6 amd64 office productivity suite -- drawing
ii libreoffice-emailmerge 1:4.3.3-2+deb8u7 all transitional package for LibreOffices email mail merge
rc libreoffice-filter-binfilter 1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gtk2 1:6.1.5-3+deb10u6 amd64 office productivity suite -- GTK+ 2 integration
ii libreoffice-gtk3 1:6.1.5-3+deb10u6 amd64 office productivity suite -- GTK+ 3 integration
ii libreoffice-impress 1:6.1.5-3+deb10u6 amd64 office productivity suite -- presentation
ii libreoffice-java-common 1:6.1.5-3+deb10u6 all office productivity suite -- arch-independent Java support files
ii libreoffice-kde5 1:6.1.5-3+deb10u6 amd64 office productivity suite -- KDE 5 integration
ii libreoffice-l10n-bg 1:6.1.5-3+deb10u6 all office productivity suite -- Bulgarian language package
ii libreoffice-librelogo 1:6.1.5-3+deb10u6 all Logo-like progamming language for LibreOffice
ii libreoffice-lightproof-en 0.4.3+1.5+git20140515-2 all Lightproof grammar checker for LibreOffice (English)
ii libreoffice-math 1:6.1.5-3+deb10u6 amd64 office productivity suite -- equation editor
ii libreoffice-nlpsolver 0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear Programming" extension for LibreOffice
ii libreoffice-ogltrans 1:6.1.5-3+deb10u6 all transitional package for libreoffice-ogltrans
ii libreoffice-pdfimport 1:6.1.5-3+deb10u6 all transitional package for PDF Import component for LibreOffice
ii libreoffice-report-builder 1:6.1.5-3+deb10u6 all LibreOffice component for building database reports
ii libreoffice-report-builder-bin 1:6.1.5-3+deb10u6 amd64 LibreOffice component for building database reports -- libraries
ii libreoffice-script-provider-bsh 1:6.1.5-3+deb10u6 all BeanShell script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js 1:6.1.5-3+deb10u6 all JavaScript script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python 1:6.1.5-3+deb10u6 all Python script support provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird 1:6.1.5-3+deb10u6 amd64 Firebird SDBC driver for LibreOffice
ii libreoffice-sdbc-hsqldb 1:6.1.5-3+deb10u6 amd64 HSQLDB SDBC driver for LibreOffice
ii libreoffice-sdbc-postgresql 1:6.1.5-3+deb10u6 amd64 PostgreSQL SDBC driver for LibreOffice
ii libreoffice-style-breeze 1:6.1.5-3+deb10u6 all office productivity suite -- Breeze symbol style
ii libreoffice-style-colibre 1:6.1.5-3+deb10u6 all office productivity suite -- colibre symbol style
ii libreoffice-style-elementary 1:6.1.5-3+deb10u6 all office productivity suite -- Elementary symbol style
ii libreoffice-style-sifr 1:6.1.5-3+deb10u6 all office productivity suite -- Sifr symbol style
ii libreoffice-style-tango 1:6.1.5-3+deb10u6 all office productivity suite -- Tango symbol style
ii libreoffice-wiki-publisher 1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension for working with MediaWiki articles
ii libreoffice-writer 1:6.1.5-3+deb10u6 amd64 office productivity suite -- word processor
milko@milko-desktop ~ $ dpkg -l | grep -i -e libreoffice -e 1:6.1.5-3+deb10u6
ii libreoffice 1:6.1.5-3+deb10u6 amd64 office productivity suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer 1:6.1.5-3+deb10u6 amd64 GStreamer backend for LibreOffice
ii libreoffice-base 1:6.1.5-3+deb10u6 amd64 office productivity suite -- database
ii libreoffice-base-core 1:6.1.5-3+deb10u6 amd64 office productivity suite -- shared library
ii libreoffice-base-drivers 1:6.1.5-3+deb10u6 amd64 Database connectivity drivers for LibreOffice
ii libreoffice-calc 1:6.1.5-3+deb10u6 amd64 office productivity suite -- spreadsheet
ii libreoffice-common 1:6.1.5-3+deb10u6 all office productivity suite -- arch-independent files
ii libreoffice-core 1:6.1.5-3+deb10u6 amd64 office productivity suite -- arch-dependent files
ii libreoffice-draw 1:6.1.5-3+deb10u6 amd64 office productivity suite -- drawing
ii libreoffice-emailmerge 1:4.3.3-2+deb8u7 all transitional package for LibreOffices email mail merge
rc libreoffice-filter-binfilter 1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gtk2 1:6.1.5-3+deb10u6 amd64 office productivity suite -- GTK+ 2 integration
ii libreoffice-gtk3 1:6.1.5-3+deb10u6 amd64 office productivity suite -- GTK+ 3 integration
ii libreoffice-impress 1:6.1.5-3+deb10u6 amd64 office productivity suite -- presentation
ii libreoffice-java-common 1:6.1.5-3+deb10u6 all office productivity suite -- arch-independent Java support files
ii libreoffice-kde5 1:6.1.5-3+deb10u6 amd64 office productivity suite -- KDE 5 integration
ii libreoffice-l10n-bg 1:6.1.5-3+deb10u6 all office productivity suite -- Bulgarian language package
ii libreoffice-librelogo 1:6.1.5-3+deb10u6 all Logo-like progamming language for LibreOffice
ii libreoffice-lightproof-en 0.4.3+1.5+git20140515-2 all Lightproof grammar checker for LibreOffice (English)
ii libreoffice-math 1:6.1.5-3+deb10u6 amd64 office productivity suite -- equation editor
ii libreoffice-nlpsolver 0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear Programming" extension for LibreOffice
ii libreoffice-ogltrans 1:6.1.5-3+deb10u6 all transitional package for libreoffice-ogltrans
ii libreoffice-pdfimport 1:6.1.5-3+deb10u6 all transitional package for PDF Import component for LibreOffice
ii libreoffice-report-builder 1:6.1.5-3+deb10u6 all LibreOffice component for building database reports
ii libreoffice-report-builder-bin 1:6.1.5-3+deb10u6 amd64 LibreOffice component for building database reports -- libraries
ii libreoffice-script-provider-bsh 1:6.1.5-3+deb10u6 all BeanShell script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js 1:6.1.5-3+deb10u6 all JavaScript script support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python 1:6.1.5-3+deb10u6 all Python script support provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird 1:6.1.5-3+deb10u6 amd64 Firebird SDBC driver for LibreOffice
ii libreoffice-sdbc-hsqldb 1:6.1.5-3+deb10u6 amd64 HSQLDB SDBC driver for LibreOffice
ii libreoffice-sdbc-postgresql 1:6.1.5-3+deb10u6 amd64 PostgreSQL SDBC driver for LibreOffice
ii libreoffice-style-breeze 1:6.1.5-3+deb10u6 all office productivity suite -- Breeze symbol style
ii libreoffice-style-colibre 1:6.1.5-3+deb10u6 all office productivity suite -- colibre symbol style
ii libreoffice-style-elementary 1:6.1.5-3+deb10u6 all office productivity suite -- Elementary symbol style
ii libreoffice-style-sifr 1:6.1.5-3+deb10u6 all office productivity suite -- Sifr symbol style
ii libreoffice-style-tango 1:6.1.5-3+deb10u6 all office productivity suite -- Tango symbol style
ii libreoffice-wiki-publisher 1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension for working with MediaWiki articles
ii libreoffice-writer 1:6.1.5-3+deb10u6 amd64 office productivity suite -- word processor
ii mythes-de 20160424-3 all German Thesaurus for OpenOffice.org/LibreOffice
ii mythes-en-us 1:6.2.0-1 all English (USA) Thesaurus for LibreOffice
ii mythes-fr 1:6.2.0-1 all French Thesaurus for LibreOffice
ii mythes-ru 1:6.2.0-1 all Russian Thesaurus for LibreOffice
ii python3-uno 1:6.1.5-3+deb10u6 amd64 Python-UNO bridge
ii uno-libs3 6.1.5-3+deb10u6 amd64 LibreOffice UNO runtime environment -- public shared libraries
ii ure 6.1.5-3+deb10u6 amd64 LibreOffice UNO runtime environment
-- System Information:
Debian Release: 10.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-13-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8), LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libreoffice-calc depends on:
ii coinor-libcbc3 2.9.9+repack1-1
ii coinor-libcoinmp1v5 1.8.3-2+b11
ii coinor-libcoinutils3v5 2.10.14+repack1-1
ii libatlas3-base [liblapack.so.3] 3.10.3-8
ii libblas3 [libblas.so.3] 3.8.0-2
ii libboost-filesystem1.67.0 1.67.0-13+deb10u1
ii libboost-iostreams1.67.0 1.67.0-13+deb10u1
ii libbz2-1.0 1.0.6-9.2~deb10u1
ii libc6 2.28-10
ii libetonyek-0.1-1 0.1.9-1
ii libgcc1 1:8.3.0-6
ii libicu63 63.1-6+deb10u1
ii liblapack3 [liblapack.so.3] 3.8.0-2
ii liblcms2-2 2.9-3
ii libmwaw-0.3-3 0.3.14-1
ii libodfgen-0.1-1 0.1.7-1
ii liborcus-0.14-0 0.14.1-6
ii libreoffice-base-core 1:6.1.5-3+deb10u6
ii libreoffice-core 1:6.1.5-3+deb10u6
ii librevenge-0.0-0 0.0.4-6
ii libstaroffice-0.0-0 0.0.6-1
ii libstdc++6 8.3.0-6
ii libwps-0.4-4 0.4.10-1
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii lp-solve 5.5.0.15-4+b1
ii uno-libs3 6.1.5-3+deb10u6
ii ure 6.1.5-3+deb10u6
ii zlib1g 1:1.2.11.dfsg-1
libreoffice-calc recommends no packages.
Versions of packages libreoffice-calc suggests:
ii mesa-opencl-icd 18.3.6-2+deb10u1
ii ocl-icd-libopencl1 2.2.12-2
Versions of packages libreoffice-core depends on:
ii fontconfig 2.13.1-2
ii fonts-opensymbol 2:102.10+LibO6.1.5-3+deb10u6
ii libboost-date-time1.67.0 1.67.0-13+deb10u1
ii libboost-locale1.67.0 1.67.0-13+deb10u1
ii libc6 2.28-10
ii libcairo2 1.16.0-4+deb10u1
ii libclucene-contribs1v5 2.3.3.4+dfsg-1
ii libclucene-core1v5 2.3.3.4+dfsg-1
ii libcmis-0.5-5v5 0.5.2-1
ii libcups2 2.2.10-6+deb10u4
ii libcurl3-gnutls 7.64.0-4+deb10u1
ii libdbus-1-3 1.12.20-0+deb10u1
ii libdbus-glib-1-2 0.110-4
ii libdconf1 0.30.1-2
ii libeot0 0.01-5
ii libepoxy0 1.5.3-0.1
ii libexpat1 2.2.6-2+deb10u1
ii libexttextcat-2.0-0 3.4.5-1
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3+deb10u2
ii libgcc1 1:8.3.0-6
ii libglib2.0-0 2.58.3-2+deb10u2
ii libgpgmepp6 1.12.0-6
ii libgraphite2-3 1.3.13-7
ii libharfbuzz-icu0 2.3.1-1
ii libharfbuzz0b 2.3.1-1
ii libhunspell-1.7-0 1.7.0-2
ii libhyphen0 2.8.8-7
ii libice6 2:1.0.9-2
ii libicu63 63.1-6+deb10u1
ii libjpeg62-turbo 1:1.5.2-2+deb10u1
ii liblcms2-2 2.9-3
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u6
ii libmythes-1.2-0 2:1.2.4-3
ii libneon27-gnutls 0.30.2-3
ii libnspr4 2:4.20-1
ii libnss3 2:3.42.1-1+deb10u3
ii libnumbertext-1.0-0 1.0.5-1
ii libodfgen-0.1-1 0.1.7-1
ii liborcus-0.14-0 0.14.1-6
ii libpng16-16 1.6.36-6
ii libpoppler82 0.71.0-5
ii librdf0 1.0.17-1.1+b1
ii libreoffice-common 1:6.1.5-3+deb10u6
ii librevenge-0.0-0 0.0.4-6
ii libsm6 2:1.2.3-1
ii libstdc++6 8.3.0-6
ii libx11-6 2:1.6.7-1+deb10u1
ii libxext6 2:1.3.3-1+b2
ii libxinerama1 2:1.1.4-2
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii libxmlsec1 1.2.27-2
ii libxmlsec1-nss 1.2.27-2
ii libxrandr2 2:1.5.1-1
ii libxrender1 1:0.9.10-1
ii libxslt1.1 1.1.32-2.2~deb10u1
ii uno-libs3 6.1.5-3+deb10u6
ii ure 6.1.5-3+deb10u6
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages libreoffice-core recommends:
ii libpaper-utils 1.1.28
-- no debconf information
On Sunday, 7 March 2021, 14:18:33 EET Salvatore Bonaccorso wrote:
> Hi Milko,
>
> On Sat, Feb 27, 2021 at 08:36:31PM +0200, Milko Krachounov wrote:
> > Package: libreoffice-calc
> > Version: 1:6.1.5-3+deb10u6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > When opening any CSV file with LibreOffice Calc, Calc opens and executes
> > encodings.py from the current working directory. That presumably happens
> > because
> >
> > Some file managers, including Krusader and mc, would launch localc in the
> > current directory, as would running it from the command line (such as
> > `localc file.csv'), thereby running encodings.py from the directory
> > containing the file.
> >
> > The issue is not present when LibreOffice is launched through the
> > application launcher, and the file is opened later through whatever
> > means (neither Open file, nor through a file manager or the command
> > line, since localc already operates in one's $HOME in that instance)
> >
> > To reproduce the issue, one needs to:
> > 1. Close LibreOffice *completely*
> > 2. In an empty directory, create "encodings.py" which raises an exception
> > 3. In the same directory (for simplicity), create "file.csv" with some
> >
> > rows.
> >
> > 4. Open "file.csv" with `localc ./file.csv' using the directory containing
> >
> > "encodings.py" (double clicking in krusader and mc leads to the same
> > result)
> >
> > The result is that LibreOffice crashes with the Python exception raised
> > by the rogue encodings.py, and then exits with an error that reads:
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > An offer is made to recover the unsaved file (but the list is empty),
> > relaunching LO sometimes leads to new crashes.
> >
> > This is NOT the only way the issue happens, I was able to get the
> > same crash while clicking through the menus or editing an .ods
> > which initially didn't cause a crash, but those aren't deterministically
> > reproduced, whereas the .csv route seems to guarantee a crash for me
> > even when the .csv is ASCII.
> >
> > The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
> > Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
> > by apt are present on either machine (on the one with 6.1.5 I never
> > installed any, and on the 7.0.4 I'm trusting what the LO extension
> > manager is telling me, since I cannot recall for sure)
> >
> > Here's the console chatter:
> >
> > # Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
> > milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
> > raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a
> > bar") milko@host2 ~/Временна/LOSecurity $ cat > test.csv
> > Column 1;Column 2;Column 3
> > текст;ຂໍ້ຄວາມ;text
> > milko@host2 ~/Временна/LOSecurity $ localc test.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
> > Column 1;Column 2;Column 3
> > text1;text2;text3
> > milko@host2 ~/Временна/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Application Error
> > milko@host2 ~/Временна/LOSecurity $
> >
> >
> > # Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
> > # The encodings.py and test.csv were copied from host2
> > milko@host1 ~/Временни/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host1 ~/Временни/LOSecurity $ lowriter
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > ^C
> > milko@host1 ~/Временни/LOSecurity $
> >
> >
> > LO packages installed on host1 and host2. I do apologize for the untidy
> > mess with transitional and unpurged packages and leftover from the dawn of
> > time (especially on host2) -- I didn't expect someone to be looking
> > through
> > my messy house -- but I have to leave them here in case one of them comes
> > responsible.
>
> [...]
>
> Thanks for the report.
>
> Can yu pleas make this directly a public report in the Debian BTS?
>
> Regards,
> Salvatore
Attachment:
LOSecurity.tar.gz
Description: application/compressed-tar