Your message dated Sun, 14 Mar 2021 10:02:09 +0000
with message-id <E1lLNZZ-000CvJ-Nk@fasolo.debian.org>
and subject line Bug#984703: fixed in libreoffice 1:6.1.5-3+deb10u7
has caused the Debian Bug report #984703,
regarding libreoffice-calc: LibreOffice Calc executes code from current dir (encodings.py) when opening a .csv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
984703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984703
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Debian Security Team <team@security.debian.org>, Salvatore Bonaccorso <carnil@debian.org>
- Subject: libreoffice-calc: LibreOffice Calc executes code from current dir (encodings.py) when opening a .csv
- From: Milko Krachounov <bugsbunny@milko.3mhz.net>
- Date: Sun, 07 Mar 2021 14:34:53 +0200
- Message-id: <2241475.zvpgPdVmxh@obelix>
- In-reply-to: <YETEmeNzj0Xx7fz9@eldamar.lan>
- References: <1817975.75tnzI3NuF@obelix> <YETEmeNzj0Xx7fz9@eldamar.lan>
Package: libreoffice-calc
Version: 1:6.1.5-3+deb10u6
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

When opening any CSV file with LibreOffice Calc, Calc opens and executes
encodings.py from the current working directory. That presumably happens
because

Some file managers, including Krusader and mc, would launch localc in the
current directory, as would running it from the command line (such as
`localc file.csv'), thereby running encodings.py from the directory
containing the file.

The issue is not present when LibreOffice is launched through the
application launcher, and the file is opened later through whatever
means (neither Open file, nor through a file manager or the command
line, since localc already operates in one's $HOME in that instance)

To reproduce the issue, one needs to:
1. Close LibreOffice *completely*
2. In an empty directory, create "encodings.py" which raises an exception
3. In the same directory (for simplicity), create "file.csv" with some
   rows.
4. Open "file.csv" with `localc ./file.csv' using the directory containing
   "encodings.py" (double clicking in krusader and mc leads to the same
   result)

The result is that LibreOffice crashes with the Python exception raised
by the rogue encodings.py, and then exits with an error that reads:
Fatal Python error: initfsencoding: Unable to get the locale encoding

An offer is made to recover the unsaved file (but the list is empty),
relaunching LO sometimes leads to new crashes.

This is NOT the only way the issue happens, I was able to get the
same crash while clicking through the menus or editing an .ods
which initially didn't cause a crash, but those aren't deterministically
reproduced, whereas the .csv route seems to guarantee a crash for me
even when the .csv is ASCII.

The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
by apt are present on either machine (on the one with 6.1.5 I never
installed any, and on the 7.0.4 I'm trusting what the LO extension
manager is telling me, since I cannot recall for sure)

Here's the console chatter:

# Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a bar")
milko@host2 ~/Временна/LOSecurity $ cat > test.csv
Column 1;Column 2;Column 3
текст;ຂໍ້ຄວາມ;text
milko@host2 ~/Временна/LOSecurity $ localc test.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
Column 1;Column 2;Column 3
text1;text2;text3
milko@host2 ~/Временна/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Application Error
milko@host2 ~/Временна/LOSecurity $

# Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
# The encodings.py and test.csv were copied from host2
milko@host1 ~/Временни/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host1 ~/Временни/LOSecurity $ lowriter
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
^C
milko@host1 ~/Временни/LOSecurity $

LO packages installed on host1 and host2. I do apologize for the untidy
mess with transitional and unpurged packages and leftover from the dawn of
time (especially on host2) -- I didn't expect someone to be looking through
my messy house -- but I have to leave them here in case one of them comes
responsible.

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-13-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8), LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

On Sunday, 7 March 2021, 14:18:33 EET Salvatore Bonaccorso wrote:
> Hi Milko,
>
> On Sat, Feb 27, 2021 at 08:36:31PM +0200, Milko Krachounov wrote:
> > Package: libreoffice-calc
> > Version: 1:6.1.5-3+deb10u6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > When opening any CSV file with LibreOffice Calc, Calc opens and executes
> > encodings.py from the current working directory. That presumably happens
> > because
> >
> > Some file managers, including Krusader and mc, would launch localc in the
> > current directory, as would running it from the command line (such as
> > `localc file.csv'), thereby running encodings.py from the directory
> > containing the file.
> >
> > The issue is not present when LibreOffice is launched through the
> > application launcher, and the file is opened later through whatever
> > means (neither Open file, nor through a file manager or the command
> > line, since localc already operates in one's $HOME in that instance)
> >
> > To reproduce the issue, one needs to:
> > 1. Close LibreOffice *completely*
> > 2. In an empty directory, create "encodings.py" which raises an exception
> > 3. In the same directory (for simplicity), create "file.csv" with some
> >
> > rows.
> >
> > 4. Open "file.csv" with `localc ./file.csv' using the directory containing
> >
> > "encodings.py" (double clicking in krusader and mc leads to the same
> > result)
> >
> > The result is that LibreOffice crashes with the Python exception raised
> > by the rogue encodings.py, and then exits with an error that reads:
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > An offer is made to recover the unsaved file (but the list is empty),
> > relaunching LO sometimes leads to new crashes.
> >
> > This is NOT the only way the issue happens, I was able to get the
> > same crash while clicking through the menus or editing an .ods
> > which initially didn't cause a crash, but those aren't deterministically
> > reproduced, whereas the .csv route seems to guarantee a crash for me
> > even when the .csv is ASCII.
> >
> > The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
> > Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
> > by apt are present on either machine (on the one with 6.1.5 I never
> > installed any, and on the 7.0.4 I'm trusting what the LO extension
> > manager is telling me, since I cannot recall for sure)
> >
> > Here's the console chatter:
> >
> > # Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
> > milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
> > raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a
> > bar") milko@host2 ~/Временна/LOSecurity $ cat > test.csv
> > Column 1;Column 2;Column 3
> > текст;ຂໍ້ຄວາມ;text
> > milko@host2 ~/Временна/LOSecurity $ localc test.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
> > Column 1;Column 2;Column 3
> > text1;text2;text3
> > milko@host2 ~/Временна/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Application Error
> > milko@host2 ~/Временна/LOSecurity $
> >
> >
> > # Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
> > # The encodings.py and test.csv were copied from host2
> > milko@host1 ~/Временни/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> >   File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host1 ~/Временни/LOSecurity $ lowriter
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> >   File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > ^C
> > milko@host1 ~/Временни/LOSecurity $
> >
> >
> > LO packages installed on host1 and host2. I do apologize for the untidy
> > mess with transitional and unpurged packages and leftover from the dawn of
> > time (especially on host2) -- I didn't expect someone to be looking
> > through
> > my messy house -- but I have to leave them here in case one of them comes
> > responsible.
>
> [...]
>
> Thanks for the report.
>
> Can you please make this directly a public report in the Debian BTS?
>
> Regards,
> Salvatore

Attachment: LOSecurity.tar.gz
Description: application/compressed-tar
--- End Message ---
--- Begin Message ---
- To: 984703-close@bugs.debian.org
- Subject: Bug#984703: fixed in libreoffice 1:6.1.5-3+deb10u7
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 14 Mar 2021 10:02:09 +0000
- Message-id: <E1lLNZZ-000CvJ-Nk@fasolo.debian.org>
- Reply-to: Rene Engelhard <rene@debian.org>
Source: libreoffice
Source-Version: 1:6.1.5-3+deb10u7
Done: Rene Engelhard <rene@debian.org>

We believe that the bug you reported is fixed in the latest version of
libreoffice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libreoffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 08 Mar 2021 13:13:24 +0100
Source: libreoffice
Architecture: source
Version: 1:6.1.5-3+deb10u7
Distribution: buster
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Closes: 984703
Changes:
 libreoffice (1:6.1.5-3+deb10u7) buster; urgency=medium
 .
   * debian/patches/fix-PYTHONPATH.diff: backport upstream fix to not leave
     a bare trailing : in PYTHONPATH as it causes unconditional loading of
     encodings.py from . (closes: #984703)
--- End Message ---
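
Added example (not part of the bug log, and not LibreOffice's, Debian's or the reporter's code): the changelog above attributes the bug to a bare trailing ':' left in PYTHONPATH, which Python takes as the current directory. The shell functions below show how unconditional concatenation produces such an entry when the old value is empty, next to a guarded form, a check for empty components and a check for the file named in the report. The function names and the /opt/example path are made up for illustration, and how LibreOffice's launcher actually builds the variable is an assumption, since the page does not show it.

```shell
#!/bin/sh
# Added example: spotting and avoiding empty PYTHONPATH components.
# All names and paths here are hypothetical, not taken from LibreOffice.

# path_prepend_naive OLD DIR
# The pattern that leaves a bare ':' behind: OLD is concatenated without
# checking whether it is empty. With OLD='' the result is "DIR:".
path_prepend_naive() {
    printf '%s\n' "$2:$1"
}

# path_prepend OLD DIR
# Guarded form: the ':' separator is only written when both sides exist.
path_prepend() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2${1:+:$1}"
    fi
}

# path_has_empty_entry LIST
# Returns 0 when the colon-separated LIST has an empty component
# (leading ':', trailing ':' or '::'). Each one stands for the current
# directory on Python's module search path.
path_has_empty_entry() {
    case "$1" in
        '')          return 1 ;;  # empty value: no components at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# path_strip_empty LIST
# Prints LIST with every empty component removed, order preserved.
path_strip_empty() {
    _out=
    _rest=$1
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *:*) _head=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _head=$_rest; _rest= ;;
        esac
        if [ -n "$_head" ]; then
            _out=${_out:+$_out:}$_head
        fi
    done
    printf '%s\n' "$_out"
}

# dir_shadows_encodings [DIR]
# Returns 0 when DIR (default: current directory) holds an encodings.py,
# the file the report shows being picked up at interpreter start-up.
dir_shadows_encodings() {
    [ -e "${1:-.}/encodings.py" ]
}

# Demo on constructed values.
demo_old=''                      # PYTHONPATH not set by the caller
demo_dir='/opt/example/program'  # hypothetical directory a launcher adds
printf 'naive:    %s\n' "$(path_prepend_naive "$demo_old" "$demo_dir")"
printf 'hardened: %s\n' "$(path_prepend "$demo_old" "$demo_dir")"
if path_has_empty_entry "${PYTHONPATH:-}"; then
    printf 'warning: PYTHONPATH has an empty component\n'
fi
```

Running `path_has_empty_entry "$PYTHONPATH"` in a wrapper before starting an embedded interpreter catches the condition regardless of which script introduced it.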