
Bug#984703: libreoffice-calc: LibreOffice Calc executes code from current dir (encodings.py) when opening a .csv



Hi again,

On 07.03.21 at 23:08, Rene Engelhard wrote:
> On 07.03.21 at 22:45, Milko Krachounov wrote:
>> After some additional testing, checking my environment and inspecting pyuno/
>> source/loader/pyuno_loader.cxx, I want to amend the report, particularly about 
>> 7.0.4 which is not affected (kind of).
> 
> Interestingly, in discussion on #debian-devel it is said that it does :/
> 
> See below.
[...]

OK, some more discussion sheds some more light on it and would explain
it. From #debian-devel again:

23:10 < _jwilk> OK, I kinda reproduced in buster without setting
PYTHONPATH myself. It doesn't crash for me, but it can't open the CSV file.
23:11 < _jwilk> I had to install libreoffice-lightproof-pt-br to trigger
the bug.
23:13 < _jwilk> So, yay, mystery solved?
23:14 < _rene_> on sid?
23:14 < _rene_> ah, on buster. yes, probably.
23:15 < _rene_> but according to the submitter and the upstream bug it
does not happen on 7.0.x
23:15 < _rene_> guess I need to fire up a buster vm
23:15 < _rene_> (and probably backport the upstream fix to buster. *sigh*)
23:16 < _rene_> yeah, libreoffice-lightproof-* is python. but I have
libreoffice-lightproof-en installed, too
23:16 < bunk> libreoffice-lightproof-en makes it reproducible for me on
buster
23:17 < _rene_> gah. even on my testing, indeed
23:17 < _rene_> no idea what I tested before, probably I didn't do
PYTHONPATH=.
23:17 < _rene_> ok, so it boils down to
23:18 < _rene_> a) buster is affected without interaction (-> bad)
23:18 < _rene_> b) testing/sid is when setting PYTHONPATH=. (-> not
ideal, but one shouldn't do so(tm))
23:21 < _rene_> thus this is something one needs to fix for buster, for
testing/sid it's "user error"
23:21  * _jwilk nods.
23:22 < bunk> I see some similarities between a) and
https://security-tracker.debian.org/tracker/CVE-2016-1238
23:22 < _rene_> indeed

@Salvatore: Want it done via DSA?

Regards,


Rene
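A defender-side check for the two conditions the discussion above boils down to (the working directory being on sys.path, via "" or "." from PYTHONPATH=. or otherwise, and a file in the opened .csv's directory shadowing a startup module such as encodings.py). This is an added example, not code from this bug report or from LibreOffice; the list of startup modules and the constructed sample directory are assumptions.

```python
import os
import tempfile

# Modules the Python interpreter (and so any host embedding it, such as the
# pyuno loader) imports at startup. A same-named file in the directory of the
# opened .csv shadows them once that directory is on sys.path.
# "encodings" is the one this bug report names; the rest are assumptions.
IMPLICIT_STDLIB_MODULES = ("encodings", "codecs", "site", "os", "io", "abc")


def cwd_entries(path_entries, cwd):
    """Return the sys.path entries that resolve to `cwd`.

    "" and "." (what PYTHONPATH=. yields) always count: they mean
    "import from wherever the process currently is".
    """
    cwd = os.path.abspath(cwd)
    return [p for p in path_entries
            if p in ("", ".") or os.path.abspath(p) == cwd]


def shadowed_modules(directory, names=IMPLICIT_STDLIB_MODULES):
    """Return the names that a file or package inside `directory` would shadow."""
    hits = []
    for name in names:
        as_file = os.path.join(directory, name + ".py")
        as_pkg = os.path.join(directory, name, "__init__.py")
        if os.path.isfile(as_file) or os.path.isfile(as_pkg):
            hits.append(name)
    return hits


def audit(path_entries, directory):
    """Risk exists only when `directory` is importable AND holds a shadowing module."""
    on_path = bool(cwd_entries(path_entries, directory))
    shadows = shadowed_modules(directory)
    return {"cwd_on_path": on_path, "shadowed": shadows,
            "at_risk": on_path and bool(shadows)}


def make_sample_dir(shadow_name="encodings"):
    """Constructed sample input: a temp directory holding a placeholder <shadow_name>.py."""
    d = tempfile.mkdtemp(prefix="csv_dir_")
    with open(os.path.join(d, shadow_name + ".py"), "w") as fh:
        fh.write("# constructed placeholder standing in for the file this report describes\n")
    return d
```

Run `audit(sys.path, os.getcwd())` inside the embedding process (or a plain interpreter started from the document's directory) to see whether the a)/b) conditions from the discussion hold on a given install.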