
Bug#984703: marked as done (libreoffice-calc: LibreOffice Calc executes code from current dir (encodings.py) when opening a .csv)



Your message dated Sun, 14 Mar 2021 10:02:09 +0000
with message-id <E1lLNZZ-000CvJ-Nk@fasolo.debian.org>
and subject line Bug#984703: fixed in libreoffice 1:6.1.5-3+deb10u7
has caused the Debian Bug report #984703,
regarding libreoffice-calc: LibreOffice Calc executes code from current dir (encodings.py) when opening a .csv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984703
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
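
A check for the condition this bug depends on: a file in the working directory named after a Python standard-library module, such as encodings.py. This is an added example, not code from the report or from LibreOffice; the function names and the sample directory are constructed for illustration, and the startup-module list reflects general CPython behaviour rather than anything stated in the report.

```python
import os
import sys
import tempfile

# Modules CPython imports (or tries to import) while the interpreter is still
# initialising, before any application code runs. A same-named file that sits
# earlier on the module search path is executed at that point.
STARTUP_MODULES = frozenset({
    "encodings", "codecs", "io", "abc", "site", "os", "stat",
    "posixpath", "genericpath", "_collections_abc",
    "sitecustomize", "usercustomize",
})

# Full standard-library name list where the running Python provides one (3.10+).
STDLIB_MODULES = frozenset(getattr(sys, "stdlib_module_names", ())) | STARTUP_MODULES

# File suffixes the import system treats as modules.
_SUFFIXES = (".py", ".pyc", ".so", ".pyd")


def module_name(entry_name, full_path):
    """Return the importable module name a directory entry provides, or None."""
    if os.path.isdir(full_path):
        # Only a directory with __init__.py is a regular package. A bare
        # directory is a namespace-package candidate, and a regular module
        # found later on the search path still wins over it.
        if os.path.isfile(os.path.join(full_path, "__init__.py")):
            return entry_name
        return None
    for suffix in _SUFFIXES:
        if entry_name.endswith(suffix):
            # "encodings.cpython-39-x86_64-linux-gnu.so" -> "encodings"
            return entry_name.split(".", 1)[0] or None
    return None


def find_shadowing_modules(directory):
    """List (module, entry, severity) for entries that shadow stdlib names.

    severity is "startup" when the module is loaded during interpreter
    initialisation and "on-import" when it runs only once something imports it.
    """
    findings = []
    for entry in sorted(os.listdir(directory)):
        name = module_name(entry, os.path.join(directory, entry))
        if name in STDLIB_MODULES:
            severity = "startup" if name in STARTUP_MODULES else "on-import"
            findings.append((name, entry, severity))
    return findings


def cwd_relative_entries(search_path):
    """Return module-search-path entries that resolve against the working
    directory: the empty string, "." and any other relative path."""
    return [p for p in search_path if not os.path.isabs(p)]


def build_sample_directory(root):
    """Constructed sample: the file layout from the report plus benign entries."""
    for fname in ("encodings.py", "test.csv", "notes.py"):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("# constructed sample file\n")
    os.mkdir(os.path.join(root, "site"))  # no __init__.py: not a regular package
    os.mkdir(os.path.join(root, "codecs"))
    open(os.path.join(root, "codecs", "__init__.py"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_directory(root)
        for name, entry, severity in find_shadowing_modules(root):
            print(f"{severity:9} {entry} shadows standard-library module {name!r}")
    # Constructed search path: two of the three entries depend on the cwd.
    print(cwd_relative_entries(["", "/usr/lib/python3/dist-packages", "."]))
```

Run `find_shadowing_modules` on a download or shared directory before launching an application from it; a "startup" finding means the file would run as soon as an affected interpreter initialises there.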
--- Begin Message ---
Package: libreoffice-calc
Version: 1:6.1.5-3+deb10u6
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

When opening any CSV file with LibreOffice Calc, Calc opens and executes
encodings.py from the current working directory. That presumably happens
because 

Some file managers, including Krusader and mc, would launch localc in the 
current directory, as would running it from the command line (such as
`localc file.csv'), thereby running encodings.py from the directory
containing the file.

The issue is not present when LibreOffice is launched through the 
application launcher, and the file is opened later through whatever 
means (neither Open file, nor through a file manager or the command 
line, since localc already operates in one's $HOME in that instance).

To reproduce the issue, one needs to:
1. Close LibreOffice *completely*
2. In an empty directory, create "encodings.py" which raises an exception
3. In the same directory (for simplicity), create "file.csv" with some 
   rows.
4. Open "file.csv" with `localc ./file.csv' using the directory containing
   "encodings.py" (double clicking in krusader and mc leads to the same
   result)

The result is that LibreOffice crashes with the Python exception raised
by the rogue encodings.py, and then exits with an error that reads:
Fatal Python error: initfsencoding: Unable to get the locale encoding

An offer is made to recover the unsaved file (but the list is empty). 
Relaunching LO sometimes leads to new crashes.

This is NOT the only way the issue happens, I was able to get the 
same crash while clicking through the menus or editing an .ods 
which initially didn't cause a crash, but those aren't deterministically
reproduced, whereas the .csv route seems to guarantee a crash for me
even when the .csv is ASCII.

The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
by apt are present on either machine (on the one with 6.1.5 I never
installed any, and on the 7.0.4 I'm trusting what the LO extension 
manager is telling me, since I cannot recall for sure)

Here's the console chatter:

# Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a bar")
milko@host2 ~/Временна/LOSecurity $ cat > test.csv
Column 1;Column 2;Column 3
текст;ຂໍ້ຄວາມ;text
milko@host2 ~/Временна/LOSecurity $ localc test.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
Column 1;Column 2;Column 3
text1;text2;text3
milko@host2 ~/Временна/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Application Error
milko@host2 ~/Временна/LOSecurity $


# Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
# The encodings.py and test.csv were copied from host2
milko@host1 ~/Временни/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host1 ~/Временни/LOSecurity $ lowriter
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
  File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
^C
milko@host1 ~/Временни/LOSecurity $


LO packages installed on host1 and host2. I do apologize for the untidy 
mess with transitional and unpurged packages and leftovers from the dawn of 
time (especially on host2) -- I didn't expect someone to be looking through 
my messy house -- but I have to leave them here in case one of them turns 
out to be responsible.


milko@host2 ~ $ dpkg -l | grep -i -e libreoffice -e 1:7.0.4~rc2-1~bpo10+2
ii  hyphen-ru                                                   20030310-1                                   all          Russian hyphenation patterns for LibreOffice/OpenOffice.org
ii  jabref-plugin-oo                                            2.10+ds-3                                    all          LibreOffice plugin for JabRef (transitional dummy package)
ii  libjuh-java                                                 1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- Java Uno helper (compatibility library)
ii  libjurt-java                                                1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- Java Uno Runtime (compatibility library)
ii  liblibreoffice-java                                         1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- Java library
ii  libreoffice                                                 1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite (metapackage)
ii  libreoffice-avmedia-backend-gstreamer                       1:7.0.4~rc2-1~bpo10+2                        amd64        transitional package for GStreamer backend for LibreOffice
ii  libreoffice-base                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- database
ii  libreoffice-base-core                                       1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- shared library
ii  libreoffice-base-drivers                                    1:7.0.4~rc2-1~bpo10+2                        amd64        Database connectivity drivers for LibreOffice
ii  libreoffice-calc                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- spreadsheet
ii  libreoffice-common                                          1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- arch-independent files
ii  libreoffice-core                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- arch-dependent files
ii  libreoffice-draw                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- drawing
rc  libreoffice-filter-binfilter                                1:3.5.4+dfsg2-0+deb7u2                       amd64        office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii  libreoffice-gnome                                           1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- GNOME integration
rc  libreoffice-gtk                                             1:5.2.7-1+deb9u10                            all          transitional package to upgrade to libreoffice-gtk2/-systray
ii  libreoffice-gtk3                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- GTK+ 3 integration
ii  libreoffice-help-common                                     1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- common files for LibreOffice help
ii  libreoffice-help-en-us                                      1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- English_american help
ii  libreoffice-impress                                         1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- presentation
ii  libreoffice-java-common                                     1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- arch-independent Java support files
ii  libreoffice-kde5                                            1:7.0.4~rc2-1~bpo10+2                        amd64        transitional package for LibreOffice "KDE 5" integration
ii  libreoffice-kf5                                             1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- KDE Frameworks 5 integration
ii  libreoffice-l10n-bg                                         1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Bulgarian language package
ii  libreoffice-librelogo                                       1:7.0.4~rc2-1~bpo10+2                        all          Logo-like programming language for LibreOffice
ii  libreoffice-lightproof-en                                   0.4.3+1.5+git20140515-2                      all          Lightproof grammar checker for LibreOffice (English)
ii  libreoffice-math                                            1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- equation editor
ii  libreoffice-mysql-connector                                 1:7.0.4~rc2-1~bpo10+2                        amd64        transitional package for MariaDB/MySQL Connector extension for LibreOffice
ii  libreoffice-nlpsolver                                       0.9+LibO6.1.5-3+deb10u6                      all          "Solver for Nonlinear Programming" extension for LibreOffice
ii  libreoffice-plasma                                          1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- some Plasma integration
ii  libreoffice-presentation-minimizer                          1:4.3.3-2+deb8u12                            all          transitional package for the LibreOffice presentation minimizer
ii  libreoffice-presenter-console                               1:4.3.3-2+deb8u12                            all          transitional package for the LibreOffice presenter console
ii  libreoffice-qt5                                             1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- Qt 5 integration
ii  libreoffice-report-builder                                  1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice component for building database reports
ii  libreoffice-report-builder-bin                              1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice component for building database reports -- libraries
ii  libreoffice-script-provider-bsh                             1:7.0.4~rc2-1~bpo10+2                        all          BeanShell script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-js                              1:7.0.4~rc2-1~bpo10+2                        all          JavaScript script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-python                          1:7.0.4~rc2-1~bpo10+2                        all          Python script support provider for LibreOffice scripting framework
ii  libreoffice-sdbc-firebird                                   1:7.0.4~rc2-1~bpo10+2                        amd64        Firebird SDBC driver for LibreOffice
ii  libreoffice-sdbc-hsqldb                                     1:7.0.4~rc2-1~bpo10+2                        amd64        HSQLDB SDBC driver for LibreOffice
ii  libreoffice-sdbc-mysql                                      1:7.0.4~rc2-1~bpo10+2                        amd64        MariaDB/MySQL SDBC driver for LibreOffice
ii  libreoffice-sdbc-postgresql                                 1:7.0.4~rc2-1~bpo10+2                        amd64        PostgreSQL SDBC driver for LibreOffice
ii  libreoffice-style-breeze                                    1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Breeze symbol style
ii  libreoffice-style-colibre                                   1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- colibre symbol style
ii  libreoffice-style-elementary                                1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Elementary symbol style
rc  libreoffice-style-galaxy                                    1:5.2.7-1+deb9u10                            all          office productivity suite -- Galaxy (Default) symbol style
rc  libreoffice-style-hicontrast                                1:5.2.7-1+deb9u10                            all          office productivity suite -- Hicontrast symbol style
ii  libreoffice-style-karasa-jaga                               1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Karasa Jaga symbol style
rc  libreoffice-style-oxygen                                    1:5.2.7-1+deb9u10                            all          office productivity suite -- Oxygen symbol style
ii  libreoffice-style-sifr                                      1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Sifr symbol style
ii  libreoffice-style-sukapura                                  1:7.0.4~rc2-1~bpo10+2                        all          office productivity suite -- Sukapura symbol style
ii  libreoffice-wiki-publisher                                  1.2.0+LibO6.1.5-3+deb10u6                    all          LibreOffice extension for working with MediaWiki articles
ii  libreoffice-writer                                          1:7.0.4~rc2-1~bpo10+2                        amd64        office productivity suite -- word processor
ii  libreoffice-writer2latex                                    1.4-8                                        all          Writer/Calc to LaTeX converter extension for LibreOffice
ii  libreoffice-writer2xhtml                                    1.4-8                                        all          Writer/Calc to XHTML converter extension for LibreOffice
ii  libridl-java                                                1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- Java Uno runtime and base types and types access library (compatibility library)
ii  libuno-cppu3                                                1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- CPPU public library
ii  libuno-cppuhelpergcc3-3                                     1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- CPPU helper library
ii  libuno-purpenvhelpergcc3-3                                  1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- "purpose environment" helper
ii  libuno-sal3                                                 1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- SAL public library
ii  libuno-salhelpergcc3-3                                      1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- SAL helpers for C++ library
ii  libunoil-java                                               1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- UNO interface library (compatibility library)
ii  libunoloader-java                                           1:7.0.4~rc2-1~bpo10+2                        all          LibreOffice UNO runtime environment -- (Java) UNO loader
ii  mythes-bg                                                   1:6.2.0-1                                    all          Bulgarian Thesaurus for LibreOffice
ii  mythes-de                                                   20160424-3                                   all          German Thesaurus for OpenOffice.org/LibreOffice
ii  mythes-en-us                                                1:6.2.0-1                                    all          English (USA) Thesaurus for LibreOffice
ii  mythes-fr                                                   1:6.2.0-1                                    all          French Thesaurus for LibreOffice
ii  mythes-ru                                                   1:6.2.0-1                                    all          Russian Thesaurus for LibreOffice
ii  python3-uno                                                 1:7.0.4~rc2-1~bpo10+2                        amd64        Python-UNO bridge
ii  uno-libs-private                                            1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment -- private libraries used by public ones
ii  unoconv                                                     0.7-1.1                                      all          converter between LibreOffice document formats
ii  ure                                                         1:7.0.4~rc2-1~bpo10+2                        amd64        LibreOffice UNO runtime environment


milko@host1 ~ $ dpkg -l | grep libreoffice
ii  libreoffice                                                 1:6.1.5-3+deb10u6                            amd64        office productivity suite (metapackage)
ii  libreoffice-avmedia-backend-gstreamer                       1:6.1.5-3+deb10u6                            amd64        GStreamer backend for LibreOffice
ii  libreoffice-base                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- database
ii  libreoffice-base-core                                       1:6.1.5-3+deb10u6                            amd64        office productivity suite -- shared library
ii  libreoffice-base-drivers                                    1:6.1.5-3+deb10u6                            amd64        Database connectivity drivers for LibreOffice
ii  libreoffice-calc                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- spreadsheet
ii  libreoffice-common                                          1:6.1.5-3+deb10u6                            all          office productivity suite -- arch-independent files
ii  libreoffice-core                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- arch-dependent files
ii  libreoffice-draw                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- drawing
ii  libreoffice-emailmerge                                      1:4.3.3-2+deb8u7                             all          transitional package for LibreOffices email mail merge
rc  libreoffice-filter-binfilter                                1:3.5.4+dfsg2-0+deb7u2                       amd64        office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii  libreoffice-gtk2                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- GTK+ 2 integration
ii  libreoffice-gtk3                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- GTK+ 3 integration
ii  libreoffice-impress                                         1:6.1.5-3+deb10u6                            amd64        office productivity suite -- presentation
ii  libreoffice-java-common                                     1:6.1.5-3+deb10u6                            all          office productivity suite -- arch-independent Java support files
ii  libreoffice-kde5                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- KDE 5 integration
ii  libreoffice-l10n-bg                                         1:6.1.5-3+deb10u6                            all          office productivity suite -- Bulgarian language package
ii  libreoffice-librelogo                                       1:6.1.5-3+deb10u6                            all          Logo-like progamming language for LibreOffice
ii  libreoffice-lightproof-en                                   0.4.3+1.5+git20140515-2                      all          Lightproof grammar checker for LibreOffice (English)
ii  libreoffice-math                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- equation editor
ii  libreoffice-nlpsolver                                       0.9+LibO6.1.5-3+deb10u6                      all          "Solver for Nonlinear Programming" extension for LibreOffice
ii  libreoffice-ogltrans                                        1:6.1.5-3+deb10u6                            all          transitional package for libreoffice-ogltrans
ii  libreoffice-pdfimport                                       1:6.1.5-3+deb10u6                            all          transitional package for PDF Import component for LibreOffice
ii  libreoffice-report-builder                                  1:6.1.5-3+deb10u6                            all          LibreOffice component for building database reports
ii  libreoffice-report-builder-bin                              1:6.1.5-3+deb10u6                            amd64        LibreOffice component for building database reports -- libraries
ii  libreoffice-script-provider-bsh                             1:6.1.5-3+deb10u6                            all          BeanShell script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-js                              1:6.1.5-3+deb10u6                            all          JavaScript script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-python                          1:6.1.5-3+deb10u6                            all          Python script support provider for LibreOffice scripting framework
ii  libreoffice-sdbc-firebird                                   1:6.1.5-3+deb10u6                            amd64        Firebird SDBC driver for LibreOffice
ii  libreoffice-sdbc-hsqldb                                     1:6.1.5-3+deb10u6                            amd64        HSQLDB SDBC driver for LibreOffice
ii  libreoffice-sdbc-postgresql                                 1:6.1.5-3+deb10u6                            amd64        PostgreSQL SDBC driver for LibreOffice
ii  libreoffice-style-breeze                                    1:6.1.5-3+deb10u6                            all          office productivity suite -- Breeze symbol style
ii  libreoffice-style-colibre                                   1:6.1.5-3+deb10u6                            all          office productivity suite -- colibre symbol style
ii  libreoffice-style-elementary                                1:6.1.5-3+deb10u6                            all          office productivity suite -- Elementary symbol style
ii  libreoffice-style-sifr                                      1:6.1.5-3+deb10u6                            all          office productivity suite -- Sifr symbol style
ii  libreoffice-style-tango                                     1:6.1.5-3+deb10u6                            all          office productivity suite -- Tango symbol style
ii  libreoffice-wiki-publisher                                  1.2.0+LibO6.1.5-3+deb10u6                    all          LibreOffice extension for working with MediaWiki articles
ii  libreoffice-writer                                          1:6.1.5-3+deb10u6                            amd64        office productivity suite -- word processor
milko@milko-desktop ~ $ dpkg -l | grep -i -e libreoffice -e 1:6.1.5-3+deb10u6
ii  libreoffice                                                 1:6.1.5-3+deb10u6                            amd64        office productivity suite (metapackage)
ii  libreoffice-avmedia-backend-gstreamer                       1:6.1.5-3+deb10u6                            amd64        GStreamer backend for LibreOffice
ii  libreoffice-base                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- database
ii  libreoffice-base-core                                       1:6.1.5-3+deb10u6                            amd64        office productivity suite -- shared library
ii  libreoffice-base-drivers                                    1:6.1.5-3+deb10u6                            amd64        Database connectivity drivers for LibreOffice
ii  libreoffice-calc                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- spreadsheet
ii  libreoffice-common                                          1:6.1.5-3+deb10u6                            all          office productivity suite -- arch-independent files
ii  libreoffice-core                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- arch-dependent files
ii  libreoffice-draw                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- drawing
ii  libreoffice-emailmerge                                      1:4.3.3-2+deb8u7                             all          transitional package for LibreOffices email mail merge
rc  libreoffice-filter-binfilter                                1:3.5.4+dfsg2-0+deb7u2                       amd64        office productivity suite -- legacy filters (e.g. StarOffice 5.2)
ii  libreoffice-gtk2                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- GTK+ 2 integration
ii  libreoffice-gtk3                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- GTK+ 3 integration
ii  libreoffice-impress                                         1:6.1.5-3+deb10u6                            amd64        office productivity suite -- presentation
ii  libreoffice-java-common                                     1:6.1.5-3+deb10u6                            all          office productivity suite -- arch-independent Java support files
ii  libreoffice-kde5                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- KDE 5 integration
ii  libreoffice-l10n-bg                                         1:6.1.5-3+deb10u6                            all          office productivity suite -- Bulgarian language package
ii  libreoffice-librelogo                                       1:6.1.5-3+deb10u6                            all          Logo-like progamming language for LibreOffice
ii  libreoffice-lightproof-en                                   0.4.3+1.5+git20140515-2                      all          Lightproof grammar checker for LibreOffice (English)
ii  libreoffice-math                                            1:6.1.5-3+deb10u6                            amd64        office productivity suite -- equation editor
ii  libreoffice-nlpsolver                                       0.9+LibO6.1.5-3+deb10u6                      all          "Solver for Nonlinear Programming" extension for LibreOffice
ii  libreoffice-ogltrans                                        1:6.1.5-3+deb10u6                            all          transitional package for libreoffice-ogltrans
ii  libreoffice-pdfimport                                       1:6.1.5-3+deb10u6                            all          transitional package for PDF Import component for LibreOffice
ii  libreoffice-report-builder                                  1:6.1.5-3+deb10u6                            all          LibreOffice component for building database reports
ii  libreoffice-report-builder-bin                              1:6.1.5-3+deb10u6                            amd64        LibreOffice component for building database reports -- libraries
ii  libreoffice-script-provider-bsh                             1:6.1.5-3+deb10u6                            all          BeanShell script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-js                              1:6.1.5-3+deb10u6                            all          JavaScript script support provider for LibreOffice scripting framework
ii  libreoffice-script-provider-python                          1:6.1.5-3+deb10u6                            all          Python script support provider for LibreOffice scripting framework
ii  libreoffice-sdbc-firebird                                   1:6.1.5-3+deb10u6                            amd64        Firebird SDBC driver for LibreOffice
ii  libreoffice-sdbc-hsqldb                                     1:6.1.5-3+deb10u6                            amd64        HSQLDB SDBC driver for LibreOffice
ii  libreoffice-sdbc-postgresql                                 1:6.1.5-3+deb10u6                            amd64        PostgreSQL SDBC driver for LibreOffice
ii  libreoffice-style-breeze                                    1:6.1.5-3+deb10u6                            all          office productivity suite -- Breeze symbol style
ii  libreoffice-style-colibre                                   1:6.1.5-3+deb10u6                            all          office productivity suite -- colibre symbol style
ii  libreoffice-style-elementary                                1:6.1.5-3+deb10u6                            all          office productivity suite -- Elementary symbol style
ii  libreoffice-style-sifr                                      1:6.1.5-3+deb10u6                            all          office productivity suite -- Sifr symbol style
ii  libreoffice-style-tango                                     1:6.1.5-3+deb10u6                            all          office productivity suite -- Tango symbol style
ii  libreoffice-wiki-publisher                                  1.2.0+LibO6.1.5-3+deb10u6                    all          LibreOffice extension for working with MediaWiki articles
ii  libreoffice-writer                                          1:6.1.5-3+deb10u6                            amd64        office productivity suite -- word processor
ii  mythes-de                                                   20160424-3                                   all          German Thesaurus for OpenOffice.org/LibreOffice
ii  mythes-en-us                                                1:6.2.0-1                                    all          English (USA) Thesaurus for LibreOffice
ii  mythes-fr                                                   1:6.2.0-1                                    all          French Thesaurus for LibreOffice
ii  mythes-ru                                                   1:6.2.0-1                                    all          Russian Thesaurus for LibreOffice
ii  python3-uno                                                 1:6.1.5-3+deb10u6                            amd64        Python-UNO bridge
ii  uno-libs3                                                   6.1.5-3+deb10u6                              amd64        LibreOffice UNO runtime environment -- public shared libraries
ii  ure                                                         6.1.5-3+deb10u6                              amd64        LibreOffice UNO runtime environment



-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-13-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8), LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-calc depends on:
ii  coinor-libcbc3                   2.9.9+repack1-1
ii  coinor-libcoinmp1v5              1.8.3-2+b11
ii  coinor-libcoinutils3v5           2.10.14+repack1-1
ii  libatlas3-base [liblapack.so.3]  3.10.3-8
ii  libblas3 [libblas.so.3]          3.8.0-2
ii  libboost-filesystem1.67.0        1.67.0-13+deb10u1
ii  libboost-iostreams1.67.0         1.67.0-13+deb10u1
ii  libbz2-1.0                       1.0.6-9.2~deb10u1
ii  libc6                            2.28-10
ii  libetonyek-0.1-1                 0.1.9-1
ii  libgcc1                          1:8.3.0-6
ii  libicu63                         63.1-6+deb10u1
ii  liblapack3 [liblapack.so.3]      3.8.0-2
ii  liblcms2-2                       2.9-3
ii  libmwaw-0.3-3                    0.3.14-1
ii  libodfgen-0.1-1                  0.1.7-1
ii  liborcus-0.14-0                  0.14.1-6
ii  libreoffice-base-core            1:6.1.5-3+deb10u6
ii  libreoffice-core                 1:6.1.5-3+deb10u6
ii  librevenge-0.0-0                 0.0.4-6
ii  libstaroffice-0.0-0              0.0.6-1
ii  libstdc++6                       8.3.0-6
ii  libwps-0.4-4                     0.4.10-1
ii  libxml2                          2.9.4+dfsg1-7+deb10u1
ii  lp-solve                         5.5.0.15-4+b1
ii  uno-libs3                        6.1.5-3+deb10u6
ii  ure                              6.1.5-3+deb10u6
ii  zlib1g                           1:1.2.11.dfsg-1

libreoffice-calc recommends no packages.

Versions of packages libreoffice-calc suggests:
ii  mesa-opencl-icd     18.3.6-2+deb10u1
ii  ocl-icd-libopencl1  2.2.12-2

Versions of packages libreoffice-core depends on:
ii  fontconfig                2.13.1-2
ii  fonts-opensymbol          2:102.10+LibO6.1.5-3+deb10u6
ii  libboost-date-time1.67.0  1.67.0-13+deb10u1
ii  libboost-locale1.67.0     1.67.0-13+deb10u1
ii  libc6                     2.28-10
ii  libcairo2                 1.16.0-4+deb10u1
ii  libclucene-contribs1v5    2.3.3.4+dfsg-1
ii  libclucene-core1v5        2.3.3.4+dfsg-1
ii  libcmis-0.5-5v5           0.5.2-1
ii  libcups2                  2.2.10-6+deb10u4
ii  libcurl3-gnutls           7.64.0-4+deb10u1
ii  libdbus-1-3               1.12.20-0+deb10u1
ii  libdbus-glib-1-2          0.110-4
ii  libdconf1                 0.30.1-2
ii  libeot0                   0.01-5
ii  libepoxy0                 1.5.3-0.1
ii  libexpat1                 2.2.6-2+deb10u1
ii  libexttextcat-2.0-0       3.4.5-1
ii  libfontconfig1            2.13.1-2
ii  libfreetype6              2.9.1-3+deb10u2
ii  libgcc1                   1:8.3.0-6
ii  libglib2.0-0              2.58.3-2+deb10u2
ii  libgpgmepp6               1.12.0-6
ii  libgraphite2-3            1.3.13-7
ii  libharfbuzz-icu0          2.3.1-1
ii  libharfbuzz0b             2.3.1-1
ii  libhunspell-1.7-0         1.7.0-2
ii  libhyphen0                2.8.8-7
ii  libice6                   2:1.0.9-2
ii  libicu63                  63.1-6+deb10u1
ii  libjpeg62-turbo           1:1.5.2-2+deb10u1
ii  liblcms2-2                2.9-3
ii  libldap-2.4-2             2.4.47+dfsg-3+deb10u6
ii  libmythes-1.2-0           2:1.2.4-3
ii  libneon27-gnutls          0.30.2-3
ii  libnspr4                  2:4.20-1
ii  libnss3                   2:3.42.1-1+deb10u3
ii  libnumbertext-1.0-0       1.0.5-1
ii  libodfgen-0.1-1           0.1.7-1
ii  liborcus-0.14-0           0.14.1-6
ii  libpng16-16               1.6.36-6
ii  libpoppler82              0.71.0-5
ii  librdf0                   1.0.17-1.1+b1
ii  libreoffice-common        1:6.1.5-3+deb10u6
ii  librevenge-0.0-0          0.0.4-6
ii  libsm6                    2:1.2.3-1
ii  libstdc++6                8.3.0-6
ii  libx11-6                  2:1.6.7-1+deb10u1
ii  libxext6                  2:1.3.3-1+b2
ii  libxinerama1              2:1.1.4-2
ii  libxml2                   2.9.4+dfsg1-7+deb10u1
ii  libxmlsec1                1.2.27-2
ii  libxmlsec1-nss            1.2.27-2
ii  libxrandr2                2:1.5.1-1
ii  libxrender1               1:0.9.10-1
ii  libxslt1.1                1.1.32-2.2~deb10u1
ii  uno-libs3                 6.1.5-3+deb10u6
ii  ure                       6.1.5-3+deb10u6
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages libreoffice-core recommends:
ii  libpaper-utils  1.1.28

-- no debconf information


On Sunday, 7 March 2021, 14:18:33 EET Salvatore Bonaccorso wrote:
> Hi Milko,
> 
> On Sat, Feb 27, 2021 at 08:36:31PM +0200, Milko Krachounov wrote:
> > Package: libreoffice-calc
> > Version: 1:6.1.5-3+deb10u6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Dear Maintainer,
> > 
> > When opening any CSV file with LibreOffice Calc, Calc opens and executes
> > encodings.py from the current working directory. That presumably happens
> > because
> > 
> > Some file managers, including Krusader and mc, would launch localc in the
> > current directory, as would running it from the command line (such as
> > `localc file.csv'), thereby running encodings.py from the directory
> > containing the file.
> > 
> > The issue is not present when LibreOffice is launched through the
> > application launcher, and the file is opened later through whatever
> > means (neither Open file, nor through a file manager or the command
> > line, since localc already operates in one's $HOME in that instance)
> > 
> > To reproduce the issue, one needs to:
> > 1. Close LibreOffice *completely*
> > 2. In an empty directory, create "encodings.py" which raises an exception
> > 3. In the same directory (for simplicity), create "file.csv" with some
> >    rows.
> > 4. Open "file.csv" with `localc ./file.csv' using the directory containing
> >    "encodings.py" (double clicking in krusader and mc leads to the same
> >    result)
> > 
> > The result is that LibreOffice crashes with the Python exception raised
> > by the rogue encodings.py, and then exits with an error that reads:
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > An offer is made to recover the unsaved file (but the list is empty),
> > relaunching LO sometimes leads to new crashes.
> > 
> > This is NOT the only way the issue happens, I was able to get the
> > same crash while clicking through the menus or editing an .ods
> > which initially didn't cause a crash, but those aren't deterministically
> > reproduced, whereas the .csv route seems to guarantee a crash for me
> > even when the .csv is ASCII.
> > 
> > The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
> > Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
> > by apt are present on either machine (on the one with 6.1.5 I never
> > installed any, and on the 7.0.4 I'm trusting what the LO extension
> > manager is telling me, since I cannot recall for sure)
> > 
> > Here's the console chatter:
> > 
> > # Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
> > milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
> > raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a bar")
> > milko@host2 ~/Временна/LOSecurity $ cat > test.csv
> > Column 1;Column 2;Column 3
> > текст;ຂໍ້ຄວາມ;text
> > milko@host2 ~/Временна/LOSecurity $ localc test.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> > 
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> > 
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
> > Column 1;Column 2;Column 3
> > text1;text2;text3
> > milko@host2 ~/Временна/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > Traceback (most recent call last):
> >   File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> > 
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Application Error
> > milko@host2 ~/Временна/LOSecurity $
> > 
> > 
> > # Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
> > # The encodings.py and test.csv were copied from host2
> > milko@host1 ~/Временни/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > Traceback (most recent call last):
> >   File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> > 
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host1 ~/Временни/LOSecurity $ lowriter
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> > 
> > Traceback (most recent call last):
> >   File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> > 
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > ^C
> > milko@host1 ~/Временни/LOSecurity $
> > 
> > 
> > LO packages installed on host1 and host2. I do apologize for the untidy
> > mess with transitional and unpurged packages and leftover from the dawn of
> > time (especially on host2) -- I didn't expect someone to be looking through
> > my messy house -- but I have to leave them here in case one of them comes
> > responsible.
> 
> [...]
> 
> Thanks for the report.
> 
> Can you please make this directly a public report in the Debian BTS?
> 
> Regards,
> Salvatore

Attachment: LOSecurity.tar.gz
Description: application/compressed-tar


--- End Message ---
--- Begin Message ---
Source: libreoffice
Source-Version: 1:6.1.5-3+deb10u7
Done: Rene Engelhard <rene@debian.org>

We believe that the bug you reported is fixed in the latest version of
libreoffice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libreoffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 08 Mar 2021 13:13:24 +0100
Source: libreoffice
Architecture: source
Version: 1:6.1.5-3+deb10u7
Distribution: buster
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Closes: 984703
Changes:
 libreoffice (1:6.1.5-3+deb10u7) buster; urgency=medium
 .
   * debian/patches/fix-PYTHONPATH.diff: backport upstream fix to
     not leave a bare trailing : in PYTHONPATH as it causes unconditional
     loading of encodings.py from . (closes: #984703)


--- End Message ---
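
The changelog entry above attributes the bug to a bare trailing `:` left in PYTHONPATH. As an added illustration (not the upstream patch or the contents of fix-PYTHONPATH.diff), this POSIX shell example shows how an unconditional join produces that empty entry, how to detect one, and how to join without it. The directory name and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample value; not LibreOffice's real module directory.
APP_PYDIR=/opt/example/python

# Return 0 if a colon-separated search path contains an empty entry
# (leading ':', trailing ':' or '::'). An empty entry stands for the
# current working directory.
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;   # empty or unset variable: no entries at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Pattern that leaves the bare trailing ':': the separator is written even
# when the inherited value ($2) is empty.
join_naive() { printf '%s' "$1:$2"; }

# Hardened join: split both values on ':' and keep only non-empty entries,
# so neither an empty inherited value nor a stray '::' survives.
# The body is a subshell, so the IFS and 'set -f' changes do not leak out.
join_safe() (
    out=
    IFS=:
    set -f
    for entry in $1 $2; do
        if [ -n "$entry" ]; then
            out="${out:+$out:}$entry"
        fi
    done
    printf '%s' "$out"
)

# Demo: compare both joins when the caller's PYTHONPATH is unset.
for candidate in "$(join_naive "$APP_PYDIR" "")" "$(join_safe "$APP_PYDIR" "")"; do
    if has_empty_entry "$candidate"; then
        verdict="empty entry: current directory is searched"
    else
        verdict="ok"
    fi
    printf '%-24s %s\n' "$candidate" "$verdict"
done
```

The same `has_empty_entry` check can be applied to the value a launcher script exports before it starts an embedded interpreter.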
