CVE-2019-9847: user/libreoffice: hyperlink to executable unconditionally launched
| Bugzilla ID | 111 |
| Alias(es) | CVE-2019-9847 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-24 13:55:27 -0500 |
| Modified | 2019-07-24 13:56:01 -0500 |
| Status | RESOLVED NOTABUG |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-9847 |
Description
A vulnerability in LibreOffice hyperlink processing allows an attacker
to construct documents containing hyperlinks pointing to the location
of an executable on the target users file system. If the hyperlink is
activated by the victim the executable target is unconditionally
launched. Under Windows and macOS when processing a hyperlink target
explicitly activated by the user there was no judgment made on whether
the target was an executable file, so such executable targets were
launched unconditionally. This issue affects: All LibreOffice Windows
and macOS versions prior to 6.1.6; LibreOffice Windows and macOS
versions in the 6.2 series prior to 6.2.3.
Does not apply to Linux.