Package: libreoffice-calc Version: 1:6.1.5-3+deb10u6 Severity: grave Tags: security Justification: user security hole
Dear Maintainer,
When opening any CSV file with LibreOffice Calc, Calc opens and executes
encodings.py from the current working directory. That presumably happens
because
Some file managers, including Krusader and mc, would launch localc in the
current directory, as would running it from the command line (such as
`localc file.csv'), thereby running encodings.py from the directory
containing the file.
The issue is not present when LibreOffice is launched through the
application launcher, and the file is opened later through whatever
means (neither Open file, nor through a file manager or the command
line, since localc already operates in one's $HOME in that instance)
To reproduce the issue, one needs to:
1. Close LibreOffice *completely*
2. In an empty directory, create "encodings.py" which raises an exception
3. In the same directory (for simplicity), create "file.csv" with some
rows.
4. Open "file.csv" with `localc ./file.csv' using the directory containing
"encodings.py" (double clicking in krusader and mc leads to the same
result)
The result is that LibreOffice crashes with the Python exception raised
by the rogue encodings.py, and then exits with an error that reads:
Fatal Python error: initfsencoding: Unable to get the locale encoding
An offer is made to recover the unsaved file (but the list is empty),
relaunching LO sometimes leads to new crashes.
This is NOT the only way the issue happens, I was able to get the
same crash while clicking through the menus or editing an .ods
which initially didn't cause a crash, but those aren't deterministically
reproduced, whereas the .csv route seems to guarantee a crash for me
even when the .csv is ASCII.
The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
by apt are present on either machine (on the one with 6.1.5 I never
installed any, and on the 7.0.4 I'm trusting what the LO extension
manager is telling me, since I cannot recall for sure)
Here's the console chatter:
# Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a bar")
milko@host2 ~/Временна/LOSecurity $ cat > test.csv
Column 1;Column 2;Column 3
текст;ຂໍ້ຄວາມ;text
milko@host2 ~/Временна/LOSecurity $ localc test.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
Column 1;Column 2;Column 3
text1;text2;text3
milko@host2 ~/Временна/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
Application Error
milko@host2 ~/Временна/LOSecurity $
# Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
# The encodings.py and test.csv were copied from host2
milko@host1 ~/Временни/LOSecurity $ localc test2.csv
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
milko@host1 ~/Временни/LOSecurity $ lowriter
Fatal Python error: initfsencoding: Unable to get the locale encoding
Traceback (most recent call last):
File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
^C
milko@host1 ~/Временни/LOSecurity $
LO packages installed on host1 and host2. I do apologize for the untidy
mess with transitional and unpurged packages and leftover from the dawn of
time (especially on host2) -- I didn't expect someone to be looking through
my messy house -- but I have to leave them here in case one of them comes
responsible.
milko@host2 ~ $ dpkg -l | grep -i -e libreoffice -e 1:7.0.4~rc2-1~bpo10+2
ii hyphen-ru 20030310-1
all Russian hyphenation patterns for
LibreOffice/OpenOffice.org
ii jabref-plugin-oo 2.10+ds-3
all LibreOffice plugin for JabRef
(transitional dummy package)
ii libjuh-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- Java Uno helper (compatibility library)
ii libjurt-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- Java Uno Runtime (compatibility library)
ii liblibreoffice-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- Java library
ii libreoffice
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer
1:7.0.4~rc2-1~bpo10+2 amd64 transitional package
for GStreamer backend for LibreOffice
ii libreoffice-base
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- database
ii libreoffice-base-core
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- shared library
ii libreoffice-base-drivers
1:7.0.4~rc2-1~bpo10+2 amd64 Database connectivity
drivers for LibreOffice
ii libreoffice-calc
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- spreadsheet
ii libreoffice-common
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- arch-independent files
ii libreoffice-core
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- arch-dependent files
ii libreoffice-draw
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- drawing
rc libreoffice-filter-binfilter
1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity
suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gnome
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- GNOME integration
rc libreoffice-gtk
1:5.2.7-1+deb9u10 all transitional package
to upgrade to libreoffice-gtk2/-systray
ii libreoffice-gtk3
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- GTK+ 3 integration
ii libreoffice-help-common
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- common files for LibreOffice help
ii libreoffice-help-en-us
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- English_american help
ii libreoffice-impress
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- presentation
ii libreoffice-java-common
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- arch-independent Java support files
ii libreoffice-kde5
1:7.0.4~rc2-1~bpo10+2 amd64 transitional package
for LibreOffice "KDE 5" integration
ii libreoffice-kf5
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- KDE Frameworks 5 integration
ii libreoffice-l10n-bg
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Bulgarian language package
ii libreoffice-librelogo
1:7.0.4~rc2-1~bpo10+2 all Logo-like programming
language for LibreOffice
ii libreoffice-lightproof-en
0.4.3+1.5+git20140515-2 all Lightproof grammar
checker for LibreOffice (English)
ii libreoffice-math
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- equation editor
ii libreoffice-mysql-connector
1:7.0.4~rc2-1~bpo10+2 amd64 transitional package
for MariaDB/MySQL Connector extension for LibreOffice
ii libreoffice-nlpsolver
0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear
Programming" extension for LibreOffice
ii libreoffice-plasma
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- some Plasma integration
ii libreoffice-presentation-minimizer
1:4.3.3-2+deb8u12 all transitional package
for the LibreOffice presentation minimizer
ii libreoffice-presenter-console
1:4.3.3-2+deb8u12 all transitional package
for the LibreOffice presenter console
ii libreoffice-qt5
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- Qt 5 integration
ii libreoffice-report-builder
1:7.0.4~rc2-1~bpo10+2 all LibreOffice component
for building database reports
ii libreoffice-report-builder-bin
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice component
for building database reports -- libraries
ii libreoffice-script-provider-bsh
1:7.0.4~rc2-1~bpo10+2 all BeanShell script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js
1:7.0.4~rc2-1~bpo10+2 all JavaScript script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python
1:7.0.4~rc2-1~bpo10+2 all Python script support
provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird
1:7.0.4~rc2-1~bpo10+2 amd64 Firebird SDBC driver
for LibreOffice
ii libreoffice-sdbc-hsqldb
1:7.0.4~rc2-1~bpo10+2 amd64 HSQLDB SDBC driver
for LibreOffice
ii libreoffice-sdbc-mysql
1:7.0.4~rc2-1~bpo10+2 amd64 MariaDB/MySQL SDBC
driver for LibreOffice
ii libreoffice-sdbc-postgresql
1:7.0.4~rc2-1~bpo10+2 amd64 PostgreSQL SDBC
driver for LibreOffice
ii libreoffice-style-breeze
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Breeze symbol style
ii libreoffice-style-colibre
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- colibre symbol style
ii libreoffice-style-elementary
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Elementary symbol style
rc libreoffice-style-galaxy
1:5.2.7-1+deb9u10 all office productivity
suite -- Galaxy (Default) symbol style
rc libreoffice-style-hicontrast
1:5.2.7-1+deb9u10 all office productivity
suite -- Hicontrast symbol style
ii libreoffice-style-karasa-jaga
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Karasa Jaga symbol style
rc libreoffice-style-oxygen
1:5.2.7-1+deb9u10 all office productivity
suite -- Oxygen symbol style
ii libreoffice-style-sifr
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Sifr symbol style
ii libreoffice-style-sukapura
1:7.0.4~rc2-1~bpo10+2 all office productivity
suite -- Sukapura symbol style
ii libreoffice-wiki-publisher
1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension
for working with MediaWiki articles
ii libreoffice-writer
1:7.0.4~rc2-1~bpo10+2 amd64 office productivity
suite -- word processor
ii libreoffice-writer2latex 1.4-8
all Writer/Calc to LaTeX converter
extension for LibreOffice
ii libreoffice-writer2xhtml 1.4-8
all Writer/Calc to XHTML converter
extension for LibreOffice
ii libridl-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- Java Uno runtime and base types and types access library
(compatibility library)
ii libuno-cppu3
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- CPPU public library
ii libuno-cppuhelpergcc3-3
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- CPPU helper library
ii libuno-purpenvhelpergcc3-3
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- "purpose environment" helper
ii libuno-sal3
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- SAL public library
ii libuno-salhelpergcc3-3
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- SAL helpers for C++ library
ii libunoil-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- UNO interface library (compatibility library)
ii libunoloader-java
1:7.0.4~rc2-1~bpo10+2 all LibreOffice UNO
runtime environment -- (Java) UNO loader
ii mythes-bg 1:6.2.0-1
all Bulgarian Thesaurus for LibreOffice
ii mythes-de 20160424-3
all German Thesaurus for
OpenOffice.org/LibreOffice
ii mythes-en-us 1:6.2.0-1
all English (USA) Thesaurus for
LibreOffice
ii mythes-fr 1:6.2.0-1
all French Thesaurus for LibreOffice
ii mythes-ru 1:6.2.0-1
all Russian Thesaurus for LibreOffice
ii python3-uno
1:7.0.4~rc2-1~bpo10+2 amd64 Python-UNO bridge
ii uno-libs-private
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment -- private libraries used by public ones
ii unoconv 0.7-1.1
all converter between LibreOffice
document formats
ii ure
1:7.0.4~rc2-1~bpo10+2 amd64 LibreOffice UNO
runtime environment
milko@host1 ~ $ dpkg -l | grep libreoffice
ii libreoffice
1:6.1.5-3+deb10u6 amd64 office productivity
suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer
1:6.1.5-3+deb10u6 amd64 GStreamer backend for
LibreOffice
ii libreoffice-base
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- database
ii libreoffice-base-core
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- shared library
ii libreoffice-base-drivers
1:6.1.5-3+deb10u6 amd64 Database connectivity
drivers for LibreOffice
ii libreoffice-calc
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- spreadsheet
ii libreoffice-common
1:6.1.5-3+deb10u6 all office productivity
suite -- arch-independent files
ii libreoffice-core
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- arch-dependent files
ii libreoffice-draw
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- drawing
ii libreoffice-emailmerge
1:4.3.3-2+deb8u7 all transitional package
for LibreOffices email mail merge
rc libreoffice-filter-binfilter
1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity
suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gtk2
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- GTK+ 2 integration
ii libreoffice-gtk3
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- GTK+ 3 integration
ii libreoffice-impress
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- presentation
ii libreoffice-java-common
1:6.1.5-3+deb10u6 all office productivity
suite -- arch-independent Java support files
ii libreoffice-kde5
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- KDE 5 integration
ii libreoffice-l10n-bg
1:6.1.5-3+deb10u6 all office productivity
suite -- Bulgarian language package
ii libreoffice-librelogo
1:6.1.5-3+deb10u6 all Logo-like progamming
language for LibreOffice
ii libreoffice-lightproof-en
0.4.3+1.5+git20140515-2 all Lightproof grammar
checker for LibreOffice (English)
ii libreoffice-math
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- equation editor
ii libreoffice-nlpsolver
0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear
Programming" extension for LibreOffice
ii libreoffice-ogltrans
1:6.1.5-3+deb10u6 all transitional package
for libreoffice-ogltrans
ii libreoffice-pdfimport
1:6.1.5-3+deb10u6 all transitional package
for PDF Import component for LibreOffice
ii libreoffice-report-builder
1:6.1.5-3+deb10u6 all LibreOffice component
for building database reports
ii libreoffice-report-builder-bin
1:6.1.5-3+deb10u6 amd64 LibreOffice component
for building database reports -- libraries
ii libreoffice-script-provider-bsh
1:6.1.5-3+deb10u6 all BeanShell script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js
1:6.1.5-3+deb10u6 all JavaScript script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python
1:6.1.5-3+deb10u6 all Python script support
provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird
1:6.1.5-3+deb10u6 amd64 Firebird SDBC driver
for LibreOffice
ii libreoffice-sdbc-hsqldb
1:6.1.5-3+deb10u6 amd64 HSQLDB SDBC driver
for LibreOffice
ii libreoffice-sdbc-postgresql
1:6.1.5-3+deb10u6 amd64 PostgreSQL SDBC
driver for LibreOffice
ii libreoffice-style-breeze
1:6.1.5-3+deb10u6 all office productivity
suite -- Breeze symbol style
ii libreoffice-style-colibre
1:6.1.5-3+deb10u6 all office productivity
suite -- colibre symbol style
ii libreoffice-style-elementary
1:6.1.5-3+deb10u6 all office productivity
suite -- Elementary symbol style
ii libreoffice-style-sifr
1:6.1.5-3+deb10u6 all office productivity
suite -- Sifr symbol style
ii libreoffice-style-tango
1:6.1.5-3+deb10u6 all office productivity
suite -- Tango symbol style
ii libreoffice-wiki-publisher
1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension
for working with MediaWiki articles
ii libreoffice-writer
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- word processor
milko@milko-desktop ~ $ dpkg -l | grep -i -e libreoffice -e 1:6.1.5-3+deb10u6
ii libreoffice
1:6.1.5-3+deb10u6 amd64 office productivity
suite (metapackage)
ii libreoffice-avmedia-backend-gstreamer
1:6.1.5-3+deb10u6 amd64 GStreamer backend for
LibreOffice
ii libreoffice-base
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- database
ii libreoffice-base-core
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- shared library
ii libreoffice-base-drivers
1:6.1.5-3+deb10u6 amd64 Database connectivity
drivers for LibreOffice
ii libreoffice-calc
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- spreadsheet
ii libreoffice-common
1:6.1.5-3+deb10u6 all office productivity
suite -- arch-independent files
ii libreoffice-core
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- arch-dependent files
ii libreoffice-draw
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- drawing
ii libreoffice-emailmerge
1:4.3.3-2+deb8u7 all transitional package
for LibreOffices email mail merge
rc libreoffice-filter-binfilter
1:3.5.4+dfsg2-0+deb7u2 amd64 office productivity
suite -- legacy filters (e.g. StarOffice 5.2)
ii libreoffice-gtk2
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- GTK+ 2 integration
ii libreoffice-gtk3
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- GTK+ 3 integration
ii libreoffice-impress
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- presentation
ii libreoffice-java-common
1:6.1.5-3+deb10u6 all office productivity
suite -- arch-independent Java support files
ii libreoffice-kde5
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- KDE 5 integration
ii libreoffice-l10n-bg
1:6.1.5-3+deb10u6 all office productivity
suite -- Bulgarian language package
ii libreoffice-librelogo
1:6.1.5-3+deb10u6 all Logo-like progamming
language for LibreOffice
ii libreoffice-lightproof-en
0.4.3+1.5+git20140515-2 all Lightproof grammar
checker for LibreOffice (English)
ii libreoffice-math
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- equation editor
ii libreoffice-nlpsolver
0.9+LibO6.1.5-3+deb10u6 all "Solver for Nonlinear
Programming" extension for LibreOffice
ii libreoffice-ogltrans
1:6.1.5-3+deb10u6 all transitional package
for libreoffice-ogltrans
ii libreoffice-pdfimport
1:6.1.5-3+deb10u6 all transitional package
for PDF Import component for LibreOffice
ii libreoffice-report-builder
1:6.1.5-3+deb10u6 all LibreOffice component
for building database reports
ii libreoffice-report-builder-bin
1:6.1.5-3+deb10u6 amd64 LibreOffice component
for building database reports -- libraries
ii libreoffice-script-provider-bsh
1:6.1.5-3+deb10u6 all BeanShell script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-js
1:6.1.5-3+deb10u6 all JavaScript script
support provider for LibreOffice scripting framework
ii libreoffice-script-provider-python
1:6.1.5-3+deb10u6 all Python script support
provider for LibreOffice scripting framework
ii libreoffice-sdbc-firebird
1:6.1.5-3+deb10u6 amd64 Firebird SDBC driver
for LibreOffice
ii libreoffice-sdbc-hsqldb
1:6.1.5-3+deb10u6 amd64 HSQLDB SDBC driver
for LibreOffice
ii libreoffice-sdbc-postgresql
1:6.1.5-3+deb10u6 amd64 PostgreSQL SDBC
driver for LibreOffice
ii libreoffice-style-breeze
1:6.1.5-3+deb10u6 all office productivity
suite -- Breeze symbol style
ii libreoffice-style-colibre
1:6.1.5-3+deb10u6 all office productivity
suite -- colibre symbol style
ii libreoffice-style-elementary
1:6.1.5-3+deb10u6 all office productivity
suite -- Elementary symbol style
ii libreoffice-style-sifr
1:6.1.5-3+deb10u6 all office productivity
suite -- Sifr symbol style
ii libreoffice-style-tango
1:6.1.5-3+deb10u6 all office productivity
suite -- Tango symbol style
ii libreoffice-wiki-publisher
1.2.0+LibO6.1.5-3+deb10u6 all LibreOffice extension
for working with MediaWiki articles
ii libreoffice-writer
1:6.1.5-3+deb10u6 amd64 office productivity
suite -- word processor
ii mythes-de 20160424-3
all German Thesaurus for
OpenOffice.org/LibreOffice
ii mythes-en-us 1:6.2.0-1
all English (USA) Thesaurus for
LibreOffice
ii mythes-fr 1:6.2.0-1
all French Thesaurus for LibreOffice
ii mythes-ru 1:6.2.0-1
all Russian Thesaurus for LibreOffice
ii python3-uno
1:6.1.5-3+deb10u6 amd64 Python-UNO bridge
ii uno-libs3 6.1.5-3+deb10u6
amd64 LibreOffice UNO runtime environment
-- public shared libraries
ii ure 6.1.5-3+deb10u6
amd64 LibreOffice UNO runtime environment
-- System Information:
Debian Release: 10.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-13-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8),
LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libreoffice-calc depends on:
ii coinor-libcbc3 2.9.9+repack1-1
ii coinor-libcoinmp1v5 1.8.3-2+b11
ii coinor-libcoinutils3v5 2.10.14+repack1-1
ii libatlas3-base [liblapack.so.3] 3.10.3-8
ii libblas3 [libblas.so.3] 3.8.0-2
ii libboost-filesystem1.67.0 1.67.0-13+deb10u1
ii libboost-iostreams1.67.0 1.67.0-13+deb10u1
ii libbz2-1.0 1.0.6-9.2~deb10u1
ii libc6 2.28-10
ii libetonyek-0.1-1 0.1.9-1
ii libgcc1 1:8.3.0-6
ii libicu63 63.1-6+deb10u1
ii liblapack3 [liblapack.so.3] 3.8.0-2
ii liblcms2-2 2.9-3
ii libmwaw-0.3-3 0.3.14-1
ii libodfgen-0.1-1 0.1.7-1
ii liborcus-0.14-0 0.14.1-6
ii libreoffice-base-core 1:6.1.5-3+deb10u6
ii libreoffice-core 1:6.1.5-3+deb10u6
ii librevenge-0.0-0 0.0.4-6
ii libstaroffice-0.0-0 0.0.6-1
ii libstdc++6 8.3.0-6
ii libwps-0.4-4 0.4.10-1
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii lp-solve 5.5.0.15-4+b1
ii uno-libs3 6.1.5-3+deb10u6
ii ure 6.1.5-3+deb10u6
ii zlib1g 1:1.2.11.dfsg-1
libreoffice-calc recommends no packages.
Versions of packages libreoffice-calc suggests:
ii mesa-opencl-icd 18.3.6-2+deb10u1
ii ocl-icd-libopencl1 2.2.12-2
Versions of packages libreoffice-core depends on:
ii fontconfig 2.13.1-2
ii fonts-opensymbol 2:102.10+LibO6.1.5-3+deb10u6
ii libboost-date-time1.67.0 1.67.0-13+deb10u1
ii libboost-locale1.67.0 1.67.0-13+deb10u1
ii libc6 2.28-10
ii libcairo2 1.16.0-4+deb10u1
ii libclucene-contribs1v5 2.3.3.4+dfsg-1
ii libclucene-core1v5 2.3.3.4+dfsg-1
ii libcmis-0.5-5v5 0.5.2-1
ii libcups2 2.2.10-6+deb10u4
ii libcurl3-gnutls 7.64.0-4+deb10u1
ii libdbus-1-3 1.12.20-0+deb10u1
ii libdbus-glib-1-2 0.110-4
ii libdconf1 0.30.1-2
ii libeot0 0.01-5
ii libepoxy0 1.5.3-0.1
ii libexpat1 2.2.6-2+deb10u1
ii libexttextcat-2.0-0 3.4.5-1
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3+deb10u2
ii libgcc1 1:8.3.0-6
ii libglib2.0-0 2.58.3-2+deb10u2
ii libgpgmepp6 1.12.0-6
ii libgraphite2-3 1.3.13-7
ii libharfbuzz-icu0 2.3.1-1
ii libharfbuzz0b 2.3.1-1
ii libhunspell-1.7-0 1.7.0-2
ii libhyphen0 2.8.8-7
ii libice6 2:1.0.9-2
ii libicu63 63.1-6+deb10u1
ii libjpeg62-turbo 1:1.5.2-2+deb10u1
ii liblcms2-2 2.9-3
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u6
ii libmythes-1.2-0 2:1.2.4-3
ii libneon27-gnutls 0.30.2-3
ii libnspr4 2:4.20-1
ii libnss3 2:3.42.1-1+deb10u3
ii libnumbertext-1.0-0 1.0.5-1
ii libodfgen-0.1-1 0.1.7-1
ii liborcus-0.14-0 0.14.1-6
ii libpng16-16 1.6.36-6
ii libpoppler82 0.71.0-5
ii librdf0 1.0.17-1.1+b1
ii libreoffice-common 1:6.1.5-3+deb10u6
ii librevenge-0.0-0 0.0.4-6
ii libsm6 2:1.2.3-1
ii libstdc++6 8.3.0-6
ii libx11-6 2:1.6.7-1+deb10u1
ii libxext6 2:1.3.3-1+b2
ii libxinerama1 2:1.1.4-2
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii libxmlsec1 1.2.27-2
ii libxmlsec1-nss 1.2.27-2
ii libxrandr2 2:1.5.1-1
ii libxrender1 1:0.9.10-1
ii libxslt1.1 1.1.32-2.2~deb10u1
ii uno-libs3 6.1.5-3+deb10u6
ii ure 6.1.5-3+deb10u6
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages libreoffice-core recommends:
ii libpaper-utils 1.1.28
-- no debconf information
On Sunday, 7 March 2021, 14:18:33 EET Salvatore Bonaccorso wrote:
> Hi Milko,
>
> On Sat, Feb 27, 2021 at 08:36:31PM +0200, Milko Krachounov wrote:
> > Package: libreoffice-calc
> > Version: 1:6.1.5-3+deb10u6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > When opening any CSV file with LibreOffice Calc, Calc opens and executes
> > encodings.py from the current working directory. That presumably happens
> > because
> >
> > Some file managers, including Krusader and mc, would launch localc in the
> > current directory, as would running it from the command line (such as
> > `localc file.csv'), thereby running encodings.py from the directory
> > containing the file.
> >
> > The issue is not present when LibreOffice is launched through the
> > application launcher, and the file is opened later through whatever
> > means (neither Open file, nor through a file manager or the command
> > line, since localc already operates in one's $HOME in that instance)
> >
> > To reproduce the issue, one needs to:
> > 1. Close LibreOffice *completely*
> > 2. In an empty directory, create "encodings.py" which raises an exception
> > 3. In the same directory (for simplicity), create "file.csv" with some
> >
> > rows.
> >
> > 4. Open "file.csv" with `localc ./file.csv' using the directory containing
> >
> > "encodings.py" (double clicking in krusader and mc leads to the same
> > result)
> >
> > The result is that LibreOffice crashes with the Python exception raised
> > by the rogue encodings.py, and then exits with an error that reads:
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > An offer is made to recover the unsaved file (but the list is empty),
> > relaunching LO sometimes leads to new crashes.
> >
> > This is NOT the only way the issue happens, I was able to get the
> > same crash while clicking through the menus or editing an .ods
> > which initially didn't cause a crash, but those aren't deterministically
> > reproduced, whereas the .csv route seems to guarantee a crash for me
> > even when the .csv is ASCII.
> >
> > The problem is present in both Debian Stable (1:6.1.5-3+deb10u6), and
> > Buster Backports (1:7.0.4~rc2-1~bpo10+2). No extensions not installed
> > by apt are present on either machine (on the one with 6.1.5 I never
> > installed any, and on the 7.0.4 I'm trusting what the LO extension
> > manager is telling me, since I cannot recall for sure)
> >
> > Here's the console chatter:
> >
> > # Test on the host with 1:7.0.4~rc2-1~bpo10+2 - hostname is censored
> > milko@host2 ~/Временна/LOSecurity $ cat > encodings.py
> > raise NotImplementedError("Darth Vader, Obi-Wan and Ahsoka walk into a
> > bar") milko@host2 ~/Временна/LOSecurity $ cat > test.csv
> > Column 1;Column 2;Column 3
> > текст;ຂໍ້ຄວາມ;text
> > milko@host2 ~/Временна/LOSecurity $ localc test.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host2 ~/Временна/LOSecurity $ cat > test2.csv
> > Column 1;Column 2;Column 3
> > text1;text2;text3
> > milko@host2 ~/Временна/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временна/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > Application Error
> > milko@host2 ~/Временна/LOSecurity $
> >
> >
> > # Test on the host with 1:6.1.5-3+deb10u6 - hostname is censored
> > # The encodings.py and test.csv were copied from host2
> > milko@host1 ~/Временни/LOSecurity $ localc test2.csv
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > milko@host1 ~/Временни/LOSecurity $ lowriter
> > Fatal Python error: initfsencoding: Unable to get the locale encoding
> >
> > Traceback (most recent call last):
> > File "/home/milko/Временни/LOSecurity/encodings.py", line 1, in <module>
> >
> > NotImplementedError: Darth Vader, Obi-Wan and Ahsoka walk into a bar
> > ^C
> > milko@host1 ~/Временни/LOSecurity $
> >
> >
> > LO packages installed on host1 and host2. I do apologize for the untidy
> > mess with transitional and unpurged packages and leftover from the dawn of
> > time (especially on host2) -- I didn't expect someone to be looking
> > through
> > my messy house -- but I have to leave them here in case one of them comes
> > responsible.
>
> [...]
>
> Thanks for the report.
>
> Can yu pleas make this directly a public report in the Debian BTS?
>
> Regards,
> Salvatore
LOSecurity.tar.gz
Description: application/compressed-tar
