Vigil@nce - LibreOffice: information disclosure via object previews of linked objects
March 2017 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can make a user open a LibreOffice document including
links to external files, in order to get sensitive information.
Impacted products: Debian, LibreOffice, Ubuntu.
Severity: 1/4.
Creation date: 23/02/2017.
DESCRIPTION OF THE VULNERABILITY
The programs Writer and Calc from LibreOffice can include previews
of the linked or embedded objects.
A linked object may point to an external file which is not to be
included in the document. However, the preview creation process
will actually include a part of the linked file into the document.
An attacker can therefore make a user open a LibreOffice document
including links to external files, in order to get sensitive
information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN