Fixed in Collabora Office 6.4-39
CVE-2021-25632 fileloc extension added to macOS executable denylist
Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system ‘open’ utility for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ‘open’ to avoid attempting to launch executables.
In the Collabora Office 6.4 series, in versions prior to 6.4-39, the denylist did not include the .fileloc extension, so a hyperlink to a .fileloc file could be used to launch an executable on the system.
In the fixed versions this extension is blocked. All macOS users are recommended to upgrade to Collabora Office >= 6.4-39.
Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem.
Fixed in Collabora Office 6.2-30 and 6.4-33
CVE-2021-25631 Denylist of executable filename extensions possible to bypass under Windows
Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ShellExecute to avoid attempting to launch executables.
In the Collabora Office 6.2 series in versions prior to 6.2-30, and in the 6.4 series in versions prior to 6.4-33, the denylist could be circumvented by manipulating the link so that it did not match the denylist as written, yet still caused ShellExecute to attempt to launch an executable type.
In the fixed versions this circumvention is blocked.
Thanks to Lukas Euler of Positive Security for discovering and reporting this issue.
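The two hyperlink advisories above describe two distinct ways an extension denylist fails: an entry is simply missing (.fileloc on macOS), or the check is made against the raw link text while the system opener decides on a canonicalised form of it. The following is an added example, not Collabora Office code: the extension list is an illustrative subset (an assumption, not the product's list), and the sample targets are constructed to show the general class of mismatch between a literal string check and the path the shell finally resolves. They are not a reproduction of the reported bypass.

```python
"""Executable-extension denylist for hyperlink targets: raw vs canonical check.

Added example, not Collabora Office code. The extension list is an
illustrative subset (assumption), and the sample targets used with it are
constructed to show the general class of mismatch between a literal string
check and what ShellExecute/'open' finally resolves.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Illustrative denylist (assumption): common Windows and macOS launchable types.
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".jse",
    ".wsf", ".wsh", ".msi", ".lnk", ".ps1",        # Windows (ShellExecute)
    ".app", ".command", ".fileloc", ".terminal",   # macOS ('open')
})


def naive_extension(target: str) -> str:
    """Weak check: take whatever follows the last '.' of the raw link text."""
    _, dot, ext = target.rpartition(".")
    return ("." + ext).lower() if dot and ext else ""


def canonical_extension(target: str) -> str:
    """Decide on what the shell will see: drop query/fragment of URLs,
    percent-decode, normalise separators, strip trailing dots and spaces
    (which Win32 path handling ignores), then take the suffix."""
    parts = urlsplit(target)
    # Only treat as a URL when it has a real scheme; 'C:\\x.exe' parses as scheme 'c'.
    is_url = len(parts.scheme) > 1
    path = unquote(parts.path) if is_url else target
    name = posixpath.basename(path.replace("\\", "/")).rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot and ext else ""


def is_blocked(target: str, strict: bool = True,
               denylist: frozenset = EXECUTABLE_EXTENSIONS) -> bool:
    """True when the link must not be handed to the system opener.
    strict=False uses the raw-text check to show where it diverges."""
    ext = canonical_extension(target) if strict else naive_extension(target)
    return ext in denylist


if __name__ == "__main__":
    # Constructed targets: each pair shows the raw check and the canonical check.
    for t in ("file:///C:/Users/Public/calc.exe",
              "file:///C:/Users/Public/calc%2Eexe",
              "file:///C:/Users/Public/calc.exe?x=1",
              "file:///C:/Users/Public/calc.exe.",
              "file:///Users/guest/Desktop/run.fileloc"):
        print(f"{t!r}: raw={is_blocked(t, strict=False)} canonical={is_blocked(t)}")
```

The design point is that the check runs after canonicalisation, on the same form the opener will use; a denylist applied to the raw string can only ever match the spellings its author anticipated. Passing a denylist without ".fileloc" to is_blocked reproduces the missing-entry case from CVE-2021-25632.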
Fixed in Collabora Office 6.0-37 and 6.2-13
CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save
If Collabora Office has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, Collabora Office offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and the file format of the recovered document is not Collabora Office's default ODF format, affected versions of Collabora Office default to saving the document without encryption on subsequent saves.
This may lead to a user accidentally saving a Microsoft Office file format document unencrypted while believing it to be encrypted.
Fixed in Collabora Office 5.3-67 and 6.0-35
CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check
CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution
Fixed in Collabora Office 5.3-66 and 6.0-34
CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution
Collabora Office is bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreLogo is not part of the default installation of Collabora Office (on Windows).
Collabora Office also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in Collabora Office allowed malicious documents to bypass that protection and again trigger calling LibreLogo from script event handlers.
In the fixed versions, script URLs are correctly decoded before validation.
CVE-2019-9851 LibreLogo global-event script execution
Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse-over. However, Collabora Office also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc., and that path was not covered by the same protection.
In the fixed versions, global script event handlers are validated equivalently to document script event handlers.
CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check
Collabora Office has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.
Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the Collabora Office install.
Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack.
In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing.
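The three advisories above (CVE-2019-9850, CVE-2019-9852 and the earlier CVE-2018-16858) share one underlying requirement: the document-supplied script reference must be decoded and canonicalised before the allowed-location check, and the check must be made on the resolved path rather than on the text. The following is an added example, not Collabora Office code; the script reference format (a location keyword plus a relative name) and the sample inputs are assumptions made for illustration. Windows 8.3 short-name equivalence (CVE-2019-9855) needs OS-level long-name expansion and is not attempted here.

```python
"""Containment check for document-requested script locations.

Added example, not Collabora Office code. Models the stated intent: only
scripts under share/Scripts/python and user/Scripts/python of the install
may run, and the document-supplied name is decoded and canonicalised before
that check is made. Reference format and inputs are assumptions.
"""
from pathlib import Path
from urllib.parse import unquote

ALLOWED_LOCATIONS = {
    "share": ("share", "Scripts", "python"),
    "user": ("user", "Scripts", "python"),
}


def _fully_decode(text: str, limit: int = 4):
    """Percent-decode until stable, so a nested encoding (%252E) cannot pass
    validation as literal text and be decoded later by another layer.
    Returns None if the nesting is absurdly deep."""
    for _ in range(limit):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    return None


def resolve_script(install_root, location: str, script_name: str):
    """Return the absolute path of the script if and only if it lies inside
    the permitted directory for `location` and exists; otherwise None."""
    if location not in ALLOWED_LOCATIONS:
        return None
    root = Path(install_root, *ALLOWED_LOCATIONS[location]).resolve()
    name = _fully_decode(script_name)
    if not name or "\x00" in name:
        return None
    # resolve() follows symlinks and collapses '..', so the containment test
    # is made on what the filesystem will actually open, not on the text.
    candidate = (root / name.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None          # escaped the permitted directory
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Build a throw-away install tree and exercise the check with
    constructed inputs. Returns {input: allowed?}."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        script_dir = Path(tmp, "share", "Scripts", "python")
        script_dir.mkdir(parents=True)
        (script_dir / "Good.py").write_text("print('ok')\n")
        Path(tmp, "secret.txt").write_text("not a script\n")   # outside root
        cases = [
            "Good.py",                                      # plain, allowed
            "Good%2Epy",                                    # encoded dot, allowed once decoded
            "../../../secret.txt",                          # traversal, denied
            "..%2F..%2F..%2Fsecret.txt",                    # encoded traversal, denied
            "%252E%252E/%252E%252E/%252E%252E/secret.txt",  # double-encoded, denied
            "Missing.py",                                   # inside root but absent, denied
        ]
        return {c: resolve_script(tmp, "share", c) is not None for c in cases}


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case!r}: {'allowed' if allowed else 'denied'}")
```

Decoding first and comparing resolved paths covers both reported directions at once: a reference that decodes into a traversal is rejected because the resolved path leaves the root, and one whose encoded form would have been passed along unchanged is normalised before anything downstream sees it.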
Fixed in Collabora Office 5.3-65 and 6.0-33
CVE-2019-9848: LibreLogo arbitrary script execution
Prior to 5.3-65 and 6.0-33 it is possible to construct malicious documents which can execute arbitrary python silently if the LibreLogo script is installed. LibreLogo is not installed by default in the binary builds of Collabora Office provided by Collabora Productivity Ltd.
CVE-2019-9849: remote bullet graphics retrieved in ‘stealth mode’
Collabora Office has a ‘stealth mode’ in which only documents from locations deemed ‘trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable Collabora Office’s ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 5.3-65 and 6.0-33. Users of this feature should upgrade to 5.3-65 or 6.0-33.
Fixed in Collabora Office 5.3-64 and 6.0-28
CVE-2019-9847: Executable hyperlink targets executed unconditionally on activation
Before 5.3-64 and 6.0-28, under Windows and macOS, when processing a hyperlink target explicitly activated by the user (that is, the user clicks a hyperlink in a Collabora Office application), no judgment was made on whether the target was an executable file, so such executable targets were launched unconditionally.
In the fixed versions, such executables are not launched on hyperlink activation.
Fixed in Collabora Office 5.3-58 and 6.0-13
CVE-2018-16858 Directory traversal flaw in script execution
Fixed in Collabora Office 5.3-49 and Collabora GovOffice 5.3-49
CVE-2018-10583 Information disclosure via SMB link embedded in ODF document
Fixed in Collabora Office 5.3-46 and Collabora GovOffice 5.3-45
CVE-2018-10119 Use After Free in Structured Storage parser
CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing
Fixed in Collabora Office 5.3-39 and Collabora GovOffice 5.3-39
CVE-2018-1055 Remote arbitrary file disclosure vulnerability via
Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8
CVE-2017-7870 Heap-buffer-overflow in WMF filter
CVE-2016-10327 Heap-buffer-overflow in EMF filter
CVE-2017-7856 Heap-buffer-overflow in SVM filter
CVE-2017-7882 Heap-buffer-overflow in HWP filter
CVE-2017-8358 Heap-buffer-overflow in JPG filter
CVE-2017-3157 Arbitrary file disclosure in Calc and Writer
CVE-2016-4324 Dereference of invalid STL iterator on processing RTF file
CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout processing
CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter
CVE-2017-12607 Out-of-Bounds Write in Impress’ PPT Filter
CVE-2017-12608 Out-of-Bounds Write in Writer’s ImportOldFormatStyles
CVE-2015-5214 DOC Bookmark Status Memory Corruption
CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
CVE-2015-5213 DOC piecetable Integer Overflow
CVE-2015-1774 Out of bounds write in HWP file filter
CVE-2014-3693 Use-After-Free in socket manager of Impress Remote
CVE-2014-3524 CSV Command Injection and DDE formulas
CVE-2014-3575 Arbitrary File Disclosure using crafted OLE objects
CVE-2014-0247 Microsoft Office VBA Macro Execution
CVE-2013-4156 Microsoft .docm Denial Of Service
CVE-2012-4233 Multiple file format denial of service vulnerabilities
CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code
CVE-2012-1149 Integer overflows in graphic object loading
CVE-2012-2334 Integer overflow flaw with malformed PPT files
CVE-2012-0037 XML Entity Expansion flaw by processing RDF file
CVE-2011-2713 Multiple vulnerabilities in the ‘Microsoft Word’ (doc) binary file format importer
CVE-2013-2189 Microsoft .doc Memory Corruption Vulnerability
CVE-2017-9806 Out-of-Bounds Write in Writer’s WW8Fonts Constructor
CVE-2011-2685 Multiple vulnerabilities in the ‘Lotus Word Pro’ (lwp) file format importer
Third Party Advisories
Fixed in Collabora Office and Collabora GovOffice 5.3-32
CVE-2017-14952 ICU: “redundant UVector entry clean up function call” issue
Fixed in Collabora Office and Collabora GovOffice 5.3-24
Fixed in Collabora Office and Collabora GovOffice 5.3-22
CVE-2017-11742: Expat 2.2.3
Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8
CVE-2014-0160 & more (a set of vulnerabilities) TLS heartbeat read overrun (4.1 line not affected)
CVE-2012-2149 libwpd: Memory overwrite flaw by processing certain WordPerfect (WPD). No version of Collabora Office is affected by this.