Collabora Office Security Advisories


Fixed in Collabora Office 6.4-39

CVE-2021-25632 fileloc extension added to macOS executable denylist

Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system ‘open’ utility for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ‘open’ to avoid attempting to launch executables.

In the Collabora Office 6.4 series in versions prior to 6.4-39 the denylist didn’t include the .fileloc extension which could be used to launch an executable on the system.

In the fixed versions this extension has been blocked. All macOS users are recommended to upgrade to Collabora Office >= 6.4-39.

Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem.

Fixed in Collabora Office 6.2-30 and 6.4-33

CVE-2021-25631 Denylist of executable filename extensions possible to bypass under Windows

Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ShellExecute to avoid attempting to launch executables.

In the Collabora Office 6.2 series in versions prior to 6.2-30, and in the 6.4 series in versions prior to 6.4-33, the denylist can be circumvented by manipulating the link so it doesn’t match the denylist but results in ShellExecute attempting to launch an executable type.

In the fixed versions this circumvention has been blocked.

Thanks to Lukas Euler of Positive Security for discovering and reporting this issue.

Fixed in Collabora Office 6.0-37 and 6.2-13

CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not using encryption on next save

If Collabora Office has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, Collabora Office offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not Collabora Office’s default ODF file format, then affected versions of Collabora Office default to saving subsequent versions of the document unencrypted.

This may lead to a user accidentally saving a Microsoft Office file format document unencrypted while believing it to be encrypted.

Fixed in Collabora Office 5.3-67 and 6.0-35

CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution

Fixed in Collabora Office 5.3-66 and 6.0-34

CVE-2019-9850 Insufficient URL validation allowing LibreLogo script execution

Collabora Office is bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreLogo is not part of the default installation of Collabora Office (on Windows).

Collabora Office also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in Collabora Office allowed malicious documents to bypass that protection and again trigger calling LibreLogo from script event handlers.

In the fixed versions, script URLs are correctly decoded before validation.

CVE-2019-9851 LibreLogo global-event script execution

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse-over. However, Collabora Office also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc., and this path was not covered by that protection.

In the fixed versions, global script event handlers are validated equivalently to document script event handlers.

CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check

Collabora Office has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the Collabora Office install.

Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack.

In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing.
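The three LibreLogo advisories above (CVE-2018-16858, CVE-2019-9850 and CVE-2019-9852) share one lesson: an allowed-location check must run on the canonical form of the script path that the file system will actually see, not on the raw, still-encoded string. The following is an added illustration, not Collabora Office's own code or its actual fix; it assumes a hypothetical install root and a constructed script path, and shows a naive prefix check beside a check that decodes and canonicalises first.

```python
import os
from urllib.parse import unquote

# Sub-directories of the install that scripts may be loaded from (from the advisory text).
ALLOWED_SCRIPT_DIRS = ("share/Scripts/python", "user/Scripts/python")


def naive_is_allowed(script_path: str) -> bool:
    """Weak form: a plain string-prefix check on the raw, still percent-encoded path.

    An encoded '..' segment keeps the allowed prefix intact, so it passes."""
    return any(script_path.startswith(d + "/") for d in ALLOWED_SCRIPT_DIRS)


def is_allowed_script_location(script_path: str, install_root: str) -> bool:
    """Hardened form: decode, resolve against the install root, then require containment."""
    decoded = unquote(script_path)
    # Assumption of this example: one decoding round only. Anything that still carries a
    # percent sequence (double encoding) is rejected so the checked form and the form later
    # handed to the file system cannot disagree.
    if "%" in decoded:
        return False
    root = os.path.realpath(install_root)
    # os.path.join discards root when decoded is absolute, so absolute paths fall out here too.
    target = os.path.realpath(os.path.join(root, decoded))
    for d in ALLOWED_SCRIPT_DIRS:
        base = os.path.realpath(os.path.join(root, d))
        if target != base and os.path.commonpath([base, target]) == base:
            return True
    return False


# Constructed sample inputs; the install root is hypothetical and need not exist.
INSTALL_ROOT = "/opt/example-office"
GOOD = "share/Scripts/python/hello.py"
TRAVERSAL = "share/Scripts/python/%2e%2e/%2e%2e/%2e%2e/tmp/other.py"

if __name__ == "__main__":
    for p in (GOOD, TRAVERSAL):
        print(p, naive_is_allowed(p), is_allowed_script_location(p, INSTALL_ROOT))
```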

Fixed in Collabora Office 5.3-65 and 6.0-33

CVE-2019-9848: LibreLogo arbitrary script execution

Prior to 5.3-65 and 6.0-33 it is possible to construct malicious documents which can execute arbitrary Python silently if the LibreLogo script is installed. LibreLogo is not installed by default in the binary builds of Collabora Office provided by Collabora Productivity Ltd.

CVE-2019-9849: remote bullet graphics retrieved in ‘stealth mode’

Collabora Office has a ‘stealth mode’ in which only documents from locations deemed ‘trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable Collabora Office’s ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 5.3-65 and 6.0-33. Users of this feature should upgrade to 5.3-65 or 6.0-33.

Fixed in Collabora Office 5.3-64 and 6.0-28

CVE-2019-9847: Executable hyperlink targets executed unconditionally on activation

Before 5.3-64 and 6.0-28, under Windows and macOS, when processing a hyperlink target explicitly activated by the user (that is, when the user clicks a hyperlink in a Collabora Office application), no check was made on whether the target was an executable file, so such executable targets were launched unconditionally.

In the fixed versions, such executables are not executed on hyperlink activation.

Fixed in Collabora Office 5.3-58 and 6.0-13

CVE-2018-16858 Directory traversal flaw in script execution

Fixed in Collabora Office 5.3-49 and Collabora GovOffice 5.3-49

CVE-2018-10583 Information disclosure via SMB link embedded in ODF document

Fixed in Collabora Office 5.3-46 and Collabora GovOffice 5.3-45

CVE-2018-10119 Use After Free in Structured Storage parser

CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing

Fixed in Collabora Office 5.3-39 and Collabora GovOffice 5.3-39

CVE-2018-1055 Remote arbitrary file disclosure vulnerability via WEBSERVICE formula

Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8

CVE-2017-7870 Heap-buffer-overflow in WMF filter

CVE-2016-10327 Heap-buffer-overflow in EMF filter

CVE-2017-7856 Heap-buffer-overflow in SVM filter

CVE-2017-7882 Heap-buffer-overflow in HWP filter

CVE-2017-8358 Heap-buffer-overflow in JPG filter

CVE-2017-3157 Arbitrary file disclosure in Calc and Writer

CVE-2016-4324 Dereference of invalid STL iterator on processing RTF file

CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout processing

CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter

CVE-2017-12607 Out-of-Bounds Write in Impress’ PPT Filter

CVE-2017-12608 Out-of-Bounds Write in Writer’s ImportOldFormatStyles

CVE-2015-5214 DOC Bookmark Status Memory Corruption

CVE-2015-4551 Arbitrary file disclosure in Calc and Writer

CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)

CVE-2015-5213 DOC piecetable Integer Overflow

CVE-2015-1774 Out of bounds write in HWP file filter

CVE-2014-3693 Use-After-Free in socket manager of Impress Remote

CVE-2014-3524 CSV Command Injection and DDE formulas

CVE-2014-3575 Arbitrary File Disclosure using crafted OLE objects

CVE-2014-0247 Microsoft Office VBA Macro Execution

CVE-2013-4156 Microsoft .docm Denial Of Service

CVE-2012-4233 Multiple file format denial of service vulnerabilities

CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code

CVE-2012-1149 Integer overflows in graphic object loading

CVE-2012-2334 Integer overflow flaw with malformed PPT files

CVE-2012-0037 XML Entity Expansion flaw by processing RDF file

CVE-2011-2713 Multiple vulnerabilities in the ‘Microsoft Word’ (doc) binary file format importer

CVE-2013-2189 Microsoft .doc Memory Corruption Vulnerability

CVE-2017-9806 Out-of-Bounds Write in Writer’s WW8Fonts Constructor

CVE-2011-2685 Multiple vulnerabilities in the ‘Lotus Word Pro’ (lwp) file format importer

Third Party Advisories

Fixed in Collabora Office and Collabora GovOffice 5.3-32

CVE-2017-14952 ICU: “redundant UVector entry clean up function call” issue

Fixed in Collabora Office and Collabora GovOffice 5.3-24

CVE-2017-9047 & CVE-2017-9048 & CVE-2017-9049 & CVE-2017-9050 Libxml2 fixes

Fixed in Collabora Office and Collabora GovOffice 5.3-22

CVE-2017-11742: Expat 2.2.3

Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8

CVE-2014-0160 & more (a set of vulnerabilities) TLS heartbeat read overrun (4.1 line not affected)

CVE-2013-1752 & CVE-2013-4238 Python Multiple Vulnerabilities

CVE-2012-2149 libwpd: Memory overwrite flaw by processing certain WordPerfect (WPD). No version of Collabora Office is affected by this.