CVE-2018-10583 A LibreOffice document with a linked image, which is on a samba share, will cause LibreOffice to automatically initiate a samba connection to retrieve the image. This is by design. If end users or administrators wish to disable this functionality this can now be disabled via tools->options->security->options->block any links from documents not among the trusted locations.
How to install
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
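The auto-connect behaviour described in the update notes is triggered by a link inside the document package, so a defender can inventory documents for such links before they are opened (for example in a mail gateway or file-share triage job) rather than relying only on the new "block any links" option. The script below is an added example and is not part of the Bodhi update or of LibreOffice itself. It assumes the ODF package layout (a ZIP whose content.xml and styles.xml carry links as xlink:href attributes), uses a set of element names that this example treats as resolved on open rather than on click (an assumption of the example, not a statement from the page), and builds a constructed sample document in memory with the host example.invalid so that it runs offline.

```python
"""Inventory externally linked objects in an OpenDocument (ODF) package.

Added example, not code from the Bodhi update or the LibreOffice project.
Assumptions: ODF packages are ZIP files; links live in xlink:href attributes
of content.xml / styles.xml; the AUTO_LOAD_TAGS set below is this example's
own list of elements treated as loaded when the document is rendered.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Schemes whose resolution makes the application contact another host.
REMOTE_SCHEMES = {"smb", "http", "https", "ftp", "webdav", "webdavs"}

# Elements this example treats as resolved on open (assumption of the example);
# a text:a hyperlink is excluded because it is only followed on click.
AUTO_LOAD_TAGS = {"image", "object", "object-ole", "background-image", "plugin"}


def classify_href(href):
    """Classify one xlink:href as 'remote', 'local' or 'package'."""
    parsed = urlparse(href)
    scheme = parsed.scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme == "file":
        # file://host/share and file:////host/share both resolve to a network share
        if parsed.netloc or parsed.path.startswith("//"):
            return "remote"
        return "local"
    if len(scheme) == 1:            # Windows drive letter such as C:\...
        return "local"
    if href.startswith("\\\\") or href.startswith("//"):
        return "remote"             # bare UNC path
    return "package"                # Pictures/... inside the ZIP, or relative


def scan_odf(odf_bytes):
    """Return one dict per xlink:href found in content.xml and styles.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                href = elem.get(XLINK_HREF)
                if href is None:
                    continue
                local_tag = elem.tag.rsplit("}", 1)[-1]
                findings.append({
                    "part": part,
                    "element": local_tag,
                    "href": href,
                    "kind": classify_href(href),
                    "loads_on_open": local_tag in AUTO_LOAD_TAGS,
                })
    return findings


def remote_auto_loads(odf_bytes):
    """Links that are both remote and (per AUTO_LOAD_TAGS) fetched on open."""
    return [f for f in scan_odf(odf_bytes)
            if f["kind"] == "remote" and f["loads_on_open"]]


# Constructed sample: one image linked to an SMB share, one embedded image,
# one clickable hyperlink. Host example.invalid is a placeholder.
SAMPLE_CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:body><office:text>
    <text:p>Constructed sample document.</text:p>
    <draw:frame><draw:image xlink:href="smb://example.invalid/share/logo.png"/></draw:frame>
    <draw:frame><draw:image xlink:href="Pictures/embedded.png"/></draw:frame>
    <text:a xlink:href="https://example.invalid/page">hyperlink</text:a>
  </office:text></office:body>
</office:document-content>
"""


def build_sample_odt():
    """Assemble the constructed sample as an in-memory .odt package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", SAMPLE_CONTENT_XML)
        zf.writestr("Pictures/embedded.png", b"\x89PNG placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_odt()
    for hit in remote_auto_loads(data):
        print(f"{hit['part']}: <{hit['element']}> fetches {hit['href']} on open")
```

Run it with a path to an .odt/.ods/.odp file to list links that would be fetched on open; with no argument it scans the constructed sample. The classification deliberately treats file:// links with a host part and bare UNC paths the same as smb://, since both end up as SMB connections from a Windows or Samba-enabled client, which is the point made in the thread that the link target itself need not be malicious.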
Shouldn't it be opt-in by default? And maybe some notification with a question whether the user wants to allow LibreOffice to try to connect to the remote samba share?
It seems that this feature (document with attachment on remote share) will more likely be used by an attacker than users.
Wrt notification, right now there is no such notification UI so it's not practical to provide one in a timely manner, though some form of infobar notification would be a good idea. Wrt opt-in/opt-out, what we have available is an opt-in/opt-out for all links, smb, http, https etc. So opening any html with graphic links in them would auto-fail, which is a bit radical, especially in the absence of a UI to explain and rectify it.
Thanks for your answer. Infobar notification is what I've already seen in action and had in mind, just didn't know the official name. Would infobar notification only for SMB links saying 'An image from SMB share (smb://... or file://...) was blocked. If you're sure it's not a rogue SMB server, unlock it' be feasible?
Not right now. Eventually maybe. But wrt smb, there's nothing special about them vs say http/https from LibreOffice's perspective, so it's a general remote links issue rather than a specific smb links issue.
CVE-2018-10583 seems to be what makes smb links different from http, I think, because for smb the linked file doesn't need to be malicious for the attack to succeed - it just exploits default behaviour and is easy to prepare.
This update has been submitted for testing by caolanm.
works
This update has been pushed to testing.
No regressions here.
Works great! LGTM! =)
This update has been submitted for batched by bodhi.
This update has been submitted for stable by bodhi.
No regressions noted with this update.
This update has been pushed to stable.