CVE-2019-9855

Name	CVE-2019-9855
Description	LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libreoffice (PTS)	jessie, jessie (lts)	1:4.3.3-2+deb8u15	fixed
	stretch (security)	1:5.2.7-1+deb9u11	fixed
	stretch (lts), stretch	1:6.1.5-3~deb9u2	fixed
	buster	1:6.1.5-3+deb10u7	fixed
	buster (security)	1:6.1.5-3+deb10u11	fixed
	bullseye	1:7.0.4-4+deb11u8	fixed
	bullseye (security)	1:7.0.4-4+deb11u9	fixed
	bookworm	4:7.4.7-1+deb12u1	fixed
	bookworm (security)	4:7.4.7-1+deb12u2	fixed
	sid, trixie	4:24.2.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libreoffice	source	(unstable)	(not affected)

- libreoffice <not-affected> (Windows-specific)
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9855/