LibreOffice releases updated versions to fix a security flaw

Earlier this month, The Document Foundation released LibreOffice 6.2.7 and 6.3.1, both maintenance releases that included some security fixes among their changes. It was not until late yesterday that Canonical updated the packages in its official repositories and, later, published the security notice USN-4138-1, which explained that a medium-urgency security flaw had been detected. As they always do, and which I think is best, the company run by Mark Shuttleworth reported the security flaw after they had corrected it.

The vulnerability covered in USN-4138-1 is CVE-2019-9854. It affects all supported Ubuntu versions and describes a flaw in how LibreOffice handled scripts embedded in documents: if we were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code.

LibreOffice 6.2.7 now available in the official Ubuntu repositories

A layer of security was added in earlier versions to fix the CVE-2019-9854 bug, but it was possible to get around it and still take advantage of the LibreOffice bug. This vulnerability affects Ubuntu 19.04, Ubuntu 18.04, Ubuntu 16.04 and even LibreOffice 6.3 in Ubuntu 19.10, but the versions now available in the official repositories already include the fix.

The specific versions that include the patch against CVE-2019-9854 are:

  • v6.2.7 for Ubuntu 19.04.
  • v6.0.7 for Ubuntu 18.04.
  • v5.1.6 for Ubuntu 16.04.
  • v6.3.1 for Ubuntu 19.10, which is still in development and will release its first beta tomorrow.

LibreOffice 6.2.7, v6.3.1 and the rest of the updated versions weren't the only packages Canonical updated yesterday for security reasons. Along with the office suite, the UK-based company took the opportunity to update the Firefox packages, adding Firefox 69.0.1, which also fixes a security flaw. After all packages have been installed, it is recommended that you restart your computer for the changes to take effect.
