LibreOffice, a popular open-source office suite, contains a major code execution flaw. The flaw could allow anyone to execute arbitrary Python commands through the application. It could be exploited when a malicious document containing a macro is opened with LibreOffice. The flaw was discovered by security researcher Nils Emmerich of ERNW.
Emmerich explains that the flaw results from faulty code in LibreLogo.
“To move the turtle, LibreLogo executes custom script code that is internally translated to Python code and executed. The big problem here is that the code is not translated well and just supplying Python code as the script code often results in the same code after translation,” said Emmerich.
Since the flaw is unpatched, users are advised to install LibreOffice without macros or to exclude LibreLogo from the installation.
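The translation weakness Emmerich describes can be seen in miniature in the following added example, which is not LibreLogo's code: a toy turtle dialect is translated once by passing unrecognised lines through to `exec`, and once by a strict parser that rejects anything outside the grammar. The dialect, the `Turtle` class and all function names are hypothetical, and the sample script is constructed.

```python
import re

# Toy Logo-like dialect, constructed for this example (not LibreLogo's grammar).
COMMANDS = {"FORWARD": "forward", "BACK": "back", "LEFT": "left", "RIGHT": "right"}
NUMBER = re.compile(r"-?\d+(\.\d+)?")

class Turtle:
    """Stand-in drawing object that records the moves it is asked to make."""
    def __init__(self):
        self.moves = []
    def __getattr__(self, name):
        if name not in COMMANDS.values():
            raise AttributeError(name)
        return lambda value: self.moves.append((name, value))

def translate_naive(script):
    """Flawed pattern: rewrite known commands, pass every other line through."""
    out = []
    for line in script.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in COMMANDS:
            out.append(f"turtle.{COMMANDS[parts[0]]}({parts[1]})")
        else:
            out.append(line)  # unrecognised text survives translation as Python
    return "\n".join(out)

def parse_strict(script):
    """Hardened pattern: build (method, number) pairs; reject anything else."""
    program = []
    for lineno, line in enumerate(script.splitlines(), 1):
        parts = line.split()
        if len(parts) != 2 or parts[0] not in COMMANDS or not NUMBER.fullmatch(parts[1]):
            raise ValueError(f"line {lineno}: not a turtle command: {line!r}")
        program.append((COMMANDS[parts[0]], float(parts[1])))
    return program

SAMPLE = 'FORWARD 10\nmarker.append("python ran")\nLEFT 90'  # constructed input

def demo():
    marker, naive, strict = [], Turtle(), Turtle()
    exec(translate_naive(SAMPLE), {"turtle": naive, "marker": marker})
    try:
        for method, value in parse_strict(SAMPLE):  # whole script validated first
            getattr(strict, method)(value)
        rejected = False
    except ValueError:
        rejected = True
    return marker, naive.moves, strict.moves, rejected

if __name__ == "__main__":
    print(demo())
```

The strict version never generates or executes Python source, so script text cannot reach the interpreter; it only selects from a fixed set of methods with numeric arguments.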