Opened 3 years ago

Closed 3 years ago

#63152 closed defect (wontfix)

libreoffice 7.1.4.2_0: Bitdefener reports exploit CVE-2020-9596.5

Reported by: melbourneboy (Mark) Owned by: Tatsh (Andrew Udvare)
Priority: Normal Milestone:
Component: ports Version: 2.7.1
Keywords: Cc: chrstphrchvz (Christopher Chavez), cooljeanius (Eric Gallager)
Port: libreoffice

Description

Yesterday I was working through a problem updating libreoffice. I had uninstalled all versions then installed again.

sudo port uninstall libreoffice
sudo port install libreoffice

I then left to do other things. My Antivirus reported a detection overnight. Antivirus report as follows:

An infected file attempted to run on your device.
Threat name: Exploit.CVE-2020-9596.5
Path: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/work/libreoffice-7.1.4.2/xmlsecurity/qa/unit/signing/data/hide-and-replace-shadow-file-signed-2.pdf
We deleted the file to prevent malicious commands from being executed on your device."

I then ran

sudo port uninstall libreoffice
sudo port clean --all libreoffice

Confirmed

/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice

was gone.

I then ran

sudo port install libreoffice

Broken file and ports reported again, selected 'Y' to rebuild. BitDefener reports virus detections while rebuild is progressing. Same detection message as above.

(base) mark@192-168-1-10 ~ % sudo port install libreoffice                                            
--->  Computing dependencies for libreoffice
--->  Fetching archive for libreoffice
--->  Attempting to fetch libreoffice-7.1.4.2_0.darwin_19.x86_64.tbz2 from https://packages.macports.org/libreoffice
--->  Attempting to fetch libreoffice-7.1.4.2_0.darwin_19.x86_64.tbz2.rmd160 from https://packages.macports.org/libreoffice
--->  Installing libreoffice @7.1.4.2_0
--->  Activating libreoffice @7.1.4.2_0
--->  Cleaning libreoffice
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  Found 5 broken files, matching files to ports      
--->  Found 1 broken port, determining rebuild order
You can always run 'port rev-upgrade' again to fix errors.
The following ports will be rebuilt: libreoffice @7.1.4.2
Continue? [Y/n]: Y
--->  Computing dependencies for libreoffice
--->  Cleaning libreoffice
--->  Scanning binaries for linking errors
--->  Found 5 broken files, matching files to ports      
--->  Found 1 broken port, determining rebuild order
--->  Rebuilding in order
     libreoffice @7.1.4.2_0
--->  Computing dependencies for libreoffice
--->  Fetching distfiles for libreoffice
--->  Attempting to fetch libreoffice-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
--->  Attempting to fetch libreoffice-dictionaries-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
--->  Attempting to fetch libreoffice-translations-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
--->  Attempting to fetch dtoa-20180411.tgz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
--->  Attempting to fetch f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
--->  Verifying checksums for libreoffice
--->  Extracting libreoffice
--->  Applying patches to libreoffice
--->  Configuring libreoffice
Error: Failed to configure libreoffice: consult /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/work/libreoffice-7.1.4.2/config.log
Error: Failed to configure libreoffice: configure failure: command execution failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/main.log for details.
Error: rev-upgrade failed: Error rebuilding libreoffice
Error: Follow https://guide.macports.org/#project.tickets if you believe there is a bug.
(base) mark@192-168-1-10 ~ % 

My system details are: macOS Catalina 10.15.7 Xcode 12.5.1 Bitdefener Anitvirus for Mac 8.3.2.4

Change History (8)

comment:1 Changed 3 years ago by Tatsh (Andrew Udvare)

It is a false positive. CVE-2020-9596 has nothing to do with LibreOffice.

If you're going to be building because of the Boost update, it won't work anyway until this PR is merged.

comment:2 Changed 3 years ago by jmroot (Joshua Root)

Keywords: catalina x86_64 removed
Owner: changed from audvare@… to Tatsh
Port: libreoffice added; libreoffice@7.1.4.2_0 removed

comment:3 Changed 3 years ago by chrstphrchvz (Christopher Chavez)

I don’t know whether that file actually constitutes a test case for the vulnerability or just a false positive, but several other antimalware products flag it as malicious: https://www.virustotal.com/gui/file/fdee4b5216a3ccb9e75adbb18fc2d34c6c613d3393f396927af0e89c1fb434de

comment:4 Changed 3 years ago by chrstphrchvz (Christopher Chavez)

Cc: chrstphrchvz added

comment:5 Changed 3 years ago by Tatsh (Andrew Udvare)

That file is just there for testing to ensure the vulnerability doesn't occur in LibreOffice code. The PDF file cannot do anything malicious unlesss you use a vulnerable version of software to read it.

This is a common thing with source code distribution. There will be 'malicious' files in test cases.

comment:6 Changed 3 years ago by melbourneboy (Mark)

I'm glad to hear that it's not a genuine infection somewhere along the supply chain. But it still bothers me that I'm going to have to either ignore my anti-virus flagging an infection, or spend the time to confirm that the detection is benign every time an update comes through.

Anyway, looks like this might be done with. Do I need to do anything with regards to closing the ticket?

comment:7 Changed 3 years ago by cooljeanius (Eric Gallager)

Cc: cooljeanius added

comment:8 Changed 3 years ago by jmroot (Joshua Root)

Resolution: wontfix
Status: assignedclosed

Closing as per comment:5.

Note: See TracTickets for help on using tickets.