Opened 3 years ago
Closed 3 years ago
#63152 closed defect (wontfix)
libreoffice 7.1.4.2_0: Bitdefender reports exploit CVE-2020-9596.5
Reported by: | melbourneboy (Mark) | Owned by: | Tatsh (Andrew Udvare) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.7.1 |
Keywords: | | Cc: | chrstphrchvz (Christopher Chavez), cooljeanius (Eric Gallager) |
Port: | libreoffice | | |
Description
Yesterday I was working through a problem updating libreoffice. I had uninstalled all versions then installed again.
sudo port uninstall libreoffice
sudo port install libreoffice
I then left to do other things. My Antivirus reported a detection overnight. Antivirus report as follows:
An infected file attempted to run on your device.
Threat name: Exploit.CVE-2020-9596.5
Path: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/work/libreoffice-7.1.4.2/xmlsecurity/qa/unit/signing/data/hide-and-replace-shadow-file-signed-2.pdf
We deleted the file to prevent malicious commands from being executed on your device.
I then ran
sudo port uninstall libreoffice
sudo port clean --all libreoffice
Confirmed
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice
was gone.
I then ran
sudo port install libreoffice
Broken file and ports reported again, selected 'Y' to rebuild. Bitdefender reports virus detections while rebuild is progressing. Same detection message as above.
(base) mark@192-168-1-10 ~ % sudo port install libreoffice
---> Computing dependencies for libreoffice
---> Fetching archive for libreoffice
---> Attempting to fetch libreoffice-7.1.4.2_0.darwin_19.x86_64.tbz2 from https://packages.macports.org/libreoffice
---> Attempting to fetch libreoffice-7.1.4.2_0.darwin_19.x86_64.tbz2.rmd160 from https://packages.macports.org/libreoffice
---> Installing libreoffice @7.1.4.2_0
---> Activating libreoffice @7.1.4.2_0
---> Cleaning libreoffice
---> Updating database of binaries
---> Scanning binaries for linking errors
---> Found 5 broken files, matching files to ports
---> Found 1 broken port, determining rebuild order
You can always run 'port rev-upgrade' again to fix errors.
The following ports will be rebuilt: libreoffice @7.1.4.2
Continue? [Y/n]: Y
---> Computing dependencies for libreoffice
---> Cleaning libreoffice
---> Scanning binaries for linking errors
---> Found 5 broken files, matching files to ports
---> Found 1 broken port, determining rebuild order
---> Rebuilding in order libreoffice @7.1.4.2_0
---> Computing dependencies for libreoffice
---> Fetching distfiles for libreoffice
---> Attempting to fetch libreoffice-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
---> Attempting to fetch libreoffice-dictionaries-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
---> Attempting to fetch libreoffice-translations-7.1.4.2.tar.xz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
---> Attempting to fetch dtoa-20180411.tgz from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
---> Attempting to fetch f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf from http://aarnet.au.distfiles.macports.org/pub/macports/distfiles/libreoffice
---> Verifying checksums for libreoffice
---> Extracting libreoffice
---> Applying patches to libreoffice
---> Configuring libreoffice
Error: Failed to configure libreoffice: consult /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/work/libreoffice-7.1.4.2/config.log
Error: Failed to configure libreoffice: configure failure: command execution failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_office_libreoffice/libreoffice/main.log for details.
Error: rev-upgrade failed: Error rebuilding libreoffice
Error: Follow https://guide.macports.org/#project.tickets if you believe there is a bug.
(base) mark@192-168-1-10 ~ %
My system details are:
macOS Catalina 10.15.7
Xcode 12.5.1
Bitdefender Antivirus for Mac 8.3.2.4
Change History (8)
comment:1 Changed 3 years ago by Tatsh (Andrew Udvare)
comment:2 Changed 3 years ago by jmroot (Joshua Root)
Keywords: | catalina x86_64 removed |
---|---|
Owner: | changed from audvare@… to Tatsh |
Port: | libreoffice added; libreoffice@7.1.4.2_0 removed |
comment:3 Changed 3 years ago by chrstphrchvz (Christopher Chavez)
I don’t know whether that file actually constitutes a test case for the vulnerability or just a false positive, but several other antimalware products flag it as malicious: https://www.virustotal.com/gui/file/fdee4b5216a3ccb9e75adbb18fc2d34c6c613d3393f396927af0e89c1fb434de
comment:4 Changed 3 years ago by chrstphrchvz (Christopher Chavez)
Cc: | chrstphrchvz added |
---|
comment:5 Changed 3 years ago by Tatsh (Andrew Udvare)
That file is just there for testing to ensure the vulnerability doesn't occur in LibreOffice code. The PDF file cannot do anything malicious unless you use a vulnerable version of software to read it.
This is a common thing with source code distribution. There will be 'malicious' files in test cases.
comment:6 Changed 3 years ago by melbourneboy (Mark)
I'm glad to hear that it's not a genuine infection somewhere along the supply chain. But it still bothers me that I'm going to have to either ignore my anti-virus flagging an infection, or spend the time to confirm that the detection is benign every time an update comes through.
Anyway, looks like this might be done with. Do I need to do anything with regards to closing the ticket?
comment:7 Changed 3 years ago by cooljeanius (Eric Gallager)
Cc: | cooljeanius added |
---|
comment:8 Changed 3 years ago by jmroot (Joshua Root)
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Closing as per comment:5.
It is a false positive. CVE-2020-9596 has nothing to do with LibreOffice.
If you're going to be building because of the Boost update, it won't work anyway until this PR is merged.
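Added example, not part of the ticket and not MacPorts or LibreOffice code: one way to triage a detection like the one reported above is to map the flagged build path back to the checksum-verified distfile, confirm that upstream ships the file under a test-data directory, and compute its SHA-256 for lookup. The `/work/` extraction layout, the test-directory markers, the function names and the sample tarball are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile

# Assumed naming conventions for test fixtures inside a source tree.
TEST_DIR_MARKERS = ("/qa/", "/test/", "/tests/", "/testdata/")

def triage(flagged_path, tarball, work_marker="/work/"):
    """Map an AV-flagged build path back to the source tarball it came from.

    Returns a dict with the archive member name, whether upstream ships it,
    whether it sits in a test-data directory, and its SHA-256 (or None).
    """
    # Assumption: the tarball is extracted directly under .../work/, so the
    # text after the marker is the member name inside the archive.
    _, sep, member = flagged_path.partition(work_marker)
    result = {"member": member or None, "shipped_upstream": False,
              "in_test_data": False, "sha256": None}
    if not sep or not member:
        return result  # path is not inside a port work directory
    result["in_test_data"] = any(m in "/" + member for m in TEST_DIR_MARKERS)
    with tarfile.open(fileobj=tarball, mode="r:*") as tar:
        try:
            info = tar.getmember(member)
        except KeyError:
            return result  # not in the tarball: created during the build
        if not info.isfile():
            return result
        digest = hashlib.sha256()
        with tar.extractfile(info) as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    result["shipped_upstream"] = True
    result["sha256"] = digest.hexdigest()
    return result

def make_sample_tarball():
    """Constructed stand-in for the distfile: one placeholder fixture."""
    data = b"%PDF-1.4 constructed placeholder, not the real fixture\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("libreoffice-7.1.4.2/xmlsecurity/qa/unit/"
                               "signing/data/hide-and-replace-shadow-file-signed-2.pdf")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf, hashlib.sha256(data).hexdigest()
```

For a real distfile, pass `open(path, "rb")` as `tarball`. The result says where the flagged file came from, not whether its content is harmful, so the digest still needs to be compared against what the scanner reported.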