LibreOffice handlers defend suite's security after 'unfortunately partial' patch

The Document Foundation, custodian of LibreOffice, has defended the suite's security after attempts to patch a code execution flaw turned out to be "partial". "So far in the story of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesperson told The Reg. "For this last one we …

  1. CAPS LOCK

    Just an FYI for Linux Mint users...

    ... Standard Linux Mint distros don't bundle LibreLogo, so unless you've installed it you're ok.

    1. Neil Barnes Silver badge

      Re: Just an FYI for Linux Mint users...

      Thanks - saves me a job.

    2. Mage Silver badge

      Linux: Remove LibreLogo

      You do get it if you update to LibreOffice 6.2.x manually.

      On ANY Linux using apt / synaptic package manager:

      1) Launch synaptic package manager via Control panel. Password required.

      2) type librelogo into search

      3) Select "Remove Completely" on the checkbox if it's filled in.

      4) Click Apply.

      Nothing gets broken, because this is something No-one needs. No-one should be using it. It should never have been added. Scratch is brilliant for teaching kids to program.

      Any apt command line expert can probably remove LibreLogo via a console. I could only find Windows Removal instructions. Centos / Redhat / Fedora or other RPM Linux users will use their similar methods.

      Also I never enable Java in LibreOffice. Slows it down and adds nothing needed.

      LibreLogo isn't in older versions pre-installed with Mint. I can't understand why this was added.

      Why on earth do they want it as an extension?

      The only use case is to stroke someone's ego.

      1. GrumpenKraut

        Re: Linux: Remove LibreLogo

        apt remove libreoffice-librelogo

        Using Devuan testing, and it was installed.

        1. Mage Silver badge

          Re: Linux: Remove LibreLogo via console

          Windows refugees to Linux may not be aware of the simplicity of some console command lines.

          The advantage of the GUI method is that you don't need to know EXACTLY what the evil package is called :D

          Thank you

          1. GrumpenKraut

            Re: Linux: Remove LibreLogo via console

            You are welcome. For finding the package name, I used

            apt search logo | grep -i -C1 libre

            Anyway, pint o'clock. ------>
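The removal steps above (synaptic GUI, `apt remove`, `apt search`) all depend on knowing whether the package is present on a given box. The script below is an added example, not posted by anyone in this thread: it reports whether a LibreLogo package is installed, on dpkg-based or rpm-based systems, without removing anything. It matches on the substring "librelogo", so the exact package name (libreoffice-librelogo on Debian/Ubuntu as quoted above; the Fedora subpackage name is assumed to contain the same string) does not have to be known in advance.

```shell
#!/bin/sh
# Added example (not from the thread): audit a machine for a LibreLogo package.
# Pure helpers take package-manager output as text, so they can be checked offline.

# Input: text in the shape of `dpkg-query -W -f='${Package} ${Status}\n'`,
# i.e. "<package> <want> <error> <status>" per line.
# Prints installed package names containing "librelogo"; exit 0 if any, else 1.
librelogo_in_dpkg_list() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /librelogo/ && $NF == "installed" { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Input: text in the shape of `rpm -qa --qf '%{NAME}\n'`, one name per line.
# Prints matching names; exit 0 if any package name contains "librelogo", else 1.
librelogo_in_rpm_list() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /librelogo/ { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check: query whichever package manager this machine has.
# Exit 0 = LibreLogo installed, 1 = not installed, 2 = no known package manager.
check_librelogo() {
    if command -v dpkg-query >/dev/null 2>&1; then
        librelogo_in_dpkg_list "$(dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1; then
        librelogo_in_rpm_list "$(rpm -qa --qf '%{NAME}\n' 2>/dev/null)"
    else
        echo "neither dpkg-query nor rpm found" >&2
        return 2
    fi
}
```

Run `check_librelogo && echo "LibreLogo present"` on the host; a constructed dpkg-query line such as `libreoffice-librelogo deinstall ok config-files` (package removed, config files left) is correctly reported as not installed.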

        2. wayne 8

          Re: Linux: Remove LibreLogo

          Not present in a Xubuntu 16.04 install with LibreOffice 6.0.6.2.

          Present in a Debian 9.4.0 install with LibreOffice 5.2.7.2.

      2. find users who cut cat tail

        Re: Linux: Remove LibreLogo

        Normally, you should not need to remove LibreLogo from RedHat/Fedora/Centos. It's a separate subpackage, not installed by default with LO.

    3. Updraft102

      Re: Just an FYI for Linux Mint users...

      My ok too, even though it wasn't preinstalled for me.

      It's been a long time since I installed it, but I seem to remember that KDE Neon (based on Ubuntu 18.04) didn't come with Libreoffice installed, so I installed it myself out of the repo. It's older than any of the versions here, 6.0.7, but Librelogo is not installed, which was a wise choice by Canonical. It looks like it only got installed if you are using the version directly from LO, which is the default if you are one of those weirdos still using Windows I keep hearing about <g>.

  2. Hans 1

    We have a group of specialists that handle security, exactly as this is done for a company like Microsoft.

    If you look at a database of vulnerabilities you will see that the number which affect LibreOffice is rather limited.

    Only one of these statements can be true, which one is it, then?

    I just checked, the second statement is true.

    1. Cronus

      Just because you have a group that handles security doesn't mean you'll never have security issues in live code. Bugs happen, no matter how careful you are.

      Also I just checked and the first statement is also true -- https://blog.documentfoundation.org/blog/2018/07/25/how-libreoffices-quality-has-improved-thanks-to-automated-tools-and-the-volunteer-contribution-of-security-specialists/

      Relevant excerpt:

      “The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.

      1. Cronus

        It just occurred to me that the point you were making is that it can't be "exactly as this is done for a company like Microsoft", because then there'd be hundreds of vulns. In which case, you are indeed correct.

        1. JLV

          When LibreOffice is as juicy a target and has as many users as MS Office, then comparing vulnerability counts will be more relevant. Even the OS is to LO’s advantage as it’s not necessarily Windows.

          This NOT to defend MS in the least. It’s more my nature to crack jokes at their expense. And I’m a big fan of Open Source.

          But this was a major fail, and as El Reg points out, LO’s PR was mealy-mouthed whereas a straight “Sorry, we screwed up and will do better next time” would have been just as good.

          This whole comparison with MS’ certainly abysmal VBA practices and bug counts smells like whataboutism.

      2. Hans 1

        Exactly, have an upvote!

    2. hplasm

      O dear...

      "We have a group of specialists that handle security, exactly as this is done for a company like Microsoft."

      o dear, o dear...

  3. Anonymous Coward

    age of code

    "Unfortunately, the age of the code is no proof of its security."

    You, Sir, just won the Award for Understatement of the Year. OpenSSL anyone (former SSLay back in the 90s)?

    1. It's just me

      Re: age of code

      That's SSLeay, by Eric Andrew Young

  4. Anonymous Coward

    Not secure enough

    When it comes to macros it would be nice to be able to kill them completely - even the builtin ones - but that doesn't seem to be possible.

    1. ThatOne Silver badge

      Re: Not secure enough

      Definitely! I personally don't use macros, have no personal or business contacts who do either, so I'd like to disable any kind of macro entirely, totally, without exception. At the "uninstall macro handler" level.

      And when some bored developer decides to implement the low-level disk formatting or network scanning module any Office Suite needs, I'd like to be able to not install that in the first place.

      (BTW, LibreOffice user, OpenOffice before that)

    2. Robert Carnegie Silver badge

      Re: Not secure enough

      Macros are just programs, like the rest of the software. They're not intrinsically less safe unless it's possible to replace a safe macro with a malicious one. You may need digital file signatures to prevent that.

      I gather that this particular issue involves running arbitrary Python program code through LibreLogo by opening the document containing malicious code, which is regrettable.

      1. ThatOne Silver badge

        Re: Not secure enough

        > Macros are just programs, like the rest of the software.

        Sure, and there is nothing inherently bad about them, unless they are left free to run rampage in a program which actually isn't really about programming.

        If they had been an optional module, restricted to run only code the user has requested them to run (consciously, not accidentally), nobody would have found anything to complain about.

  5. Anonymous Coward

    Where does that hide in the Mac version?

    Not that we use LO often, we have it more as a backup in case something happens to NeoOffice, but it would still be good to find out.

    So far I can't find it, so I'm hoping it means it doesn't install on Macs in the first place.

  6. Henry Wertz 1 Gold badge

    logo?

    Logo? Why? Since TFA really doesn't make it clear, LibreLogo isn't some package for making logos, it is an implementation of the Logo programming language for libreoffice. The distinguishing feature of Logo is turtle graphics, a "turtle" can be fed rotation and movement commands and these are used for drawing lines onscreen. But as a full programming language, it's surprising it wasn't turned off by default if macros and VBA (Visual basic for applications) type scripting are.

    1. Mage Silver badge

      Re: logo?

      As it's a full ancient programming language for teaching kids (originated in 1967), why is it included at all and only since recently?

      It's of about zero value to automate anything in an office application.

      There are separate Logo programming implementations.

      There are also far better things for teaching kids, like Scratch.

      It's bonkers ever including it in an Office Package.

      1. Charles 9

        Re: logo?

        It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite doesn't do out of the box.

        This is a situation where you just can't win. Lock things down, and you get complaints of not being able to do things (often from over your head). Open things up and people drive lorries through it. Try to take a third option and you find the medium is UNhappy and you get complaints AND pwns.

        1. Michael Wojcik Silver badge

          Re: logo?

          "It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite doesn't do out of the box."

          I'm not sure what "things [that] need to get done" in an office suite are best done with a moderately-obscure[1] LISP variant with turtle graphics.

          VBA may be (is) abysmal, but Logo is really not a good choice as an alternative. I don't see any good justification for including the package in LO.

          [1] And, yes, I've used Logo. Had a copy of DR Logo for the IBM PC back in the day.

  7. YetAnotherJoeBlow

    I wish...

    When are we going to learn that a document or an image is not a code repository? That's why one never opens any Microsoft format and PDF docs unless it's sandboxed; even then it may still bite.

    1. Anonymous Coward

      Re: I wish...

      When are YOU going to learn that if everyone wants everything yesterday, you better deliver or not expect any business worth doing today?

    2. Anonymous Coward

      Re: I wish...

      "When are we going to learn that a document or an image is not a code repository? That's why one never opens any Microsoft format and PDF docs unless it's sandboxed; even then it may still bite."

      If you are really sandboxing every PDF or .doc file you open, you have my deepest respect.

  8. heyrick Silver badge

    Quit with the victim blaming

    "This is true, of course, but malicious emails can look convincing, and inevitably not all users will follow best practice."

    User tells macros not to run. Macro runs anyway because it's somehow "special". So what was this about best practice?

  9. This post has been deleted by its author

  10. Anonymous Coward

    What do you expect from...

    ... a bunch of amateurs and freeloaders?

    1. HmYiss

      Re: What do you expect from...

      Such deluded nonsense could only be spat out by a true sucker who has been paying overblown M$ license fees since Office '95.

      With no better security quality WHATSOEVER.

      Keep on sucking at that corporate teat.

      1. Adrian 4

        Re: What do you expect from...

        I don't think it's a teat he's sucking.

    2. Mage Silver badge

      Re: What do you expect from...

      Adobe Acrobat Vulns?

      ActiveX in IE

      OLE & DCOM

      Outlook defaults.

      Windows Explorer Defaults

      Autorun: CDs, Network shares, USB sticks. The original registry setting to disable CD autorun doesn't disable network & USB. Amiga autorun virus on floppies before Win95.

      No security on non-NT windows. Able to use Windows 3.x & 9.x apart from network shares just with a click.

      SW for NT (win2K, XP, Vista etc) written for win3.x / win9.x security model so it only ran for Admin accounts.

      Very many more DESIGN issues in MS Software, not fixed for years. Since the start of Word on Windows, the last line of a paragraph may fully justify instead of left. Current MS advice: "Add an extra return, then backspace to delete it". Almost g'teed on last paragraph before a page break. May not be visible till you do a PDF export.

      Some bugs and bad defaults in Explorer since Win95 are still there in Win10. Explorer has got worse with each version of windows since XP in usability.

      1. TonyJ

        Re: What do you expect from...

        So you are talking about decade+ old software in most cases.

        And autorun hasn't been enabled by default for many years.

        That whole "only runs for admin accounts" has always been bollocks used as an excuse by lazy admins and developers.

        Honestly, 5 minutes with Sysinternals' Regmon and Filemon (from way back in their earliest iterations) would show up where users hadn't the correct rights to run something, and it could be changed at a file/key level.

        But...it was always "just easier" to make a normal user a local or <shudder> domain admin.

        I lost count of how many times I saw that particular fudge - especially in Citrix / TS / RDS environments.

        Like, in this case, allowing macros to run whether or not a user took the active decision to disallow them is lazy and goes to show that not everything or everyone in open source, or closed source, can follow the concept of best practices.

        And many eyes checking the source, while a great concept, only works if the right eyes look at the right area (and that's not a slur against open source).

        "...Some bugs and bad defaults in Explorer since Win95 are still there in Win10...."

        Could you cite some of these, because a lot of your initial list looks mostly wrong.

  11. dajames

    Why does Libre Logo even exist?

    I can't imagine that many users of office suites find much use for a built-in logo interpreter.

    1. Jason Bloomberg Silver badge

      Re: Why does Libre Logo even exist?

      I would guess that at some time someone decided to knock up some teaching materials and thought it would be neat to be able to include actual working examples within the document the kids got given - "Click the button below and see how it moves the turtle ten steps to the right".

  12. Marco van de Voort

    Headline: windows never had security problems.

    Windows Scripting Host was a macro package delivered with the product.

  13. Czrly

    The promised patch is obviously...

    ... to put a bullet in LibreLogo, remove it from the product entirely and let those who actually care about it fork it to the bowels of some hell from which we never have to hear, ever again. It's the only way to be sure...

    Come to think of it, there's a whole tonne of stuff that could (and absolutely SHOULD) be gutted from LibreOffice. I guess a lot of it exists because of the OpenOffice (and StarOffice) legacy and a lot of that exists because some nutter thought feature-parity with Microsoft Office was somehow a good thing. The LibreOffice team (and management) really need to learn that the best way to lower your vulnerability surface area and your maintenance overhead is to cut the feature creep.

    Personally, I'd split the "suite" up, gut a tonne of the lesser-used and ill conceived stuff without remorse and make the default deployment contain ONLY a rich paginated-document editing program and a spreadsheet program. Neither would be plagued with "automation" features beyond provably safe cell formulae in the latter.

    Come on. Let's stop fooling ourselves into believing that anything other than Writer and Calc is even close to functional, anyway.

  14. MichaelEastman

    I find it interesting that the enterprise recommended version 6.1.6 is end of life: 29 May 2019.

    So the recommended Enterprise version does not get updates.

    Would it not be better that 6.2.x is the recommended Enterprise version after 29 May 2019?

    I dualboot on my computer (Ubuntu 1904 / Windows 10 1904).

    Librelogo was not listed in Ubuntu but it was in Windows. But LibreOffice told me that Java 64-bit was needed to run Macros (if I remember correctly).

    So if one does not have Java 64-bit, LibreLogo cannot be used?
