back to article LibreOffice handlers defend suite's security after 'unfortunately partial' patch

The Document Foundation, custodian of LibreOffice, has defended the suite's security after attempts to patch a code execution flaw turned out to be "partial". "So far in the story of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesperson told The Reg. "For this last one we …

  1. CAPS LOCK Silver badge

    Just an FYI for Linux Mint users...

    ... Standard Linux Mint distros don't bundle LibreLogo, so unless you've installed it your ok.

    1. Neil Barnes Silver badge
      Thumb Up

      Re: Just an FYI for Linux Mint users...

      Thanks - saves me a job.

    2. Mage Silver badge
      Linux

      Linux: Remove LibreLogo

      You do get it if you update to LibreOffice 6.2.x manually.

      On ANY Linux using apt / synaptic package manager:

      1) Launch synaptic package manager via Control panel. Password required.

      2) type librelogo into search

      3) Select "Remove Completely" on the checkbox if it's filled in.

      4) Click Apply.

      Nothing gets broken, because this is something No-one needs. No-one should be using it. It should never have been added. Scratch is brilliant for teaching kids to program.

      Any apt command line expert can probably remove LibreLogo via a console. I could only find Windows Removal instructions. Centos / Redhat / Fedora or other RPM Linux users will use their similar methods.

      Also I never enable Java in LibreOffice. Slows it down and adds nothing needed.

      LibreLogo isn't in older versions pre-installed with Mint. I can't understand why this was added.

      Why on earth do they want it as an extension?

      The only use case is to stroke someone's ego.

      1. GrumpenKraut Silver badge

        Re: Linux: Remove LibreLogo

        apt remove libreoffice-librelogo

        Using Devuan testing, and it was installed.

        1. Mage Silver badge

          Re: Linux: Remove LibreLogo via console

          Windows refugees to Linux may not be aware of the simplicity of some console command lines.

          The advantage of the GUI method is that you don't need to know EXACTLY what the evil package is called :D

          Thank you

          1. GrumpenKraut Silver badge
            Pint

            Re: Linux: Remove LibreLogo via console

            You are welcome. For finding the package name, I used

            apt search logo | grep -i -C1 libre

            Anyway, pint o'clock. ------>

        2. wayne 8

          Re: Linux: Remove LibreLogo

          Not present in a Xubuntu 16.04 install with LibreOffice 6.0.6.2.

          Present in a Debian 9.4.0 install with LibreOffice 5.2.7.2.

      2. find users who cut cat tail

        Re: Linux: Remove LibreLogo

        Normally, you should not need to remove LibreLogo from RedHat/Fedora/Centos. It's a separate subpackage, not installed by default with LO.

    3. Updraft102 Silver badge

      Re: Just an FYI for Linux Mint users...

      My ok too, even though it wasn't preinstalled for me.

      It's been a long time since I installed it, but I seem to remember that KDE Neon (based on Ubuntu 18.04) didn't come with Libreoffice installed, so I installed it myself out of the repo. It's older than any of the versions here, 6.0.7, but Librelogo is not installed, which was a wise choice by Canonical. It looks like it only got installed if you are using the version directly from LO, which is the default if you are one of those weirdos still using Windows I keep hearing about <g>.

  2. Hans 1 Silver badge
    WTF?

    We have a group of specialists that handle security, exactly as this is done for a company like Microsoft.

    If you look at a database of vulnerabilities you will see that the number which affect LibreOffice is rather limited.

    Only one of these statements can be true, which one is it, then ?

    I just checked, the second statement is true.

    1. Cronus

      Just because you have a group that handles security doesn't mean you'll never have security issues in live code. Bugs happen, no matter how careful you are.

      Also I just checked and first statement is also true -- https://blog.documentfoundation.org/blog/2018/07/25/how-libreoffices-quality-has-improved-thanks-to-automated-tools-and-the-volunteer-contribution-of-security-specialists/

      Relevant excerpt:

      “The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.

      1. Cronus

        It just occurred to me that the point you were making is that it can't be "exactly as this is done for a company like Microsoft." because then there'd be hundreds of vulns. In which case, you are indeed correct.

        1. JLV Silver badge
          Flame

          When LibreOffice is as juicy a target and has as many users as MS Office, then comparing vulnerability counts will be more relevant. Even the OS is to LO’s advantage as it’s not necessarily Windows.

          This NOT to defend MS in the least. It’s more my nature to crack jokes at their expense. And I’m a big fan of Open Source.

          But this was a major fail, and as El Reg points out, LO’s PR was mealy-mouthed whereas a straight “Sorry, we screwed up and will do better next” would been just as good.

          This whole comparison with MS’ certainly abysmal VBA practices and bug counts smells like whataboutism.

      2. Hans 1 Silver badge
        Windows

        Exactly, have an upvote!

    2. hplasm Silver badge
      Alert

      O dear...

      "We have a group of specialists that handle security, exactly as this is done for a company like Microsoft."

      o dear, o dear...

  3. Anonymous Coward
    Anonymous Coward

    age of code

    "Unfortunately, the age of the code is no proof of its security."

    You, Sir, just won the Award for Understatement of the Year. OpenSSL anyone (former SSLay back in the 90s) ?

    1. It's just me
      Headmaster

      Re: age of code

      That's SSLeay, by Eric Andrew Young

  4. revenant Silver badge
    Unhappy

    Not secure enough

    When it comes to macros it would be nice to be able to kill them completely - even the builtin ones - but that doesn't seem to be possible.

    1. ThatOne Silver badge

      Re: Not secure enough

      Definitely! I personally don't use macros, have no personal or business contacts who do either, so I'd like to disable any kind of macro entirely, totally, without exception. At the "uninstall macro handler" level.

      And when some bored developer decides to implement the low-level disk formatting or network scanning module any Office Suite needs, I'd like to be able to not install that in the first place.

      (BTW, LibreOffice user, OpenOffice before that)

    2. Robert Carnegie Silver badge

      Re: Not secure enough

      Macros are just programs, like the rest of the software. They're not intrinsically less safe unless it's possible to replace a safe macro with a malicious one. You may need digital file signatures to prevent that.

      I gather that this particular issue involves running arbitrary Python program code through LibreLogo by opening the document containing malicious code, which is regrettable.

      1. ThatOne Silver badge

        Re: Not secure enough

        > Macros are just programs, like the rest of the software.

        Sure, and there is nothing inherently bad about them, unless they are left free to run rampage in a program which actually isn't really about programming.

        If they had been an optional module, restricted to run only code the user has requested them to run (consciously, not accidentally), nobody would had found anything to complain about.

  5. Anonymous Coward
    Anonymous Coward

    Where does that hide in the Mac version?

    Not that we use LO often, we have it more as a backup in case something happens to NeoOffice, but it would still be good to find out.

    So far I can't find it, so I'm hoping it means it doesn't install on Macs in the first place.

  6. Henry Wertz 1 Gold badge

    logo?

    Logo? Why? Since TFA really doesn't make it clear, LibreLogo isn't some package for making logos, it is an implementation of the Logo programming language for libreoffice. The distinguishing feature of Logo is turtle graphics, a "turtle" can be fed rotation and movement commands and these are used for drawing lines onscreen. But as a full programming language, it's surprising it wasn't turned off by default if macros and VBA (Visual basic for applications) type scripting are.

    1. Mage Silver badge

      Re: logo?

      As it's a full ancient programming language for teaching kids (originated in 1967), why is it included at all and only since recently?

      It's of about zero value to automate anything in an office application.,

      There are separate Logo programming implementations.

      There are also far better things for teaching kids, like Scratch.

      It's bonkers ever including it in an Office Package.

      1. Charles 9 Silver badge

        Re: logo?

        It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite foesn't do out of the box.

        This is a situation where you just can't win. Lock things down, and you complaints of not being able to do things (often from over your head). Open things up and people drive lorries through it. Try to take a third option and you find the medium is UNhappy and you complaints AND pwns.

        1. Michael Wojcik Silver badge

          Re: logo?

          It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite foesn't do out of the box.

          I'm not sure what "things [that] need to get done" in an office suite are best done with a moderately-obscure1 LISP variant with turtle graphics.

          VBA may be (is) absymal, but Logo is really not a good choice as an alternative. I don't see any good justification for including the package in LO.

          1And, yes, I've used Logo. Had a copy of DR Logo for the IBM PC back in the day.

  7. YetAnotherJoeBlow

    I wish...

    When are we going to learn that a document or a image is not a code repository? That's why one never opens any Microsoft format and PDF docs unless it's sand boxed; even then it may still bite.

    1. Anonymous Coward
      Anonymous Coward

      Re: I wish...

      When are YOU going to learn that if everyone wants everything yesterday, you better deliver or not expect any business worth doing today?

    2. Anonymous Coward
      Anonymous Coward

      Re: I wish...

      "When are we going to learn that a document or a image is not a code repository? That's why one never opens any Microsoft format and PDF docs unless it's sand boxed; even then it may still bite."

      If you are really sandboxing every PDF or .doc file you open, you have my deepest respect.

  8. heyrick Silver badge

    Quit with the victim blaming

    "This is true, of course, but malicious emails can look convincing, and inevitably not all users will follow best practice."

    User tells macros not to run. Macro runs anyway because it's somehow "special". So what was this about best practice?

  9. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

    What do you expect from...

    ... a bunch of amateurs and freeloaders?

    1. HmYiss

      Re: What do you expect from...

      Such deluded nonsense could only be spat out by a true sucker who has been paying overblown M$ license fees since Office '95.

      With no better security quality WHATSOEVER.

      Keep on sucking at that corporate teet.

      1. Adrian 4 Silver badge

        Re: What do you expect from...

        I don't think it's a teet he's sucking.

    2. Mage Silver badge

      Re: What do you expect from...

      Adobe Acrobat Vulns?

      ActiveX in IE

      OLE & DCOM

      Outlook defaults.

      Windows Explorer Defaults

      Autorun: CDs, Network shares, USB sticks. The original registry setting to disable CD autorun doesn't disable network & USB. Amiga autorun virus on floppies before Win95.

      No security on non-NT windows. Able to use Windows 3.x & 9.x apart from network shares just with a click.

      SW for NT (win2K, XP, Vista etc) written for win3.x / win9.x security model so it only ran for Admin accounts.

      Very many more DESIGN issues in MS Software, not fixed for years. Since the start of Word on Windows, the last line of a paragraph may fully justify instead of left. Current MS advice: "Add an extra return, then backspace to delete it". Almost g'teed on last paragraph before a page break. May not be visible till you do a PDF export.

      Some bugs and bad defaults in Explorer since Win95 are still there in Win10. Explorer has got worse with each version of windows since XP in usability.

      1. TonyJ Silver badge

        Re: What do you expect from...

        So you are talking about decade+ old software in most cases.

        And autorun hasn't been enabled by default for many years.

        That whole "only runs for admin accounts" has always been bollocks used as an excuse by lazy admins and develepors.

        Honestly, 5 minutes with Sysinternals' Regmon and Filemon (from way back in their earliest iterations) would show up where users hadn't the correct rights to run someting, and it could be changed at a file/key level.

        But...it was always "just easier" to make a normal user a local or <shudder> domain admin.

        I lost count of how many times I saw that particular fudge - especially in Citrix / TS / RDS environments.

        Like, in this case, allowing macros to run whether or not a user took the active decision to disallow them is lazy and goes to show that not everything or everyone in open source, or closed source, can follow the concept of best practices.

        And many eyes checking the source, while a great concept, only works if the right eyes look at the right area (and that's not a slur against open source).

        "...Some bugs and bad defaults in Explorer since Win95 are still there in Win10...."

        Could you cite some of these, because a lot of your initial list looks mostly wrong.

  11. dajames Silver badge

    Why does Libre Logo even exist?

    I can't imagine that many users of office suites find much use for a built-in logo interpreter.

    1. Jason Bloomberg Silver badge

      Re: Why does Libre Logo even exist?

      I would guess that at some time someone decided to knock-up some teaching materials and thought it would be neat to be able include actual working examples within the document the kids got given - "Click the button below and see how it moves the turtle ten steps to the right".

  12. Marco van de Voort

    Headline: windows never had security problems.

    Windows scripting host was a macro package delivered with product.

  13. Czrly
    Stop

    The promised patch is obviously...

    ... to put a bullet in LibreLogo, remove it from the product entirely and let those who actually care about it fork it to the bowels of some hell from which we never have to hear, ever again. It's the only way to be sure...

    Come to think of it, there's a whole tonne of stuff that could (and absolutely SHOULD) be gutted from LibreOffice. I guess a lot of it exists because of the OpenOffice (and StarOffice) legacy and a lot of that exists because some nutter thought feature-parity with Microsoft Office was somehow a good thing. The LibreOffice team (and management) really need to learn that the best way to lower your vulnerability surface area and your maintenance overhead is to cut the feature creep.

    Personally, I'd split the "suite" up, gut a tonne of the lesser-used and ill conceived stuff without remorse and make the default deployment contain ONLY a rich paginated-document editing program and a spreadsheet program. Neither would be plagued with "automation" features beyond provably safe cell formulae in the latter.

    Come on. Let's stop fooling ourselves into believing that anything than Writer and Calc is even close to functional, anyway.

  14. MichaelEastman

    I find it interesting that the enterprise recommended version 6.1.6 is end of life: 29 May 2019.

    So the recommended Enterprise version does not get updates.

    Would it not be better that 6.2.x is the recommended Enterprise version after 29 May 2019?

    I dualboot on my computer (Ubuntu 1904 / Windows 10 1904).

    Librelogo was not listed in Ubuntu but it was in Windows. But LibreOffice told me that Java 64-bit was needed to run Macros (if I remember correctly).

    So if one does not have Java 64-bit, LibreLogo cannot be used?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019