Description:
I set the macro security setting to "very high" and still the contaminated file makes LibreOffice hang completely. I tested the file in a fresh contained VM (Fedora 29 Workstation edition) and ran all the updates.

Steps to Reproduce:
1. Set up a fresh VM with Fedora 29 (don't use any production machine)
2. Open LibreOffice and set the macro security setting to "very high"
3. Open the contaminated file.

Actual Results:
LibreOffice says that the document contains macros but macros are disabled. After I click on ok, LibreOffice hangs immediately...

Expected Results:
LibreOffice shouldn't hang, because no macro is executed.

Reproducible: Always

User Profile Reset: No

Additional Info:
Sooo, nobody is interested in this issue?
Can I get at least a security email address where I can send the malware to? I don't want it to be available in the public bugtracker...
First try to reset your user profile and test it again. Which OS?
@Buovjaga
> Can I get at least a security email address where I can send the malware to?
> I don't want it to be available in the public bugtracker...
(In reply to LFlo from comment #2)
> Can I get at least a security email address where I can send the malware to?
> I don't want it to be available in the public bugtracker...

security@documentfoundation.org
(In reply to Buovjaga from comment #5)
> (In reply to LFlo from comment #2)
> > Can I get at least a security email address where I can send the malware to?
> > I don't want it to be available in the public bugtracker...
>
> security@documentfoundation.org

Thanks a lot! I just sent the document.
No macro is executed; the layout of a line of text is looping. So it's not a virus or a macro, just a hang. It's looping in laying out a line of text, seemingly unable to find a place to line break it on first glance. We don't treat such denial of service issues (hangs and such) as high priority security issues requiring special handling, but your reporting of it through this channel is commendable. You can attach your test case to the bug in the clear.
It's the spell checking, or the calculation of the area of text that is misspelled, that is hanging. So if you uncheck "automatic spell checking" in the tools menu before attempting to open it, it will then open without a hang.
The area calculation does eventually complete, so it's not a true hang, just very slow. The good news is that while in 6.1 it takes (for me) about 21 seconds, in 6.2 it now takes about 3. So arguably this might be considered fixed in 6.2 if we consider that an acceptable delay. caolanm->vmiklos; I imagine that's your sallayout cache in action in the time reduction.
@Caolán, since this is not a security issue, would it be possible to attach the document?
LFlo sent the doc in private to the security list, so I can't assume permission to attach their document in the clear here, although I can confirm it's safe for them to do so and hopefully they will.
(In reply to Caolán McNamara from comment #11)
> LFlo sent the doc in private to the security list so I can't assume
> permission to attach their document in the clear here although I can confirm
> its safe for them to do so and hopefully they will

Oh, you're right!

@LFlo, please attach a sample document, as this makes it easier for us to verify the bug. (Please note that the attachment will be public, remove any sensitive information before attaching it. See https://wiki.documentfoundation.org/QA/FAQ#How_can_I_eliminate_confidential_data_from_a_sample_document.3F for help on how to do so.)

I have set the bug's status to 'NEEDINFO'. Please change it back to 'NEW' once the requested document is provided.
Hey, sorry for the late response. Actually this isn't a test case I made up, it was actual malware we got on our E-Mail account. I saved the file in order to test if the malware can also attack LibreOffice. As far as I know the file *does* contain macros which can hurt a Windows environment, at least LibreOffice warned me of macros before opening the file. Also the anti-virus of the Windows system in our office detected it as malware. That's why I wasn't sure if I can actually upload the file, since I don't want to provide a "free" way to hurt any Windows system with MS Office, although LibreOffice + Linux seem to be immune against it.

@Caolán McNamara: Can you confirm again that the file does not contain any macros which can be malicious for LibreOffice and MS Office? Is there a way to get rid of the macros?

Thanks again for the investigation of the file!
Created attachment 147311
just the textbox that causes the delay

I'll take that as permission to upload the content, so here's just the bit that matters to us
Dear LFlo,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT
Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from http://downloadarchive.documentfoundation.org/libreoffice/old/
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug
Dear LFlo,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT
Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug