Problema sicurezza CVE-2019-9848 e CVE-2019-9848 e patch per Fresh non per Steel

users
#1

Buongiorno a tutti,

credo che sia noto da settimane, pubblicato circa un mese addietro, e sembra piuttosto grave consentendo l'esecuzione di script python arbitrari all'insaputa dell'utente che aprisse un documento malevolo.

La soluzione fornita e' l'aggiornamento alla versione 6.2.5, che pero` non mi sembra ottimale, dato che e` la versione Fresh di sviluppo, mentre se uno volesse rimanere sulla Steel di produzione 6.1.X come dovrebbe fare?

Saluti,

Andrea Ferraris

#2

Sorry for the wrong language, here You are the translation:

I think it's been known for weeks, published about a month ago and rather serious because it allows the arbitrary execution of python scripts without the user's knowledge when opening a malicious document.

The solution provided is the upgrade to version 6.2.5, which however does not seem optimal, since it is the Fresh version of development,
whereas if one wanted to remain on the production one, Steel 6.1.X, how he should do?

Greetings,

#3

ANDREA FERRARIS wrote

Sorry for the wrong language, here You are the translation:

I think it's been known for weeks, published about a month ago and
rather serious because it allows the arbitrary execution of python
scripts without the user's knowledge when opening a malicious document.

The solution provided is the upgrade to version 6.2.5, which however
does not seem optimal, since it is the Fresh version of development,
whereas if one wanted to remain on the production one, Steel 6.1.X, how
he should do?

Greetings,

Andrea Ferraris

CVE-2019-9847 , CVE-2019-9848, and CVE-2019-9849 have all be corrected by
TDF for current "Fresh" 6.3.0 and "Still" 6.2.5 release builds. Follow the
TDF Discuss mail list
<https://listarchives.documentfoundation.org/www/discuss/> for any
security related issues.

Otherwise, sorry but the 6.1 branch is not supported by TDF, it is
End-of-Life effective 2019-05-29

The 6.3 branch was released 2019-08-08 and its 6.3.0 build is current
"Fresh" release

The 6.2 branch has now become the "Still" branch, with the patched 6.2.5
release available (and the 6.2.6 release candidate already built and
available for testing).

Meaning that either users Linux distro must update their packaging, or
users must seek 3rd party support to continue to use a 6.1 or pre 6.2.5
build of LibreOffice.

But again this belongs on the Discuss mail list.

#4

Hi,
I'm writing some Latin texts with long vowels indicated and so i'm frequently having to go to the special characters dialog.
I'm wondering if its possible to set up certain keys in LO so that pressing, e.g. ALT +A would enter a with macron character (and SHIFT +ALT +A for the capital)?

I've looked at tools>configure but can't yet see if there is a way to make a key combination return a special character rather than execute a function. I've also quickly looked at autocorrect but that doesn't seem to work on key combinations.

I'm guessing what i need is a keyboard mapping option?

I'm using LO 6.0.7.3 on ubuntu 18.04.08

Thanks
/Gary

#5

This was requested long time ago in [1] while meanwhile we have the Recently Used section and I could imagine to provide access per shortcut to those items. However, there is the wish to extend this section [2] and that would break any shortcut approach. What you always can do is to create own entries in the replacement table of the autocorrect function [3].

[1] https://bugs.documentfoundation.org/show_bug.cgi?id=41981
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=120753
[3] https://help.libreoffice.org/6.3/en-US/text/shared/01/06040200.html

#6

Hi!

I'm wondering if its possible to set up certain keys in LO so that pressing, e.g. ALT +A would enter a with macron character (and SHIFT +ALT +A for the capital)?

I use xmodmap for that, e.g.:

/usr/local/bin/xmodmap -e 'keycode 33 = p P 0x00a7 0x00a7'

provides the paragraph character.

/usr/local/bin/xmodmap -e 'keycode 26 = e E 0x20ac 0x20ac'

yields the EURO currency symbol.

#7

Thanks,that's an interesting idea to explore. But would i then lose the normal behaviour/functionality in other programs, e.g. blender?
I really need something that is restricted to documents ....
/Gary On Friday, 9 August 2019, 08:56:42 BST, Kurt Jaeger <pilists@opsec.eu> wrote:

Hi!

I'm wondering if its possible to set up certain keys in LO so that pressing, e.g. ALT +A would enter a with macron character (and SHIFT +ALT +A for the capital)?

I use xmodmap for that, e.g.:

/usr/local/bin/xmodmap -e 'keycode 33 = p P 0x00a7 0x00a7'

provides the paragraph character.

/usr/local/bin/xmodmap -e 'keycode 26 = e E 0x20ac 0x20ac'

yields the EURO currency symbol.

#8

Thanks a lot for these references, i hope i might be able to get something usable from them.
/Gary On Friday, 9 August 2019, 08:46:44 BST, Heiko Tietze <heiko.tietze@documentfoundation.org> wrote:

This was requested long time ago in [1] while meanwhile we have the Recently Used section and I could imagine to provide access per shortcut to those items. However, there is the wish to extend this section [2] and that would break any shortcut approach. What you always can do is to create own entries in the replacement table of the autocorrect function [3].

[1] https://bugs.documentfoundation.org/show_bug.cgi?id=41981
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=120753
[3] https://help.libreoffice.org/6.3/en-US/text/shared/01/06040200.html

#9

I've tried (3), using \a for macron a,etc., and it sort of works, but, it seems, the character sequence is replaced in the text only when preceded by a space. Since this space is not removed when the replacement is made, and since the vast majority of macron characters are not at the beginning of a word, this space must be manually removed for each character required, and this makes the process almost as slow as inserting from the special characters.
Is there a way to get LO writer to recognise and replace the sequence even when it comes in the middle of a word or at the end?

Thanks
/Gary

This was requested long time ago in [1] while meanwhile we have the Recently Used section and I could imagine to provide access per shortcut to those items. However, there is the wish to extend this section [2] and that would break any shortcut approach. What you always can do is to create own entries in the replacement table of the autocorrect function [3].

[1] https://bugs.documentfoundation.org/show_bug.cgi?id=41981
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=120753
[3] https://help.libreoffice.org/6.3/en-US/text/shared/01/06040200.html

#10

Nope, unfortunately not. The space is needed. But feel free to ask again on ask.libreoffice.org where users with more expertise may find a solution for you.

#11

Hi Gary,

if you want to go with macros, the following will work:
The general part once (you might need to correct line breaks):

Sub lcl_InsertCharacter_Writer(byval sChar as string)
Dim oDoc as variant
  oDoc = ThisComponent
Dim oCurrentController as variant
  oCurrentController = oDoc.getCurrentController()
if not(oCurrentController.supportsService("com.sun.star.text.TextDocumentView")) then
  msgbox("only for text documents")
  exit sub
end if
Dim oTextViewCursor as variant
  oTextViewCursor = oCurrentController.getViewCursor()
Dim oText as variant
If IsEmpty(oTextViewCursor.Cell) Then
         oText=oTextViewCursor.Text
Else
         oText=oTextViewCursor.Cell.Text
End If
oText.insertString(oTextViewCursor,sChar,false)
End Sub

And then for each desired character, for example:

sub S_Lower_Hatchek
  lcl_InsertCharacter_Writer(chr(clng("&H0161")))
end sub

sub C_Upper_Cedilla
  lcl_InsertCharacter_Writer(chr(clng("&Hc7")))
end sub

Of cause you need to adapt the number "&H0161" or "&Hc7" to your character. You can assign a short-cut to macros. Macros are at the bottom of the Category list in the Keyboard tab of the Customize dialog.

I found it difficult to remember short-cuts. Therefore I had made an own toolbar for these characters, where I used the character itself as name for the icon. I had added the macros and the toolbar to a document template. I had used it many yours ago for my pupils, so that they could easily write French texts. But with the new special character dialog, such is not really needed nowadays.

Kind regards
Regina

#12

I've been using this since my last post and while not ideal it is a significant improvement over the characters dialoge, so thanks a lot for the help.
I may ask later on that other forum but i fear i may find it difficult to access on my phone (which for most of the time is my only internet access).
Best
/Gary

Nope, unfortunately not. The space is needed. But feel free to ask again on ask.libreoffice.org where users with more expertise may find a solution for you.

#13

I use the International U.S. English layout, which provides a lot of
extra characters.

#14

How do you access the extra characters from the keyboard? (I used to use ubuntu onboard onscreen keyboard which was very useful, especially for clasical greek, but since upgrading ubuntu to 18.04 i havent been able to get it to work for extended characters) On Friday, 9 August 2019, 12:04:36 BST, James Knott <james.knott@jknott.net> wrote:

Hi!

I'm wondering if its possible to set up certain keys in LO so that pressing, e.g. ALT +A would enter a with macron character (and SHIFT +ALT +A for the capital)?

I use xmodmap for that, e.g.:

/usr/local/bin/xmodmap -e 'keycode 33 = p P 0x00a7 0x00a7'

provides the paragraph character.

/usr/local/bin/xmodmap -e 'keycode 26 = e E 0x20ac 0x20ac'

yields the EURO currency symbol.

I use the International U.S. English layout, which provides a lot of
extra characters.

#15

Are you referring to the International English keyboard I referred to ?

If so, you have to go into the input devices to select the layout.  On
openSUSE 15.1 & KDE, it's Configure Desktop > Input Devices.  In
Keyboard, Layouts tab, near the bottom, you'll find the area for
configuring layouts.  Enable Configure Layouts and make your choice.  I
selected English (intl., with AtlGr dead keys).  You'll then have a
layout for U.S. International English. You can see the layout here:
https://en.wikipedia.org/wiki/British_and_American_keyboards

You then use the right Alt (Alt Gr) and shift keys to select which
character a key represents.  For example, Alt Gr & ; = ¶, Shift Alt Gr &
; = °, Alt Gr & 5 = €, etc.

Most of the characters shown on the layout work.

#16

Thanks for this info,it was the use of alt-gr key that i didnt know - vety helpful. Ive looked at several variants of english keyboard layouts and havent found one with the macron vowels. Since later i will probably also want caron vowels as well i dont think i'll go down that route. Also i want classical greek chars, and whilst i know that it is technically possible to get them from the keyboard (i used to do that when i used Windows) there are far too many key combinations to temember. When i get the chance i'll check for any ubuntu updates that might resolve the problems with Onboard; failing that i will try to write my own simple customisrd onscreen keyboard to conveniently select the characters i want - just as soon as i find out how to get a tkinter program to output the characters to a different running program,ie output the character without the tkinter app 'stealing' the focus. (I'll probably do that in any case at some stage but i don't know when as I've also got other pressing issues that have arisen since reinstalling ubuntu).
Best
Gary On Friday, 9 August 2019, 16:54:58 BST, James Knott <james.knott@jknott.net> wrote:

Are you referring to the International English keyboard I referred to ?

If so, you have to go into the input devices to select the layout.  On
openSUSE 15.1 & KDE, it's Configure Desktop > Input Devices.  In
Keyboard, Layouts tab, near the bottom, you'll find the area for
configuring layouts.  Enable Configure Layouts and make your choice.  I
selected English (intl., with AtlGr dead keys).  You'll then have a
layout for U.S. International English. You can see the layout here:
https://en.wikipedia.org/wiki/British_and_American_keyboards

You then use the right Alt (Alt Gr) and shift keys to select which
character a key represents.  For example, Alt Gr & ; = ¶, Shift Alt Gr &
; = °, Alt Gr & 5 = €, etc.

Most of the characters shown on the layout work.

#17

There is also a Greek layout.  One thing that might help is that you can
configure multiple layouts and switch between them as needed.

#18

Yeah, ive been there and done that; the problen with the greek is the huge number of characters required, i could never remember which combinations of shift ctrl alt went with which characters which made it VERY slow to use. With onboard a long click on, say, alpha, would bring up a little menu of all the variations making it a lot faster with the vowels than using the physical keyboard
/Gary On Sunday, 18 August 2019, 12:49:15 BST, James Knott <james.knott@jknott.net> wrote:

Also i want classical greek chars

There is also a Greek layout.  One thing that might help is that you can
configure multiple layouts and switch between them as needed.