Ensure Tails 3.6 fixes CVE-2018-6871

Currently, when an attacker social engineers a Tails user to open up a maliciously crafted document in LibreOffice, it can exfiltrate various files.

A PoC has been released: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Debian has not backported the fix to Stretch as of writing: https://security-tracker.debian.org/tracker/CVE-2018-6871

Is there a reason why there isn’t an AppArmor profile running containing the LibreOffice suite?

How would we feel about disabling macros that can also possibly run code on your computer?

Original created by @Dr_Whax on 15303 (Redmine)
