Ensure Tails 3.6 fixes CVE-2018-6871
Currently, when an attacker social-engineers a Tails user into opening a maliciously crafted document in LibreOffice, it can exfiltrate various files.
A PoC has been released:
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Debian has not backported the fix to Stretch as of writing:
https://security-tracker.debian.org/tracker/CVE-2018-6871
Is there a reason why there isn’t an AppArmor profile running containing the LibreOffice suite?
How would we feel about disabling macros that can also possibly run code on your computer?
Related issues
- Related to #15307 (closed)
- Blocks #13245 (closed)
Original created by @Dr_Whax on 15303 (Redmine)