Errata overview
Errata ID 260
Date 2019-09-11
Source package libreoffice
Fixed in version 1:5.2.7-1+deb9u11
This update addresses the following issues:
* LibreOffice has a feature where documents can specify that pre-installed
  macros can be executed on various script events such as mouse-over,
  document-open etc. Access is intended to be restricted to scripts under the
  share/Scripts/python/, user/Scripts/python/ sub-directories of the
  LibreOffice install. Protection was added, to address CVE-2019-9852, to
  avoid a directory traversal attack where scripts in arbitrary locations on
  the file system could be executed by employing a URL encoding attack to
  defeat the path verification step. However this protection could be
  bypassed by taking advantage of a flaw in how LibreOffice assembled the
  final script URL location directly from components of the passed in path as
  opposed to solely from the sanitized output of the path verification step.
Additional notes
CVE ID CVE-2019-9854
UCS Bug number #50144