Container: Harden Libreoffice

[deeplow]

Custom macros in documents are a common attack vector. This is currently NOT a security issue Dangerzone faces since in its default config LibreOffice in alpine does disable untrusted macros (and there are zero trusted macros) by setting the macro security to high.

My proposal is to increase the macro security level to Very High:

Very high

Only macros from trusted file locations are allowed to run. All other macros, regardless of whether they are signed or not, are disabled. Trusted file locations can be set on the Trusted Sources tab page. Any macro from a trusted file location is allowed to run.

CVEs like CVE-2022-26305 that do improper macro validation could make very high be a safer default. And given that our policy is to disable macros, why not bump that up to the max?

PoC

Libreoffice has an XML user configuration in ~/.config/libreoffice/4/user/registrymodifications.xcu, to which we can add a line to set it to very high:

<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>3</value></prop></item>

A custom config can be specified with soffice -env:UserInstallation=file:///tmp/test or by setting it in libreoffice's bootstraprc.

[deeplow]

Here's a resource found by the security auditor that can prove useful in further hardening LibreOffice.

[deeplow]

I installed LibreOffice 24.2 but didn't find this option. It could be that it was put in some other place. Or it could be that it will only be included in 24.8. There was some ambiguity around that in the issue.

Or perhaps it wasn't surfaced in the UI and I'll need to configure it via the settings XML file. Either way, I'll have to give this another spin.

I also confirmed that Alpine Linux doesn't support the "unstable" versions of LibreOffice. So we're stuck in the past in that front.