Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20251210113517.GF2622@qaa.vinc17.org>
Date: Wed, 10 Dec 2025 12:35:17 +0100
From: Vincent Lefevre <vincent@...c17.net>
To: oss-security@...ts.openwall.com
Subject: LibreOffice puts searched text into the PRIMARY selection (Linux,
 X11)

Under Linux X11, LibreOffice (Writer, Calc, Draw...) silently puts
searched text into the PRIMARY selection when a search is active and
its window gets the focus. This can yield such text to be disclosed
to web sites (when one clicks with the middle button in some form)
and to other applications using the same X server (without needing
any action from the user).

A search in LibreOffice should have remained local to LibreOffice.
Text entered in the search field may be private or confidential,
thus it must not be disclosed anywhere else.

To reproduce:

1. Start LibreOffice Writer (or Calc, Draw...).
2. Type Ctrl-F to start a search.
3. Type some text to search (a single character is sufficient).
4. Optional: Select some text in another application, e.g. xterm.
5. Move the cursor over the LibreOffice window.
   With window managers that support "focus-follows-mouse"
   (e.g. FVWM and twm), this window gets the focus.
   Otherwise you need to click so that this window gets the focus.

Result: The text in the LibreOffice search field automatically
becomes the new PRIMARY selection. This can be seen by pasting
the PRIMARY selection somewhere else (with the middle button)
or with the following script (using the xclip utility):

while true
do
  new=$(xclip -o 2> /dev/null)
  if [ "x$new" != "x$old" ]; then
    printf "%s\n" "$new"
    old=$new
  fi
  sleep 1
done

which prints text from the current PRIMARY selection, as soon as
it is modified.

Note: The text in the LibreOffice search field appears as
selected, but this should have remained internal to LibreOffice.
For instance, when I click on the address bar of Firefox, its
contents get selected, but the PRIMARY selection is unchanged.

Affected LibreOffice versions (at least): 24.2.5, 24.2.6 and 25.8.3.2

In case this matters, I'm using the libreoffice Debian package
under Debian/unstable.

Bug I had reported last year (I forgot about it, until I got caught
again today, wondering what was happening):
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080978
  https://bugs.documentfoundation.org/show_bug.cgi?id=162821

-- 
Vincent Lefèvre <vincent@...c17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.