
Debian: DLA-3368-1 Critical: LibreOffice Multiple Issues Overview

debian lts
March 26, 2023
Multiple vulnerabilities were found in LibreOffice, an office productivity software suite, leading to arbitrary script execution, improper certificate validation, and weak encryptio...

Summary

CVE-2021-25636

Only use X509Data
LibreOffice supports digital signatures of ODF documents and macros
within documents, presenting visual aids that no alteration of the
document occurred since the last signing and that the signature is
valid. An Improper Certificate Validation vulnerability in LibreOffice
allowed an attacker to create a digitally signed ODF document, by
manipulating the documentsignatures.xml or macrosignatures.xml stream
within the document to contain both "X509Data" and "KeyValue" children
of the "KeyInfo" tag, which when opened caused LibreOffice to verify
using the "KeyValue" but to report verification with the unrelated
"X509Data" value.
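
A triage check for the structure CVE-2021-25636 describes, added here as an example and not taken from the advisory or from LibreOffice: it opens an ODF package and reports every signature whose "KeyInfo" carries both "X509Data" and "KeyValue" children. The `META-INF/` location of the two streams, the helper names and the sample documents are assumptions of this example; the samples are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Signature streams named in the advisory; they live under META-INF/ in the ODF package.
SIGNATURE_STREAMS = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")
SUSPECT = {f"{{{DSIG}}}X509Data", f"{{{DSIG}}}KeyValue"}

def find_mixed_keyinfo(odf_bytes):
    """Return [(stream, signature Id)] for every KeyInfo holding both X509Data and KeyValue."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        present = set(zf.namelist())
        for stream in SIGNATURE_STREAMS:
            if stream not in present:
                continue
            data = zf.read(stream)
            if b"<!DOCTYPE" in data:
                # Signature streams need no DTD; refuse rather than expand entities.
                raise ValueError(f"{stream}: unexpected DOCTYPE")
            for sig in ET.fromstring(data).iter(f"{{{DSIG}}}Signature"):
                for keyinfo in sig.iter(f"{{{DSIG}}}KeyInfo"):
                    if SUSPECT <= {child.tag for child in keyinfo}:
                        findings.append((stream, sig.get("Id", "")))
    return findings

def build_sample(keyinfo_children):
    """Constructed sample: a zip holding only a documentsignatures.xml stream."""
    xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        f'<Signature xmlns="{DSIG}" Id="ID_sample"><SignedInfo/><SignatureValue/>'
        f"<KeyInfo>{keyinfo_children}</KeyInfo></Signature></document-signatures>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SIGNATURE_STREAMS[0], xml)
    return buf.getvalue()

# Constructed KeyInfo bodies (placeholder contents, not real key material).
X509_ONLY = "<X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data>"
MIXED = X509_ONLY + "<KeyValue><RSAKeyValue/></KeyValue>"

if __name__ == "__main__":
    print("mixed:", find_mixed_keyinfo(build_sample(MIXED)))
    print("x509 only:", find_mixed_keyinfo(build_sample(X509_ONLY)))
```

A hit marks a document for manual review on hosts that have not yet received the fixed package; it does not by itself establish that the signature was forged.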

CVE-2022-3140

Insufficient validation of "vnd.libreoffice.command"
URI schemes. LibreOffice supports Office URI Schemes to enable browser
integration of LibreOffice with MS SharePoint server. An additional
scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In



Severity: critical

Package: libreoffice
Version: 1:6.1.5-3+deb10u8
CVE ID: CVE-2021-25636 CVE-2022-3140 CVE-2022-26305 CVE-2022-26306
