CVE-2024-12425
Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal') vulnerability allows Absolute Path Traversal.
An attacker can write to arbitrary locations, albeit suffixed
with ".ttf", by supplying a file in a format that supports
embedded font files.
CVE-2024-12426
Exposure of Environmental Variables and arbitrary INI file values
to an Unauthorized Actor vulnerability.
URLs could be constructed which expanded environmental variables
or INI file values, so potentially sensitive information could
be exfiltrated to a remote server on opening a document
containing such links.
For Debian 11 bullseye, these problems have been fixed in version
1:7.0.4-4+deb11u12.
We recommend that you upgrade your libreoffice packages.
For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libreoffice