Security News > 2022 > July > LibreOffice Releases Software Update to Patch 3 New Vulnerabilities
The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
"An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted," LibreOffice said in an advisory.
The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
The patches come five months after the Document Foundation fixed another improper certificate validation bug in February 2022.
Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as if they are digitally signed by a trusted source.
News URL
https://thehackernews.com/2022/07/libreoffice-releases-software-security.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-25 | CVE-2022-26305 | Improper Certificate Validation vulnerability in Libreoffice 7.2.0/7.3.0/7.3.1 An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. | 7.5 |