LibreOffice releases software update to patch 3 new vulnerabilities
The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
Tracked as CVE-2022-26305, the issue has been described as a case of incorrect certificate validation when checking if a macro is signed by a trusted author, leading to the execution of malicious code embedded in the macros.
“An adversary could therefore create an arbitrary certificate with a serial number and issuer chain identical to a trusted certificate that LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in incorrectly trusted macros,” LibreOffice says in a notice.
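The flaw described above comes down to what a trust store uses as a certificate's identity. The following is an added illustration, not LibreOffice code: a stand-in certificate model (constructed data, no real X.509 parsing) where the weak check keys trust on issuer plus serial number alone, so a forged certificate that copies both is accepted, while the hardened check binds trust to a hash of the whole encoded certificate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes  # stands in for the SubjectPublicKeyInfo field

    def der(self) -> bytes:
        # Deterministic encoding of the fields a real parser would hash.
        return f"{self.issuer}|{self.serial}|{self.subject}|".encode() + self.public_key

    def fingerprint(self) -> str:
        # Identity of the certificate as a whole, the way browsers pin "thumbprints".
        return hashlib.sha256(self.der()).hexdigest()


# Constructed sample data: the genuine author certificate, and a forgery that
# copies its issuer and serial number but carries the attacker's own key.
GENUINE = Certificate("CN=Example Corp CA", 0x1234, "CN=Trusted Author", b"genuine-key")
FORGED = Certificate("CN=Example Corp CA", 0x1234, "CN=Trusted Author", b"attacker-key")
TRUST_STORE = [GENUINE]


def trusted_by_issuer_serial(cert: Certificate, trust_store) -> bool:
    """Flawed check: identity is reduced to the (issuer, serial) pair."""
    return any((cert.issuer, cert.serial) == (t.issuer, t.serial) for t in trust_store)


def trusted_by_fingerprint(cert: Certificate, trust_store) -> bool:
    """Hardened check: identity is the digest of the complete encoded certificate."""
    trusted = {t.fingerprint() for t in trust_store}
    return cert.fingerprint() in trusted


def compare_checks(cert: Certificate, trust_store=TRUST_STORE) -> dict:
    """Return both verdicts for a certificate so the difference is visible side by side."""
    return {
        "issuer_serial": trusted_by_issuer_serial(cert, trust_store),
        "fingerprint": trusted_by_fingerprint(cert, trust_store),
    }


if __name__ == "__main__":
    print("genuine:", compare_checks(GENUINE))  # both checks accept
    print("forged: ", compare_checks(FORGED))   # only the weak check accepts
```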
Also resolved was the use of a static initialization vector (IV) when encrypting (CVE-2022-26306), which could have weakened security if a bad actor had access to the user's configuration information.
Finally, the updates also resolve CVE-2022-26307, in which the master key was poorly encoded, making stored passwords susceptible to brute-force attack if an adversary is in possession of the user's configuration.
The three vulnerabilities, reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been fixed in LibreOffice versions 7.2.7, 7.3.2 and 7.3.3.
The fixes come five months after The Document Foundation patched another incorrect certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be misused to edit documents so that they appeared to be digitally signed by a reliable source.