The group behind LibreOffice has launched safety updates to repair three safety flaws within the productiveness software program, considered one of which could possibly be exploited to attain arbitrary code execution on affected techniques.
Tracked as CVE-2022-26305, the difficulty has been described as a case of improper certificates validation when checking whether or not a macro is signed by a trusted writer, resulting in the execution of rogue code packaged throughout the macros.
“An adversary might subsequently create an arbitrary certificates with a serial quantity and an issuer string similar to a trusted certificates which LibreOffice would current as belonging to the trusted writer, probably resulting in the person to execute arbitrary code contained in macros improperly trusted,” LibreOffice stated in an advisory.
Additionally resolved is using a static initialization vector (IV) throughout encryption (CVE-2022-26306) that would have weakened the safety ought to a nasty actor have entry to the person’s configuration info.
Lastly, the updates additionally resolve CVE-2022-26307, whereby the grasp key was poorly encoded, rendering the saved passwords prone to a brute-force assault if an adversary is in possession of the person configuration.
The three vulnerabilities, which have been reported by OpenSource Safety GmbH on behalf of the German Federal Workplace for Info Safety, have been addressed in LibreOffice variations 7.2.7, 7.3.2, and seven.3.3.
The patches come 5 months after the Doc Basis fastened one other improper certificates validation bug (CVE-2021-25636) in February 2022. Final October, three spoofing flaws have been patched that could possibly be abused to change paperwork to make them seem as if they’re digitally signed by a trusted supply.
