The maintainers of LibreOffice have released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
“An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in macros improperly trusted,” LibreOffice said in an advisory.
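To make the advisory's point concrete, here is an added example (not LibreOffice code) contrasting a trust check that identifies a certificate only by issuer string and serial number with one that compares the fingerprint of the whole encoded certificate. The `Cert` type, its field values and the `der` byte strings are constructed stand-ins, not real X.509 data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: the fields a weak check
    compares, plus the encoded bytes a proper check would hash."""
    issuer: str
    subject: str
    serial: int
    der: bytes  # constructed placeholder for the certificate's DER encoding


def fingerprint(cert: Cert) -> str:
    # SHA-256 over the full encoded certificate; this is what a certificate
    # "fingerprint" means in practice and it covers the embedded public key.
    return hashlib.sha256(cert.der).hexdigest()


def trusted_by_issuer_serial(cert: Cert, trust_store: list[Cert]) -> bool:
    # Weak check (the pattern behind CVE-2022-26305): certificate identity is
    # reduced to issuer string + serial number, both of which anyone minting
    # their own certificate can set to match a trusted one.
    return any(c.issuer == cert.issuer and c.serial == cert.serial
               for c in trust_store)


def trusted_by_fingerprint(cert: Cert, trust_store: list[Cert]) -> bool:
    # Hardened check: a certificate is trusted only if its fingerprint matches
    # one in the store, so a look-alike with a different key does not pass.
    wanted = fingerprint(cert)
    return any(fingerprint(c) == wanted for c in trust_store)


# Constructed sample data: the second certificate copies the first's issuer
# and serial but is a different certificate (different encoded bytes/key).
TRUSTED = Cert("CN=Example Issuer", "CN=Trusted Author", 4242,
               b"constructed-der-trusted-author-key-01")
LOOKALIKE = Cert("CN=Example Issuer", "CN=Trusted Author", 4242,
                 b"constructed-der-other-key-99")
TRUST_STORE = [TRUSTED]

if __name__ == "__main__":
    for name, cert in (("trusted", TRUSTED), ("lookalike", LOOKALIKE)):
        print(name, "issuer+serial:", trusted_by_issuer_serial(cert, TRUST_STORE),
              "fingerprint:", trusted_by_fingerprint(cert, TRUST_STORE))
```

The weak check accepts both certificates; the fingerprint check accepts only the genuine one, which is the property a macro-signature trust decision needs.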
Also resolved is the use of a static initialization vector (IV) during encryption (CVE-2022-26306), which could have weakened the protection should a bad actor have access to the user's configuration data.
Lastly, the updates also resolve CVE-2022-26307, in which the master key was poorly encoded, rendering the stored passwords vulnerable to a brute-force attack if an adversary is in possession of the user configuration.
The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
The patches come five months after The Document Foundation fixed another improper certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as though they are digitally signed by a trusted source.