LibreOffice releases software update to patch 3 new vulnerabilities


The team behind LibreOffice has released security updates to address three security vulnerabilities in the productivity software, one of which could be exploited to cause arbitrary code execution on affected systems.

Tracked as CVE-2022-26305, the issue has been described as a case of incorrect certificate validation when checking whether a macro is signed by a trusted author, which could lead to the execution of malicious code packaged in the macro.

"An adversary could therefore create a random certificate with a serial number and issuer string identical to a trusted certificate that LibreOffice would present as belonging to the trusted author, potentially leading the user to run arbitrary code in macros that are incorrectly trusted," LibreOffice said in an advisory.
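The flaw described above is a trust check keyed on fields anyone can put in a self-minted certificate. The following is an added illustration, not LibreOffice's code: certificates are modelled as a small dataclass with constructed placeholder bytes standing in for the DER encoding, so it runs offline with the standard library only. The weak check identifies a signer by issuer string and serial number; the hardened check pins the hash of the whole encoded certificate, which the forger cannot reproduce without the genuine key and signature.

```python
"""Vulnerable vs hardened 'is this macro signer trusted?' check.

Added example; it is not LibreOffice code.  Certificates are modelled as a
dataclass whose `der` field holds constructed placeholder bytes, not a real
DER encoding, so the script runs without a crypto library.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    der: bytes  # encoded certificate (constructed placeholder here, not real DER)

    def fingerprint(self) -> str:
        # SHA-256 over the entire encoded certificate: this covers the public
        # key and the CA signature, not just the fields a forger can choose.
        return hashlib.sha256(self.der).hexdigest()


# Constructed sample data: the genuine certificate of a trusted macro author ...
TRUSTED_AUTHOR = Certificate(
    issuer="CN=Example Code Signing CA,O=Example Corp",
    serial=0x1A2B3C4D,
    der=b"constructed-der-bytes-for-the-genuine-certificate",
)

# ... and an attacker-minted certificate that copies the issuer string and
# serial number but carries the attacker's own key and signature.
FORGED = Certificate(
    issuer=TRUSTED_AUTHOR.issuer,
    serial=TRUSTED_AUTHOR.serial,
    der=b"constructed-der-bytes-for-an-attacker-controlled-certificate",
)

TRUST_STORE = [TRUSTED_AUTHOR]


def is_trusted_by_issuer_and_serial(cert: Certificate) -> bool:
    """Weak check of the kind the advisory describes: the certificate is
    identified only by attacker-choosable fields, so FORGED passes."""
    return any(
        cert.issuer == t.issuer and cert.serial == t.serial for t in TRUST_STORE
    )


def is_trusted_by_fingerprint(cert: Certificate) -> bool:
    """Hardened check: the encoded certificate must match the pinned one byte
    for byte (compared via its hash).  A real implementation also validates
    the chain and signature; the pin alone already defeats this forgery."""
    return any(
        hmac.compare_digest(cert.fingerprint(), t.fingerprint()) for t in TRUST_STORE
    )


if __name__ == "__main__":
    for name, cert in (("genuine", TRUSTED_AUTHOR), ("forged", FORGED)):
        print(
            f"{name}: issuer+serial check={is_trusted_by_issuer_and_serial(cert)} "
            f"fingerprint check={is_trusted_by_fingerprint(cert)}"
        )
```

Matching on issuer and serial is only sound after the certificate's signature has been verified against the issuer's key; without that step the pair is just two strings the signer wrote into the file.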

Also fixed is CVE-2022-26306, the use of a static initialization vector (IV) when encrypting the web-connection passwords LibreOffice stores in the user's configuration database; the fixed IV weakens the encryption and exposes the stored passwords to an attacker who obtains the user's configuration data.
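Why a fixed IV matters for a store of several secrets encrypted under one master key: entries encrypted with the same key and the same IV share a keystream, so an attacker holding the configuration file and one known entry (for instance a password they set themselves) can read another entry without the key. The example below is added here and is not LibreOffice's cipher; it uses a toy counter-mode keystream built from HMAC-SHA256 so it runs with the standard library, and the IV-reuse property it demonstrates holds for any stream or counter-mode cipher. The master key and passwords are constructed sample values.

```python
"""Static IV vs per-entry random IV for a password store.

Added example, not LibreOffice code.  The cipher is a toy CTR-style
keystream (HMAC-SHA256 over IV || counter) chosen only so the script runs
with the standard library; IV reuse breaks any stream/counter-mode cipher
the same way.  All keys and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Optional

IV_LEN = 16
MASTER_KEY = hashlib.sha256(b"constructed-master-key-for-the-example").digest()
KNOWN_PASSWORD = b"attacker-known-password-xyz"   # entry the attacker already knows
TARGET_PASSWORD = b"s3cret-site-b-pw"             # entry the attacker wants


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and IV (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_keystream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


STATIC_IV = b"\x00" * IV_LEN  # the weak configuration: one IV for every entry


def store_with_static_iv(key: bytes, secret: bytes) -> bytes:
    return STATIC_IV + xor_keystream(key, STATIC_IV, secret)


def store_with_random_iv(key: bytes, secret: bytes) -> bytes:
    """Corrected form: fresh random IV per entry, stored alongside the ciphertext."""
    iv = os.urandom(IV_LEN)
    return iv + xor_keystream(key, iv, secret)


def load(key: bytes, stored: bytes) -> bytes:
    iv, ct = stored[:IV_LEN], stored[IV_LEN:]
    return xor_keystream(key, iv, ct)


def recover_second_secret(stored1: bytes, known1: bytes, stored2: bytes) -> Optional[bytes]:
    """Key-less attack that works only when the two entries share an IV:
    c1 ^ c2 = p1 ^ p2, hence p2 = c1 ^ c2 ^ p1 (for the overlapping prefix)."""
    iv1, c1 = stored1[:IV_LEN], stored1[IV_LEN:]
    iv2, c2 = stored2[:IV_LEN], stored2[IV_LEN:]
    if iv1 != iv2:
        return None  # distinct IVs, distinct keystreams: nothing to cancel
    n = min(len(c1), len(c2), len(known1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], known1[:n]))


if __name__ == "__main__":
    weak = [store_with_static_iv(MASTER_KEY, p) for p in (KNOWN_PASSWORD, TARGET_PASSWORD)]
    print("static IV, recovered:", recover_second_secret(weak[0], KNOWN_PASSWORD, weak[1]))
    good = [store_with_random_iv(MASTER_KEY, p) for p in (KNOWN_PASSWORD, TARGET_PASSWORD)]
    print("random IV, recovered:", recover_second_secret(good[0], KNOWN_PASSWORD, good[1]))
```

The recovered prefix is bounded by the length of the known entry; with a block mode such as CBC a fixed IV leaks less directly (equal plaintext prefixes produce equal ciphertext prefixes) but still lets the holder of the configuration file tell which entries share a password.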

Finally, the updates also fix CVE-2022-26307, where the master key protecting those stored passwords was poorly encoded, reducing its entropy from 128 to 43 bits and leaving the stored passwords susceptible to a brute-force attack by an adversary in possession of the user's configuration.

The three vulnerabilities, reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2 and 7.3.3.

The patches come five months after the Document Foundation fixed another certificate validation flaw (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were fixed that could be exploited to alter documents so that they appeared to be digitally signed by a trusted source.