The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
LibreOffice is a popular cross-platform Microsoft Office alternative that is available for Windows, macOS and Linux.
CVE-2022-26305: the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
LibreOffice supports the execution of macros, but limits it to documents that are either stored in a trusted file location or signed with a trusted certificate. It maintains a list of trusted certificates that are stored in the user’s configuration database.
When a document contains macros, LibreOffice attempts to match the certificate to the list of trusted certificates. The macro is executed if a matching certificate is found, and blocked otherwise.
Finally, the updates also resolve CVE-2022-26307, in which the master key was poorly encoded, making the stored passwords vulnerable to a brute-force attack if an adversary is in possession of the user’s configuration.
The three vulnerabilities, reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, were addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
The latest versions of LibreOffice are LibreOffice 22.214.171.124 and LibreOffice 7.2.7; both are available as downloads on the official website.
To check the installed LibreOffice version and update the software:
- Open any LibreOffice application, e.g., LibreOffice Writer.
- Select Help > About LibreOffice.
If the version shown is lower than 7.2.7 or 7.3.3, LibreOffice is vulnerable to attacks that target the vulnerabilities.
LibreOffice supports manual update checks and the downloading of updates using the Office client. Select Help > Check for Updates to run a check.
The application checks if a new version is available; a new version is then downloaded and installed.
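The version comparison described above can be scripted for checking many hosts. This is an added example, not part of the original article or LibreOffice's own tooling. It assumes `soffice --version` prints a line of the form `LibreOffice <version> <build id>` and treats branches newer than 7.3 as already carrying the fixes.

```shell
#!/bin/sh
# Classify a LibreOffice version against the fixed releases named in the
# article: 7.2.7 for the 7.2 branch and 7.3.3 for the 7.3 branch.

# Pull the dotted version out of text such as "LibreOffice 7.3.3.2 <build id>".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*LibreOffice \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "patched" or "unknown" for a dotted version string.
classify_version() {
    case "$1" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1 $2 $3 ...
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -lt 7 ]; then
        echo vulnerable            # older than any fixed release
    elif [ "$major" -gt 7 ]; then
        echo patched               # assumption: later branches include the fixes
    elif [ "$minor" -lt 2 ]; then
        echo vulnerable            # 7.0.x / 7.1.x are lower than 7.2.7
    elif [ "$minor" -eq 2 ]; then
        if [ "$patch" -lt 7 ]; then echo vulnerable; else echo patched; fi
    elif [ "$minor" -eq 3 ]; then
        if [ "$patch" -lt 3 ]; then echo vulnerable; else echo patched; fi
    else
        echo patched               # assumption: branches after 7.3 include the fixes
    fi
}

# Check the local installation, if the soffice binary is on PATH.
check_local_install() {
    raw=$(soffice --version 2>/dev/null | head -n 1)
    ver=$(extract_version "$raw")
    printf '%s: %s\n' "${ver:-no version found}" "$(classify_version "$ver")"
}

if command -v soffice >/dev/null 2>&1; then
    check_local_install
fi
```
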