LibreOffice releases software update to patch 3 new vulnerabilities

The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.

Tracked as CVE-2022-26305, the issue was described as a case of incorrect certificate validation when verifying that a macro’s signature belongs to a trusted author, leading to the execution of malicious code embedded in the macros.


“An adversary could therefore create an arbitrary certificate with a serial number and issuer chain identical to a trusted certificate that LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in incorrectly trusted macros,” LibreOffice says in a notice.
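To make the failure mode concrete, here is an added Python illustration (not LibreOffice code) of why matching a signer against a trusted certificate by issuer and serial number alone is insufficient, compared with matching on a fingerprint of the whole certificate. The certificates are constructed stand-in byte strings, not real X.509 structures.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not a real parser)."""
    issuer: str
    serial: int
    der: bytes  # the complete encoded certificate as received

    def fingerprint(self) -> str:
        # SHA-256 over the full encoding binds the identity to every field,
        # including the public key and signature, not just to metadata.
        return hashlib.sha256(self.der).hexdigest()


# Constructed trust store entry: a certificate the user previously marked as trusted.
TRUSTED = Cert(issuer="CN=Example Trusted CA", serial=0x1001,
               der=b"constructed-der:trusted-author-public-key")

# Constructed lookalike: identical issuer string and serial number, different key.
FORGED = Cert(issuer="CN=Example Trusted CA", serial=0x1001,
              der=b"constructed-der:adversary-public-key")


def is_trusted_weak(cert: Cert, trusted: Cert) -> bool:
    """Flawed pattern: compares only fields the certificate's creator chooses freely."""
    return cert.issuer == trusted.issuer and cert.serial == trusted.serial


def is_trusted_strong(cert: Cert, trusted: Cert) -> bool:
    """Hardened pattern: the whole certificate must match the trusted one."""
    return cert.fingerprint() == trusted.fingerprint()


if __name__ == "__main__":
    print("weak check accepts forged cert:", is_trusted_weak(FORGED, TRUSTED))
    print("strong check accepts forged cert:", is_trusted_strong(FORGED, TRUSTED))
```

In a real implementation the fingerprint comparison sits alongside chain validation to a trusted root; the point shown is only that issuer and serial are not an identity.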

The second flaw (CVE-2022-26306) concerns the use of a static initialization vector (IV) during encryption, which could have weakened security if a malicious actor had access to the user’s configuration information.

Finally, the updates also resolve CVE-2022-26307, in which the master key was improperly encoded, making stored passwords susceptible to brute-force attack if an adversary is in possession of the user’s configuration.


The three vulnerabilities, reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been fixed in LibreOffice versions 7.2.7, 7.3.2 and 7.3.3.

The fixes come five months after The Document Foundation fixed another incorrect certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be misused to alter documents so that they appeared to be digitally signed by a trusted source.