The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
“An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted,” LibreOffice said in an advisory.
Also resolved is the use of a static initialization vector (IV) during encryption (CVE-2022-26306) that could have weakened the security should a bad actor have access to the user’s configuration information.
Lastly, the updates also resolve CVE-2022-26307, wherein the master key was poorly encoded, rendering the stored passwords susceptible to a brute-force attack if an adversary is in possession of the user configuration.
The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
The patches come five months after the Document Foundation fixed another improper certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as if they are digitally signed by a trusted source.