
Security

If you came here looking for end-user support, please send any questions not related to a specific security bug to users@global.libreoffice.org.

The security teams for products associated with the codebase can be contacted at officesecurity@lists.freedesktop.org - this includes representatives of many vendors, and associated projects. This email address is solely for reporting security issues related to the software. If your virus checker is flagging a LibreOffice download as containing a virus, this is almost certainly a false positive. Please check with another anti-virus vendor, and/or file a bug report with them before bothering the security list. Also please consider purchasing a more accurate virus checker.

In your report, please include the following information:

  1. In what version did you identify the specific security problem
  2. If it is platform dependent, which platform are you using
  3. A proof of concept if possible

Please note that bugs which cause the application to crash, but are otherwise un-exploitable are not treated as security vulnerabilities, and finders are encouraged to diagnose and contribute fixes to recent versions of LibreOffice in the normal way.

Incident Response Procedure

  1. You privately share the details of the security vulnerability with our Security Team by emailing officesecurity@lists.freedesktop.org
  2. We acknowledge your submission and verify the vulnerability. Our first answer generally comes under 48 hours.
  3. Our policy is to disclose the vulnerability to the public within 30 days of resolution of the issue
  4. Reports will be credited in security advisories, but reporters may remain anonymous if they wish.

Security Advisories

Addressed in LibreOffice 6.3.6/6.4.3

CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not using encryption on next save

Announced: May 28, 2020

Fixed in: 6.3.6/6.4.3

Description:

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice’s default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted.

This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted.

In the fixed versions, encrypted recovered MSOffice format documents default to encrypted save.

Credits:

Thanks to Tomas Florian tomas@armoreye.ca for raising awareness of the issue

References:

CVE-2020-12801

Addressed in LibreOffice 6.2.7/6.3.1

CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check

Announced: September 6, 2019

Fixed in: 6.2.7/6.3.1

Description:

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install.

Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step.

However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step.

In the fixed versions, the parsed url describing the script location is assembled from the output of the verification step.

Credits:

Thanks to RiceX(@ricex_cc) for reporting this issue

References:

CVE-2019-9854

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution

Announced: September 6, 2019

Fixed in: 6.2.7/6.3.1

Description:

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.

LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc

Protection was added to block calling LibreLogo from script event handlers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows, where a document could trigger execution of LibreLogo via a Windows filename pseudonym (an 8.3 short name for the LibreLogo script path).

In the fixed versions, such paths are rejected.

Credits:

Thanks to alex (@insertscript) for reporting this issue

References:

CVE-2019-9855

Addressed in LibreOffice 6.2.6/6.3.1

CVE-2019-9853 Insufficient URL decoding flaw in categorizing macro location

Announced: September 27, 2019

Fixed in: 6.2.6/6.3.1

Description:

LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings; typically, execution of macros is blocked by default.

A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings.

The documents were correctly detected as containing macros, and the user was prompted about their existence within the document, but the macros were subsequently not controlled by the security settings, allowing arbitrary macro execution.

In the fixed versions, the parsed url describing the script location is correctly decoded before further processing.

Credits:

Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue

References:

CVE-2019-9853

Addressed in LibreOffice 6.2.6/6.3.0

CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution

Announced: August 15, 2019

Fixed in: 6.2.6/6.3.0

Description:

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.

LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However an insufficient url validation vulnerability in LibreOffice allowed a malicious document to bypass that protection and again trigger calling LibreLogo from script event handlers.

In the fixed versions, script urls are correctly decoded before validation.

Credits:

Thanks to alex (@insertscript) for reporting this issue

References:

CVE-2019-9850

CVE-2019-9851 LibreLogo global-event script execution

Announced: August 15, 2019

Fixed in: 6.2.6/6.3.0

Description:

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc.

In the fixed versions, global script event handlers are validated equivalently to document script event handlers.

Credits:

Thanks to Gabriel Masei of 1&1 for discovering and reporting this issue

References:

CVE-2019-9851

CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check

Announced: August 15, 2019

Fixed in: 6.2.6/6.3.0

Description:

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install.

Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack.

In the fixed versions, the parsed url describing the script location is correctly encoded before further processing.

Credits:

Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue

References:

CVE-2019-9852

Addressed in LibreOffice 6.2.5

CVE-2019-9848 LibreLogo arbitrary script execution

Announced: July 16, 2019

Fixed in: 6.2.5

Description:

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc.

LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands.

By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning.

In the fixed versions, LibreLogo cannot be called from a document event handler.

Credits:

Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue

References:

CVE-2019-9848

CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode'

Announced: July 16, 2019

Fixed in: 6.2.5

Description:

LibreOffice has a ‘stealth mode’ in which only documents from locations deemed ’trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice’s ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5.

Credits:

Thanks to Matei “Mal” Badanoiu for discovering and reporting this problem

References:

CVE-2019-9849

Addressed in LibreOffice 6.1.6/6.2.3

CVE-2019-9847 Executable hyperlink targets executed unconditionally on activation

Announced: May 8, 2019

Fixed in: 6.1.6/6.2.3

Description:

Before 6.1.6/6.2.3 under Windows and macOS when processing a hyperlink target explicitly activated by the user there was no judgment made on whether the target was an executable file, so such executable targets were launched unconditionally.

In the fixed versions, such executables are not executed on hyperlink activation.

Credits:

Thanks to Zhongcheng Li(CK01) of Pox Security Team for reporting this issue

References:

CVE-2019-9847

Addressed in LibreOffice 6.0.7/6.1.3

CVE-2018-16858 Directory traversal flaw in script execution

Announced: Feb 1, 2019

Fixed in: 6.0.7/6.1.3

Description:

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various document events such as mouse-over, etc.

Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with python, so an attacker has a set of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature which enables specifying in the document arguments to pass to the python method (Earlier series only allow a method to be called with no argument). The bundled python happens to include a method which executes via os.system one of its arguments, providing a simple route in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access is restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install.
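The four script-location advisories on this page (CVE-2018-16858, CVE-2019-9852, CVE-2019-9853 and CVE-2019-9854) describe one check and three ways it was bypassed: no containment check at all, a check run on encoded input, a check that decoded only partially, and a final path assembled from the raw input rather than from the verified result. The Python below is an added example written for this page, not LibreOffice's own code. It decodes a document-supplied script location until the result stops changing, canonicalises it under a constructed install root, confirms it lies strictly below one of the two allowed directories the advisories name, and returns only that canonical path. `INSTALL_ROOT`, `resolve_script`, `is_allowed` and the treatment of the location as a plain relative path (rather than LibreOffice's script URL syntax) are assumptions of the example.

```python
import sys
from pathlib import Path
from urllib.parse import unquote

# Constructed install root for the example; any absolute directory works.
INSTALL_ROOT = Path("/opt/libreoffice")

# The only directories a document may name scripts from (per the advisories).
ALLOWED_SUBDIRS = (("share", "Scripts", "python"), ("user", "Scripts", "python"))


class ScriptLocationError(ValueError):
    """A document-supplied script location does not resolve inside an allowed directory."""


def fully_decode(location: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that a doubly-encoded
    '..' cannot get past a check that decodes only once (CVE-2019-9852/9853)."""
    current = location
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ScriptLocationError("location is percent-encoded too many times")


def resolve_script(location: str, install_root: Path = INSTALL_ROOT) -> str:
    """Return the canonical on-disk path for a script location, or raise.

    Callers must load the script from the returned value only; rebuilding the
    path from pieces of `location` after the check is what CVE-2019-9854 was about.
    """
    decoded = fully_decode(location)
    if "\x00" in decoded:
        raise ScriptLocationError("NUL byte in script location")
    # resolve() collapses '.' and '..' and follows symlinks for parts that exist.
    # An absolute `decoded` replaces install_root entirely and therefore lands
    # outside every allowed root, which the containment check below rejects.
    candidate = (install_root / decoded).resolve()
    for parts in ALLOWED_SUBDIRS:
        root = install_root.joinpath(*parts).resolve()
        if candidate == root:
            continue  # the directory itself is not a script
        try:
            candidate.relative_to(root)  # component-wise: /a/bc is not under /a/b
        except ValueError:
            continue
        return str(candidate)
    raise ScriptLocationError(f"{location!r} resolves outside the allowed script directories")


def is_allowed(location: str, install_root: Path = INSTALL_ROOT) -> bool:
    """Convenience wrapper: True if resolve_script would accept the location."""
    try:
        resolve_script(location, install_root)
        return True
    except ScriptLocationError:
        return False


if __name__ == "__main__":
    for loc in sys.argv[1:] or ["share/Scripts/python/Capitalise.py"]:
        try:
            print(loc, "->", resolve_script(loc))
        except ScriptLocationError as err:
            print(loc, "-> rejected:", err)
```

Run it with one or more locations on the command line. The design point is that the accepted value is `candidate`, the path the containment check was performed on, so there is no second path construction left for an encoding or traversal trick to target.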

Credits:

Thanks to alex (@insertscript) for reporting this issue

References:

CVE-2018-16858

Addressed in LibreOffice 5.4.7/6.0.4

CVE-2018-10583 Information disclosure via SMB link embedded in ODF document

Announced: May 24, 2018

Addressed in: LibreOffice 5.4.7/6.0.4

Description:

A LibreOffice document with a linked image, which is on a samba share, will cause LibreOffice to automatically initiate a samba connection to retrieve the image. This is analogous to how web browsers automatically fetch images that an HTML document links to on remote web sites.

Since LibreOffice 5.4.7, and 6.0.4 in the 6.X series, end users or administrators can disable this functionality to automatically fetch such linked images via “tools->options->security->options->block any links from documents not among the trusted locations”.

References:

CVE-2018-10583

Fixed in LibreOffice 5.4.6/6.0.2

CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing

Announced: April 18, 2018

Fixed in: LibreOffice 5.4.6/6.0.2

Description:

LibreOffice before 5.4.6 and 6.x before 6.0.2 have a flaw in an edge case in processing a specific uncommon Microsoft Word record. An index into a dynamically allocated buffer is used without bounds checking.

All users are recommended to upgrade to LibreOffice >= 5.4.6 or >= 6.0.2

References:

CVE-2018-10120

Fixed in LibreOffice 5.4.5/6.0.1

CVE-2018-1055 Remote arbitrary file disclosure vulnerability via WEBSERVICE formula

Announced: February 9, 2018

Fixed in: LibreOffice 5.4.5/6.0.1

Description:

LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL (e.g file://) which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and construct a remote URL whose path leaks the local data to a remote attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now been limited to accessing http and https URLs along with bringing WEBSERVICE URLs under LibreOffice Calc’s link management infrastructure.

All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1

References:

CVE-2018-6871

CVE-2018-10119 Use After Free in Structured Storage parser

Announced: April 18, 2018

Fixed in: LibreOffice 5.4.5/6.0.1

Description:

LibreOffice before 5.4.5 and 6.x before 6.0.1 have a flaw in an edge case in processing the structured storage ole2 wrapper file format. A short datatype is used which can overflow, resulting in a write to recently freed data.

All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1

References:

CVE-2018-10119

Fixed in LibreOffice 5.2.5/5.3.0

CVE-2017-7870 Heap-buffer-overflow in WMF filter

Announced: April 21, 2017

Fixed in: LibreOffice 5.2.5/5.3.0

Description:

Windows Metafiles (WMF) can contain polygons which under certain circumstances when processed (split) can result in output polygons which have too many points to be represented by LibreOffice’s internal polygon class.

Prior to versions 5.2.5/5.3.0 this failure was undetected and a heap buffer overflow could occur as the attempt to split the polygon was assumed to succeed.

All users are recommended to upgrade to LibreOffice >= 5.2.5 or >= 5.3.0.

References:

CVE-2017-7870

CVE-2016-10327 Heap-buffer-overflow in EMF filter

Announced: April 21, 2017

Fixed in: LibreOffice 5.2.5/5.3.0

Description:

Enhanced Metafiles (EMF) can contain bitmap data preceded by a header, and a field within that header states the offset from the start of the header to the bitmap data. An EMF can be crafted to provide an illegal offset which, if not tested for validity, can trigger a heap buffer overflow.

All users are recommended to upgrade to LibreOffice >= 5.2.5 or >= 5.3.0, which sanity-test the offset before use.
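The fix described for CVE-2016-10327 is a bounds check on an attacker-controlled offset before that offset is used. The Python below is an added example, not LibreOffice's EMF filter: it parses a constructed record layout (a fixed header carrying a header size, a bitmap offset and a bitmap size, followed by any further header bytes and then the bitmap bytes) and rejects any record whose offset or size does not fit inside the bytes actually received. The layout, `extract_bitmap`, `build_record`, `is_well_formed` and the `SAMPLES` are assumptions of the example; the real EMF record structure differs.

```python
import struct
from typing import Optional

# Constructed record layout for this example (NOT the real EMF bitmap record):
#   u32 header_size | u32 bitmap_offset | u32 bitmap_size | further header bytes | bitmap bytes
HEADER_FMT = "<III"
HEADER_FIXED = struct.calcsize(HEADER_FMT)  # 12 bytes


class MalformedRecord(ValueError):
    """The record's own length fields do not fit inside the bytes received."""


def extract_bitmap(record: bytes) -> bytes:
    """Return the bitmap bytes a record points at, validating every length field first."""
    total = len(record)
    if total < HEADER_FIXED:
        raise MalformedRecord("record shorter than the fixed header")
    header_size, bitmap_offset, bitmap_size = struct.unpack_from(HEADER_FMT, record, 0)

    # Each check compares a field against the bytes that remain, never
    # `base + field` against `total`, so the same logic stays correct when
    # carried over to fixed-width (wrapping) arithmetic.
    if header_size < HEADER_FIXED or header_size > total:
        raise MalformedRecord(f"header_size {header_size} outside record")
    if bitmap_offset < header_size:
        raise MalformedRecord(f"bitmap_offset {bitmap_offset} points back into the header")
    if bitmap_offset > total:
        raise MalformedRecord(f"bitmap_offset {bitmap_offset} lies past the end of the record")
    if bitmap_size > total - bitmap_offset:
        raise MalformedRecord(f"bitmap_size {bitmap_size} exceeds the {total - bitmap_offset} bytes remaining")
    return record[bitmap_offset:bitmap_offset + bitmap_size]


def is_well_formed(record: bytes) -> bool:
    """True if extract_bitmap accepts the record, False if it raises MalformedRecord."""
    try:
        extract_bitmap(record)
        return True
    except MalformedRecord:
        return False


def build_record(bitmap: bytes, extra_header: bytes = b"",
                 bitmap_offset: Optional[int] = None,
                 bitmap_size: Optional[int] = None) -> bytes:
    """Build a record in the constructed layout; override offset/size to make malformed samples."""
    header_size = HEADER_FIXED + len(extra_header)
    offset = header_size if bitmap_offset is None else bitmap_offset
    size = len(bitmap) if bitmap_size is None else bitmap_size
    return struct.pack(HEADER_FMT, header_size, offset, size) + extra_header + bitmap


# Constructed samples: one valid record and three whose length fields lie.
SAMPLES = {
    "valid": build_record(b"\x01\x02\x03\x04", extra_header=b"\x00" * 4),
    "offset_past_end": build_record(b"\x01\x02", bitmap_offset=0x7FFFFFFF),
    "offset_into_header": build_record(b"\x01\x02", bitmap_offset=0),
    "size_too_large": build_record(b"\x01\x02", bitmap_size=3),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        verdict = "ok " + extract_bitmap(rec).hex() if is_well_formed(rec) else "rejected"
        print(f"{name}: {verdict}")
```

In Python, slicing past the end of `bytes` would merely truncate, so the explicit checks are what turn a malformed record into an error instead of silently returning the wrong bytes; in the C++ filter the same missing checks are what let the offset index past the allocation.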

References:

CVE-2017-10327

Fixed during development

CVE-2017-7856 Heap-buffer-overflow in SVM filter

Announced: April 21, 2017

Fixed in: All versions of LibreOffice

Description:

A bug existed in an unreleased version of LibreOffice between 19 Jan 2017 and 11 March 2017 and was detected by oss-fuzz and a CVE was filed for the bug. The specific problem tracked by CVE-2017-7856 was not present in any release.

References:

CVE-2017-7856

CVE-2017-7882 Heap-buffer-overflow in HWP filter

Announced: April 21, 2017

Fixed in: All versions of LibreOffice

Description:

A bug existed in an unreleased version of LibreOffice between 2 Jan 2017 and 14 March 2017 and was detected by oss-fuzz and a CVE was filed for the bug. The specific problem tracked by CVE-2017-7882 was not present in any release.

References:

CVE-2017-7882

CVE-2017-8358 Heap-buffer-overflow in JPG filter

Announced: April 30, 2017

Fixed in: All versions of LibreOffice

Description:

LibreOffice before 2017-03-17 had an out-of-bounds write caused by a heap-based buffer overflow related to the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx.

References:

CVE-2017-8358

Fixed in LibreOffice 5.1.6/5.2.2/5.3.0

CVE-2017-3157 Arbitrary file disclosure in Calc and Writer

Announced: February 22, 2017

Fixed in: LibreOffice 5.1.6/5.2.2/5.3.0

Description:

Embedded Objects in writer and calc can contain previews of their content. A document can be crafted which contains an embedded object that is a link to an existing file on the target's system. On load, the preview of the embedded object will be updated to reflect the content of the file on the target system. In the case of LibreOffice used as an online service, that preview of data on the target system could be used to expose details of the environment LibreOffice is running in. In the case of LibreOffice as a standard desktop application, the preview could be concealed in hidden sections and retrieved by the attacker if the document is saved and returned to sender.

In later versions of LibreOffice without this flaw, the LinkUpdateMode feature has been expanded to additionally control the update of previews of embedded objects, as well as its prior function of controlling the update of embedded object contents.

All users are recommended to upgrade to LibreOffice >= 5.1.6 or >= 5.2.5 or >= 5.3.0

Thanks to Ben Hayak for discovering this flaw.

References:

CVE-2017-3157

Fixed in LibreOffice 5.1.4/5.2.0

CVE-2016-4324 Dereference of invalid STL iterator on processing RTF file

Announced: June 28th, 2016

Fixed in: LibreOffice 5.1.4/5.2.0

Description:

Parsing the Rich Text Format character style index was insufficiently checked for validity. Documents can be constructed which dereference an iterator to the first entry of an empty STL container.

All users are recommended to upgrade to LibreOffice >= 5.1.4

Thanks to the researchers working with Cisco Talos Security Intelligence and Research Group for discovering this flaw.

References:

CVE-2016-4324

Fixed in LibreOffice 5.0.5/5.1.0

CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout processing

Announced: February 17, 2016

Fixed in: LibreOffice 5.0.5/5.1.0

Description:

Parsing the LwpTocSuperLayout record was insufficiently checked for validity. Documents can be constructed which cause memory corruption by overflowing the LwpTocSuperLayout buffer.

All users are recommended to upgrade to LibreOffice >= 5.0.5 or >= 5.1.0

Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.

References:

CVE-2016-0795

Fixed in LibreOffice 5.0.4/5.1.0

CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter

Announced: February 17, 2016

Fixed in: LibreOffice 5.0.4/5.1.0

Description:

Multiple offsets in parsing lwp documents were insufficiently checked for validity. Documents can be constructed which cause memory corruption by overflowing various buffer bounds.

All users are recommended to upgrade to LibreOffice >= 5.0.4 or >= 5.1.0

Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.

References:

CVE-2016-0794

Fixed in LibreOffice 5.0.2/5.1.0

CVE-2017-12607 Out-of-Bounds Write in Impress' PPT Filter

Announced: October 27, 2017

Fixed in: LibreOffice 5.0.2/5.1.0

Description:

Prior to version 5.0.2/5.1.0 a vulnerability existed in the PPT stylesheet parser that allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 5.0.2/5.1.0 due to earlier advisories.

References:

CVE-2017-12607

CVE-2017-12608 Out-of-Bounds Write in Writer's ImportOldFormatStyles

Announced: October 27, 2017

Fixed in: LibreOffice 5.0.2/5.1.0

Description:

Prior to version 5.0.2/5.1.0 a vulnerability existed in the DOC style parser that allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 5.0.2/5.1.0 due to earlier advisories.

References:

CVE-2017-12608

Fixed in LibreOffice 4.4.6/5.0.1

CVE-2015-5214 DOC Bookmark Status Memory Corruption

Announced: November 5, 2015

Fixed in: LibreOffice 4.4.6/5.0.1

Description:

The indexes into the bookmark array were insufficiently checked for validity. A document can be constructed which refers to bookmarks that don’t exist, causing memory corruption.

All users are recommended to upgrade to LibreOffice >= 4.4.6 or >= 5.0.1

References:

CVE-2015-5214

Fixed in LibreOffice 4.4.5/5.0.0

CVE-2015-4551 Arbitrary file disclosure in Calc and Writer

Announced: November 5, 2015

Fixed in: LibreOffice 4.4.5/5.0.0

Description:

The LinkUpdateMode feature controls whether documents inserted into Writer or Calc via links will either not get updated, or prompt to update, or automatically update, when the parent document is loaded. The configuration of this option was stored in the document. That flawed approach enabled documents to be crafted with links to plausible targets on the victims host computer. The contents of those automatically inserted after load links can be concealed in hidden sections and retrieved by the attacker if the document is saved and returned to sender, or via http requests if the user has selected lower security settings for that document.

All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0

Thanks to Federico “fox” Scrinzi for discovering this flaw.

References:

CVE-2015-4551

CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)

Announced: November 5, 2015

Fixed in: LibreOffice 4.4.5/5.0.0

Description:

The PrinterSetup data stored in ODF files can be of attacker-controlled variable length, but is copied into a fixed length buffer without sufficient size checks.

All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0

References:

CVE-2015-5212

CVE-2015-5213 DOC piecetable Integer Overflow

Announced: November 5, 2015

Fixed in: LibreOffice 4.4.5/5.0.0

Description:

The number of pieces in a Microsoft Word .doc file is counted via an unsigned 16 bit number. A sufficiently long document can be constructed which causes that count to overflow and insufficient memory to be allocated for the number of pieces that are copied into it.

All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0

References:

CVE-2015-5213

Fixed in LibreOffice 4.3.7/4.4.2

CVE-2015-1774 Out of bounds write in HWP file filter

Announced: April 27, 2015

Fixed in: LibreOffice 4.3.7/4.4.2

Description:

Certain crafted HWP documents can allow attackers to cause a denial of service or possibly the execution of arbitrary code by writing past the end of buffers.

All users are recommended to upgrade to LibreOffice 4.3.7 or 4.4.2.

Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.

References:

CVE-2015-1774

Fixed in LibreOffice 4.2.7/4.3.3

CVE-2014-3693 Use-After-Free in socket manager of Impress Remote

Announced: November 05, 2014

Fixed in: LibreOffice 4.2.7/4.3.3

Description:

In LibreOffice 4.0.0 and later, a new feature was added for remote control capabilities in Impress. Users can run a smart phone application to communicate with Impress over a custom protocol to switch slides and the like. By default whenever Impress is started, it immediately began listening on TCP port 1599 on all interfaces.

But there was a use after free bug in the code managing that port, leaving LibreOffice vulnerable to external attackers with access to that port, who could cause the deleted port manager to continue to process attacker-supplied data.

All users are recommended to upgrade to LibreOffice 4.2.7 or 4.3.3.

The impress remote can be disabled by:

  1. Open LibreOffice, go to “Tools -> Options…”
  2. Select “LibreOffice Impress -> General”
  3. Uncheck “Presentation -> Enable remote control”

Thanks to the researchers at the SecuriTeam Secure Disclosure project for discovering this flaw.

References:

CVE-2014-3693

Fixed in LibreOffice 4.2.6-secfix/4.3.1

CVE-2014-3524 CSV Command Injection and DDE formulas

Announced: August 21, 2014

Fixed in: LibreOffice 4.2.6-secfix/4.3.1

Description:

The vulnerability allows command injection when loading Calc spreadsheets under Windows. Specially crafted documents can be used for command-injection attacks. Other operating systems are not affected.

Windows users are recommended to upgrade their LibreOffice to 4.2.6-secfix or 4.3.1

Thanks to Rohan Durve and James Kettle of Context Information Security for discovering this flaw.

References:

CVE-2014-3524

CVE-2014-3575 Arbitrary File Disclosure using crafted OLE objects

Announced: August 21, 2014

Fixed in: LibreOffice 4.2.6-secfix/4.3.1

Description:

The vulnerability allows an attacker to send a document which when opened will trigger the prompt to “Update Links”, but even if the user cancels that prompt it may still generate and insert into the document an OLE2 preview image of a file on the victim's filesystem. Data exposure is possible if the updated document is then distributed to other parties.

All users are recommended to upgrade to LibreOffice 4.2.6-secfix or 4.3.1.

Thanks to Malte Timmermann of Open-Xchange for discovering this flaw.

References:

CVE-2014-3575

Fixed in LibreOffice 4.2.5

CVE-2014-0247 Microsoft Office VBA Macro Execution

Announced: July 10, 2014

Fixed in: LibreOffice 4.2.5

Description:

It was discovered during routine code review that LibreOffice >= 4.1.4/4.2.0 unconditionally executed certain VBA macros on loading Microsoft Office documents, contrary to user expectations.

Users are recommended to upgrade to 4.2.5.

Thanks to Stephen Bergmann of Red Hat, Inc. for discovering this flaw.

References:

CVE-2014-0247

Fixed in LibreOffice 3.6.7

CVE-2013-4156 Microsoft .docm Denial Of Service

Announced: July 26 2013

Fixed in: LibreOffice 3.6.7/4.0.4

Description:

A denial of service flaw was found in the .docm import filter of LibreOffice. An attacker could create a specially-crafted file in the .docm file format which when loaded would immediately terminate the application through a NULL dereference.

Thanks to Jeremy Brown of Microsoft Vulnerability Research for reporting this flaw. Users are recommended to upgrade to 3.6.7, 4.0.4 or 4.1.0 to avoid this flaw.

References:

Fixed in LibreOffice 3.5.7

CVE-2012-4233 Multiple file format denial of service vulnerabilities

Announced: October 31 2012

Fixed in: LibreOffice 3.5.7/3.6.1

Description:

Multiple denial of service flaws were found in various import filters of LibreOffice. An attacker could create a specially-crafted file in the .xls (Excel), .wmf (Window Meta File) or Open Document Format for Office Applications formats which when loaded would immediately terminate the application.

Thanks to High-Tech Bridge for reporting these flaws. Users are recommended to upgrade to 3.5.7 or 3.6.1 to avoid these flaws

References:

Fixed in LibreOffice 3.5.5

CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code

Announced: August 01 2012

Fixed in: LibreOffice 3.5.5/3.6.0

Description:

Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.

Thanks to Timo Warns of PRE-CERT for reporting this flaw. Users are recommended to upgrade to 3.5.5 or 3.6.0 to avoid this flaw

References:

Fixed in LibreOffice 3.5.3

CVE-2012-1149 Integer overflows in graphic object loading

Announced: May 16 2012

Fixed in: LibreOffice 3.5.3

Description:

An integer overflow vulnerability in LibreOffice graphic loading code could allow a remote attacker to cause a denial of service (application crash) or potentially execute arbitrary code on vulnerable installations of LibreOffice.

Thanks to Tielei Wang via Secunia SVCRP for reporting this flaw. Users are recommended to upgrade to 3.5.3 to avoid this flaw

References:

CVE-2012-2334 Integer overflow flaw with malformed PPT files

Announced: May 16 2012

Updated: May 29 2012

Fixed in: LibreOffice 3.5.3

Description:

An integer overflow flaw, leading to buffer overflow, was found in the way LibreOffice processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause LibreOffice to crash or, potentially, execute arbitrary code with the privileges of the user running LibreOffice.

Thanks to Sven Jacobi for reporting the initial flaw. Thanks to Florian Weimer, Red Hat Product Security Team, for identifying the possibility of integer overflow. Users are recommended to upgrade to 3.5.3 to avoid this flaw

References:

Fixed in LibreOffice 3.4.6/3.5.1

CVE-2012-0037 XML Entity Expansion flaw by processing RDF file

Announced: March 22 2012

Fixed in: LibreOffice 3.4.6/3.5.1

Description:

An XML Entity Expansion flaw was found in the way embedded Raptor library processed certain RDF and other XML-based format files. An attacker could create a specially-crafted file in an affected LibreOffice format which when opened could cause arbitrary code execution or local file inclusion.

Thanks to Timothy D. Morgan of VSR for reporting this flaw. Users are recommended to upgrade to 3.4.6 or 3.5.1 to avoid this flaw

References:

Fixed in LibreOffice 3.4.3

CVE-2011-2713 Multiple vulnerabilities in the 'Microsoft Word' (doc) binary file format importer

Announced: October 05, 2011

Fixed in: LibreOffice 3.4.3

Description:

Red Hat, Inc. security researcher Huzaifa Sidhpurwala reported multiple vulnerabilities in the binary Microsoft Word (doc) file format importer where custom crafted documents trigger out of bounds behaviour.

Thanks to Huzaifa Sidhpurwala of Red Hat Security Team for reporting this vulnerability. Users are recommended to upgrade to 3.4.3 to avoid this flaw.

References:

CVE-2013-2189 Microsoft .doc Memory Corruption Vulnerability

Announced: July 26 2013

Fixed in: LibreOffice 3.4.3

Description:

Prior to version 3.4.3 a vulnerability exists where parsing a malformed Microsoft .doc file can operate on invalid PLCF (Plex of Character Positions in File) data. Users should already have upgraded to versions >= 3.4.3 due to earlier advisories.

Thanks to Jeremy Brown of Microsoft Vulnerability Research for reporting this flaw.

References:

CVE-2017-9806 Out-of-Bounds Write in Writer's WW8Fonts Constructor

Announced: October 27, 2017

Fixed in: LibreOffice 3.4.3

Description:

Prior to version 3.4.3 a vulnerability existed in the DOC font descriptor parser, allowing attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 3.4.3 due to earlier advisories.

References:

Fixed in LibreOffice 3.3.3/3.4.0

CVE-2011-2685 Multiple vulnerabilities in the 'Lotus Word Pro' (lwp) file format importer

Announced: June 06, 2011

Fixed in: LibreOffice 3.3.3/3.4.0

Description:

CERT/CC security researchers Will Dormann and Jared Allar reported multiple vulnerabilities in the ‘Lotus Word Pro’ (lwp) file format importer.

Thanks to Will Dormann and Jared Allar of the CERT/CC for reporting these vulnerabilities.

References:

Third Party Advisories

Fixed in LibreOffice 4.2.3

CVE-2014-0160 & more (a set of vulnerabilities) TLS heartbeat read overrun (4.1 line not affected)

Announced: April 7, 2014

Fixed in: LibreOffice 4.2.3

Description:

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, aka the Heartbleed bug.

Other related vulnerabilities, also fixed:

CVE-2010-5298 CVE-2014-0224 CVE-2013-4353 CVE-2014-0195 CVE-2014-3470 CVE-2013-6449 CVE-2014-0198 CVE-2013-6450 CVE-2014-0221

Users are recommended to upgrade to 4.2.3 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of openssl.

LibreOffice 4.1 line uses an older copy of openssl that is not vulnerable.

References:

Fixed in LibreOffice 4.1.5/4.2.0

CVE-2013-1752 & CVE-2013-4238 Python Multiple Vulnerabilities

Announced: March 20, 2014

Fixed in: LibreOffice 4.1.5/4.2.0

Description:

A security issue and multiple vulnerabilities have been reported in Python, which can be exploited by malicious people to conduct spoofing attacks and cause a DoS (Denial of Service).

Users are recommended to upgrade to 4.1.5 or 4.2.0 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of python.

References:

Fixed in all versions

CVE-2018-14939 overflow at realpath, not a bug in LibreOffice

Announced: Aug 13, 2018

Fixed in: Not a Bug

Description:

CVE-2018-14939 was assigned to address an apparent buffer overflow in the get_app_path function with the suggestion that it is possible for attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site.

Our analysis is that this is not the case. get_app_path is only called with argv[0] of LO’s oosplash helper executable (installed at /usr/lib…/libreoffice/program/oosplash, called during the LO start-up sequence), so an attack would need to launch that executable with a suitably long argv[0], which is not under the control of an attacker.

References:

CVE-2018-14939

CVE-2012-2149 libwpd: Memory overwrite flaw by processing certain WordPerfect (WPD) documents. No version of LibreOffice is affected by this.

References:

CVE-2012-2149