Security
If you came here looking for end-user support, please send any questions not related to a specific security bug to users@global.libreoffice.org.
The security teams for the products built on this codebase can be contacted at officesecurity@lists.freedesktop.org; the list includes representatives of many vendors and associated projects. This address is solely for reporting security issues in the software. If your virus checker flags a LibreOffice download as containing a virus, this is almost certainly a false positive: please check with another anti-virus vendor and/or file a bug report with them before contacting the security list, and consider switching to a more accurate virus checker.
In your report, please include the following information:
- The version in which you identified the problem
- If it is platform dependent, which platform you are using
- A proof of concept, if possible
Please note that bugs which cause the application to crash but are otherwise not exploitable are not treated as security vulnerabilities; finders are encouraged to diagnose and contribute fixes to recent versions of LibreOffice in the normal way.
Incident Response Procedure
- You privately share the details of the security vulnerability with our Security Team by emailing officesecurity@lists.freedesktop.org
- We acknowledge your submission and verify the vulnerability. Our first answer generally comes under 48 hours.
- Our policy is to disclose the vulnerability to the public within 30 days of resolution of the issue
- Reports will be credited in security advisories, but reporters may remain anonymous if they wish.
Security Advisories
Addressed in LibreOffice 7.4.7/7.5.3
CVE-2023-2255 Remote documents loaded without prompt via IFrame
Announced: May 24, 2023
Fixed in: LibreOffice 7.4.7/7.5.3
Description:
LibreOffice supports “Floating Frames”, similar to an HTML iframe: the frame displays a linked document in a floating frame inside the host document.
In affected versions of LibreOffice these floating frames fetched and displayed their linked document without any prompt when the host document was loaded. This was inconsistent with other linked content such as OLE objects, Writer linked sections or Calc WEBSERVICE formulas, for which the user is warned that the document contains links and asked whether they should be allowed to update.
In versions >= 7.4.7 (and >= 7.5.3) the existing “update link” manager has been extended to also control the update of the content of floating frames, so such frames no longer refresh their content automatically unless the user agrees via the prompt.
Thanks to Amel Bouziane-Leblond for discovering this flaw.
Addressed in LibreOffice 7.4.6/7.5.1
CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing
Announced: May 24, 2023
Fixed in: LibreOffice 7.4.6/7.5.2
Description:
The Spreadsheet module of LibreOffice supports various formulas that take multiple parameters. The formulas are interpreted by ‘ScInterpreter’, which pops the required parameters for a given formula off a stack.
In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with fewer parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.
In versions >= 7.4.6 (and >= 7.5.2) the count of parameters is validated before they are used.
Credits:
- Secusmart GmbH for discovering and reporting the issue
- Eike Rathke of Red Hat, Inc. for a solution
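The parameter-count check, as an added C++ illustration that is not LibreOffice code: a toy stack interpreter in the same shape as the one described above (operands are pushed, then a function token pops the number of parameters the document claims). Token, Num, Sum, evalUnchecked and evalChecked are all constructed for this example; the real ScInterpreter, its opcodes and its error values are not modelled.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Constructed for this example: a token is either an operand or a call
// whose parameter count comes straight from the document.
struct Token {
    enum Kind { Number, Call };
    Kind kind;
    double value;     // Number: the operand
    int paramCount;   // Call: parameter count as stored in the file
};
inline Token Num(double v) { return Token{Token::Number, v, 0}; }
inline Token Sum(int n)    { return Token{Token::Call, 0.0, n}; }  // stand-in for a multi-parameter function

// Vulnerable shape: the index of the first parameter is computed as
// (stack depth - paramCount) and used without checking that the stack
// really holds that many operands. A claimed count larger than the depth
// makes `first` negative and the loop reads in front of the stack buffer.
// Only call this with well-formed input; on malformed input it is UB.
double evalUnchecked(const std::vector<Token>& tokens) {
    std::vector<double> stack;
    for (const Token& t : tokens) {
        if (t.kind == Token::Number) { stack.push_back(t.value); continue; }
        std::ptrdiff_t first = static_cast<std::ptrdiff_t>(stack.size()) - t.paramCount;
        double acc = 0.0;
        for (std::ptrdiff_t i = first; i < static_cast<std::ptrdiff_t>(stack.size()); ++i)
            acc += stack.data()[i];                     // i < 0 is the array index underflow
        stack.resize(static_cast<std::size_t>(first));  // negative -> huge size_t
        stack.push_back(acc);
    }
    return stack.empty() ? 0.0 : stack.back();
}

// Fixed shape: validate the claimed count against the stack depth before
// touching any operand, and reject the formula instead of indexing.
double evalChecked(const std::vector<Token>& tokens) {
    std::vector<double> stack;
    for (const Token& t : tokens) {
        if (t.kind == Token::Number) { stack.push_back(t.value); continue; }
        if (t.paramCount < 0 ||
            static_cast<std::size_t>(t.paramCount) > stack.size())
            throw std::runtime_error("parameter count exceeds operands on the stack");
        double acc = 0.0;
        for (int i = 0; i < t.paramCount; ++i) { acc += stack.back(); stack.pop_back(); }
        stack.push_back(acc);
    }
    if (stack.size() != 1) throw std::runtime_error("malformed formula: leftover operands");
    return stack.back();
}

// True when the checked evaluator refuses the token stream.
bool rejects(const std::vector<Token>& tokens) {
    try { evalChecked(tokens); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

evalChecked({Num(1), Num(2), Num(3), Sum(3)}) returns 6, while a stream such as {Num(1), Sum(3)}, the shape of a file claiming three parameters but supplying one, is rejected before anything is read below the stack.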
Addressed in LibreOffice 7.3.6/7.4.1
CVE-2022-3140 Macro URL arbitrary script execution
Announced: October 11, 2022
Fixed in: LibreOffice 7.3.6/7.4.1
Description:
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, ‘vnd.libreoffice.command’, specific to LibreOffice was added.
In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments, which, when clicked on or activated by document events, could result in arbitrary script execution without warning.
In versions >= 7.3.6 (and >= 7.4.1) such unwanted command URIs are blocked from execution.
Credits:
- TheSecurityDev working with Trend Micro Zero Day Initiative
Addressed in LibreOffice 7.2.7/7.3.3
CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
Announced: July 25, 2022
Fixed in: LibreOffice 7.2.7/7.3.3
Description:
LibreOffice supports storing passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.
A flaw existed where the initialization vector used for this encryption was always the same. Reusing an IV under the same key weakens the encryption and makes the stored passwords vulnerable to an attacker who has access to the user’s configuration data.
In versions >= 7.2.7 (and >= 7.3.3) a unique initialization vector is used each time a password is stored, and the user is prompted via an infobar to re-enter their master password so that any existing vulnerable stored configuration data can be re-encrypted.
Credits:
- OpenSource Security GmbH on behalf of the German Federal Office for Information Security
CVE-2022-26307 Weak Master Keys
Announced: July 25, 2022
Fixed in: LibreOffice 7.2.7/7.3.3
Description:
LibreOffice supports storing passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.
A flaw existed where the master key was poorly encoded, reducing its entropy from 128 to 43 bits and making the stored passwords vulnerable to a brute-force attack by an attacker who has access to the user’s stored configuration.
In versions >= 7.2.7 (and >= 7.3.3) the poor encoding is fixed, and the user is prompted via an infobar to re-enter their master password so that any existing vulnerable stored configuration data can be re-encrypted.
Credits:
- OpenSource Security GmbH on behalf of the German Federal Office for Information Security
Addressed in LibreOffice 7.2.7/7.3.2
CVE-2022-26305 Execution of Untrusted Macros Due to Improper Certificate Validation
Announced: July 25, 2022
Fixed in: LibreOffice 7.2.7/7.3.2
Description:
LibreOffice supports the execution of macros. By default LibreOffice executes macros only if they are stored in a trusted file location or if they are signed by a trusted certificate.
To determine whether a macro is signed by a trusted author, LibreOffice matches the certificate used with the list of trusted certificates stored in the user’s configuration database.
An Improper Certificate Validation vulnerability existed where this determination was made by matching only the serial number and issuer string of the certificate used against those of a trusted certificate. That is not sufficient to verify that the macro was actually signed with the trusted certificate: an adversary could create an arbitrary certificate with a serial number and issuer string identical to a trusted certificate, which LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in macros that were improperly trusted.
In versions >= 7.2.7 (and >= 7.3.2) certificate matching is amended to ensure the certificates match correctly.
This vulnerability is not exploitable if the macro security level is set to very high or if the user has no trusted certificates.
Credits:
- OpenSource Security GmbH on behalf of the German Federal Office for Information Security
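The matching mistake and its correction, as an added C++ illustration that is not LibreOffice code. Certificate, TrustedEntry, the two matching functions and the sample certificates are constructed for this example; the trusted-store comparison here is on the full DER bytes, whereas a real implementation would compare a digest of them (the fingerprint), which is equivalent for the point being made. Issuer and serial are fields the holder of any self-made certificate can choose freely, so they identify a certificate only among those issued by one honest CA.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// A certificate as seen by the matcher: issuer name, serial number and
// the complete encoded certificate. Constructed for this example.
struct Certificate {
    std::string issuer;
    std::string serial;             // hex, as printed by the CA
    std::vector<std::uint8_t> der;  // full DER encoding
};

// An entry in the user's trusted-certificate store.
struct TrustedEntry {
    std::string issuer;
    std::string serial;
    std::vector<std::uint8_t> der;
};

// Vulnerable shape: issuer and serial are attacker-chosen fields of a
// self-made certificate, so a forged certificate matches a trusted one.
bool isTrustedBySerialAndIssuer(const Certificate& c, const std::vector<TrustedEntry>& store) {
    for (const TrustedEntry& e : store)
        if (e.issuer == c.issuer && e.serial == c.serial) return true;
    return false;
}

// Fixed shape: the certificate that verified the macro signature must be
// the trusted certificate itself, byte for byte. Since the signature is
// checked against this certificate's own public key, a forged certificate
// can no longer borrow the trust granted to someone else's.
bool isTrustedByIdentity(const Certificate& c, const std::vector<TrustedEntry>& store) {
    for (const TrustedEntry& e : store)
        if (e.der == c.der) return true;
    return false;
}

// Constructed sample data: the certificate the user trusted, and an
// attacker-made certificate copying its issuer string and serial number
// but carrying a different (attacker-controlled) key and encoding.
inline std::vector<TrustedEntry> sampleStore() {
    return { {"CN=Example Signing CA", "0A1B2C", {0x30, 0x82, 0x01, 0x0a, 0xde, 0xad}} };
}
inline Certificate genuineCertificate() {
    return {"CN=Example Signing CA", "0A1B2C", {0x30, 0x82, 0x01, 0x0a, 0xde, 0xad}};
}
inline Certificate forgedCertificate() {
    return {"CN=Example Signing CA", "0A1B2C", {0x30, 0x82, 0x02, 0x17, 0xbe, 0xef}};
}
```

The forged certificate passes isTrustedBySerialAndIssuer and fails isTrustedByIdentity; the genuine one passes both.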
Addressed in LibreOffice 7.2.6/7.3.1
CVE-2022-38745 Empty entry in Java class path risks arbitrary code execution
Announced: March 24, 2023
Fixed in: LibreOffice 7.2.6/7.3.1
Description:
Most versions of LibreOffice support and contain components written in Java. LibreOffice extends the existing Java class path with its own internal classes.
In the affected versions of LibreOffice, if the existing class path was empty, then when Java class files were loaded the current working directory was searched for valid classes before the embedded versions were used. If an attacker sends a zip file containing a class file alongside a document then, depending on the file manager or other tool used to open the zip file, navigating to the document and launching LibreOffice to open it may leave LibreOffice’s current working directory set to the directory containing the class file, in which case there is a risk that the arbitrary code in the class file could be executed.
In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not appended to the classpath.
Credits:
- European Commission’s Open Source Programme Office for sponsoring a security bug bounty for LibreOffice
- Stephan Bergmann of Red Hat, Inc. for a solution
Addressed in LibreOffice 7.2.5/7.3.0
CVE-2021-25636 Incorrect trust validation of signature with ambiguous KeyInfo children
Announced: February 22, 2022
Fixed in: LibreOffice 7.2.5/7.3.0
Description:
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both “X509Data” and “KeyValue” children of the “KeyInfo” tag[1], which when opened caused LibreOffice to verify using the “KeyValue” but to report verification with the unrelated “X509Data” value.
In versions >= 7.2.5 (and >= 7.3.0) certificate validation is configured to only consider X509Data children to limit validation to X509 certificates only.
[1] https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo
Credits:
- Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.
- Thanks to Aleksey Sanin for advice on a solution
Addressed in LibreOffice 7.0.6/7.1.3
CVE-2021-25632 fileloc extension added to macOS executable denylist
Announced: May 18, 2021
Fixed in: LibreOffice 7.0.6/7.1.3
Description:
LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system ‘open’ utility for handling. LibreOffice contains a denylist of extensions that it blocks from passing to ‘open’ to avoid attempting to launch executables.
In versions of LibreOffice without this fix the denylist did not include the .fileloc extension, which could be used to launch an executable on the system.
In the fixed versions this extension has been blocked. All macOS users are recommended to upgrade to LibreOffice >= 7.0.6 or >= 7.1.3
Credits:
Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem
Addressed in LibreOffice 7.0.6/7.1.2
CVE-2021-25633 Content Manipulation with Double Certificate Attack
Announced: October 11, 2021
Fixed in: LibreOffice 7.0.6/7.1.2
Description:
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown.
Credits:
Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.
Thanks to Michael Stahl of allotropia software GmbH for solving this problem.
CVE-2021-25634 Timestamp Manipulation with Signature Wrapping
Announced: October 11, 2021
Fixed in: LibreOffice 7.0.6/7.1.2
Description:
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly present as a valid signature signed at the bogus signing time.
Credits:
Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.
Thanks to Michael Stahl of allotropia software GmbH for solving this problem.
Addressed in LibreOffice 7.0.5/7.1.2
CVE-2021-25631 Denylist of executable filename extensions possible to bypass under windows
Announced: April 15, 2021
Fixed in: LibreOffice 7.0.5/7.1.2
Description:
LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. LibreOffice contains a denylist of extensions that it blocks from passing to ShellExecute to avoid attempting to launch executables.
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn’t match the denylist but results in ShellExecute attempting to launch an executable type.
In the fixed versions this circumvention has been blocked. All Windows users are recommended to upgrade to LibreOffice >= 7.0.5 or >= 7.1.2
Credits:
Thanks to Lukas Euler of Positive Security for discovering and reporting this problem
Addressed in LibreOffice 7.0.5/7.1.1
CVE-2021-25635 Content Manipulation with Certificate Validation Attack
Announced: October 11, 2021
Fixed in: LibreOffice 7.0.5/7.1.1
Description:
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self-sign an ODF document with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid algorithm (or one unknown to LibreOffice); LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person.
Credits:
Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.
Addressed in LibreOffice 6.4.4
CVE-2020-12802 remote graphics contained in docx format retrieved in 'stealth mode'
Announced: Jun 08, 2020
Fixed in: 6.4.4
Description:
LibreOffice has a ‘stealth mode’ in which only documents from locations deemed ’trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice’s ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4.
Credits:
Thanks to Jens Müller of Ruhr University Bochum for discovering and reporting this problem
CVE-2020-12803 XForms submissions could overwrite local files
Announced: June 09, 2020
Fixed in: LibreOffice 6.4.4
Description:
ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted without the need for macros or other active scripting.
Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User interaction is required to submit the form, but to remove the possibility of malicious documents engineered to maximise the chance of an inadvertent submission, this feature has now been limited to http[s] URIs, removing the possibility of overwriting local files.
All users are recommended to upgrade to LibreOffice >= 6.4.4
Credits:
Thanks to Jens Müller of Ruhr University Bochum for discovering and reporting this problem
Addressed in LibreOffice 6.3.6/6.4.3
CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not using encryption on next save
Announced: May 28, 2020
Fixed in: 6.3.6/6.4.3
Description:
If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice’s default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted.
This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted.
In the fixed versions, encrypted recovered MSOffice format documents default to encrypted save.
Credits:
Thanks to Tomas Florian tomas@armoreye.ca for raising awareness of the issue
Addressed in LibreOffice 6.2.7/6.3.1
CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check
Announced: September 6, 2019
Fixed in: 6.2.7/6.3.1
Description:
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.
Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install.
Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step.
However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step.
In the fixed versions, the parsed url describing the script location is assembled from the output of the verification step.
Credits:
Thanks to RiceX(@ricex_cc) for reporting this issue
CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution
Announced: September 6, 2019
Fixed in: 6.2.7/6.3.1
Description:
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.
LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.
Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo by referring to it via a Windows short (8.3) filename alias that did not match the blocked name.
In the fixed versions, such paths are rejected.
Credits:
Thanks to alex (@insertscript) for reporting this issue
Addressed in LibreOffice 6.2.6/6.3.1
CVE-2019-9853 Insufficient URL decoding flaw in categorizing macro location
Announced: September 27, 2019
Fixed in: 6.2.6/6.3.1
Description:
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings; typically execution of macros is blocked by default.
A URL decoding flaw existed in how the URLs of the macros within the document were processed and categorized, making it possible to construct a document in which macro execution bypassed the security settings.
Such documents were correctly detected as containing macros, and the user was warned of their presence, but the macros within the document were subsequently not controlled by the security settings, allowing arbitrary macro execution.
In the fixed versions, the parsed URL describing the script location is correctly decoded before further processing.
Credits:
Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
Addressed in LibreOffice 6.2.6/6.3.0
CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0
Description:
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.
LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in LibreOffice allowed a malicious document to bypass that protection and again trigger calling LibreLogo from script event handlers.
In the fixed versions, script URLs are correctly decoded before validation.
Credits:
Thanks to alex (@insertscript) for reporting this issue
CVE-2019-9851 LibreLogo global-event script execution
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0
Description:
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse-over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc., and that path was not covered by the same check.
In the fixed versions, global script event handlers are validated equivalently to document script event handlers.
Credits:
Thanks to Gabriel Masei of 1&1 for discovering and reporting this issue
CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0
Description:
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.
Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install.
Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack.
In the fixed versions, the parsed url describing the script location is correctly encoded before further processing.
Credits:
Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
Addressed in LibreOffice 6.2.5
CVE-2019-9848 LibreLogo arbitrary script execution
Announced: July 16, 2019
Fixed in: 6.2.5
Description:
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc.
LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands.
By using the document event feature to trigger LibreLogo to execute python contained within a document, a malicious document could be constructed which would execute arbitrary python commands silently without warning.
In the fixed versions, LibreLogo cannot be called from a document event handler.
Credits:
Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode'
Announced: July 16, 2019
Fixed in: 6.2.5
Description:
LibreOffice has a ‘stealth mode’ in which only documents from locations deemed ’trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice’s ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5.
Credits:
Thanks to Matei “Mal” Badanoiu for discovering and reporting this problem
Addressed in LibreOffice 6.1.6/6.2.3
CVE-2019-9847 Executable hyperlink targets executed unconditionally on activation
Announced: May 8, 2019
Fixed in: 6.1.6/6.2.3
Description:
Before 6.1.6/6.2.3 under Windows and macOS when processing a hyperlink target explicitly activated by the user there was no judgment made on whether the target was an executable file, so such executable targets were launched unconditionally.
In the fixed versions, such executables are not executed on hyperlink activation.
Credits:
Thanks to Zhongcheng Li(CK01) of Pox Security Team for reporting this issue
Addressed in LibreOffice 6.0.7/6.1.3
CVE-2018-16858 Directory traversal flaw in script execution
Announced: Feb 1, 2019
Fixed in: 6.0.7/6.1.3
Description:
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various document events such as mouse-over, etc.
Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.
Typically LibreOffice is bundled with python, so an attacker has a set of known scripts at a known relative file system location to work with.
In the 6.1 series, the problem was compounded by an additional feature which enables specifying in the document arguments to pass to the python method (Earlier series only allow a method to be called with no argument). The bundled python happens to include a method which executes via os.system one of its arguments, providing a simple route in 6.1 to execute arbitrary commands via such a crafted document.
In the fixed versions, the relative directory flaw is fixed, and access is restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install
Credits:
Thanks to alex (@insertscript) for reporting this issue
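The script-location check that the chain of advisories above converges on (CVE-2018-16858: restrict to share/Scripts/python and user/Scripts/python; CVE-2019-9852 and CVE-2019-9853: decode the URL correctly before checking it; CVE-2019-9850: decode before validation; CVE-2019-9854: build the final location only from the sanitized output), as one added C++ example that is not LibreOffice code. percentDecodeOnce, normalizeSegments, kAllowedRoots and resolveScriptLocation are constructed for this example and operate on the path portion of a script location only; the real vnd.sun.star.script: URL syntax, the function-name and language parameters, and the filesystem lookup are not modelled.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <string>
#include <vector>

// Percent-decode exactly once. Malformed escapes are rejected, and so is a
// result that still contains '%': "%252e" decodes to "%2e", which a second,
// later decode would turn into "." (the CVE-2019-9852/9853 pattern), so it
// must never reach the path check.
std::optional<std::string> percentDecodeOnce(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2])))
            return std::nullopt;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    if (out.find('%') != std::string::npos) return std::nullopt;
    return out;
}

// Split on '/' or '\' and resolve "." and ".." lexically. A ".." that would
// climb above the start of the path makes it invalid. This is purely
// lexical: filesystem aliases such as Windows 8.3 short names
// (CVE-2019-9855) need a further check at the filesystem level.
std::optional<std::vector<std::string>> normalizeSegments(const std::string& path) {
    std::vector<std::string> segs;
    std::string cur;
    auto flush = [&]() -> bool {
        if (cur.empty() || cur == ".") { cur.clear(); return true; }
        if (cur == "..") { if (segs.empty()) return false; segs.pop_back(); cur.clear(); return true; }
        segs.push_back(cur); cur.clear(); return true;
    };
    for (char ch : path) {
        if (ch == '/' || ch == '\\') { if (!flush()) return std::nullopt; }
        else cur += ch;
    }
    if (!flush()) return std::nullopt;
    return segs;
}

// Script roots named in the advisory, relative to the install directory.
const std::vector<std::vector<std::string>> kAllowedRoots = {
    {"share", "Scripts", "python"},
    {"user", "Scripts", "python"},
};

// Verify a document-supplied script location. The returned path is built
// only from the verified, normalized segments, never from the raw input
// (the CVE-2019-9854 lesson). Returns nullopt for anything not permitted.
std::optional<std::string> resolveScriptLocation(const std::string& rawLocation) {
    auto decoded = percentDecodeOnce(rawLocation);
    if (!decoded) return std::nullopt;
    auto segs = normalizeSegments(*decoded);
    if (!segs) return std::nullopt;
    bool underRoot = false;
    for (const auto& root : kAllowedRoots)
        if (segs->size() > root.size() && std::equal(root.begin(), root.end(), segs->begin()))
            underRoot = true;
    if (!underRoot) return std::nullopt;
    const std::string& leaf = segs->back();
    if (leaf.size() < 4 || leaf.compare(leaf.size() - 3, 3, ".py") != 0) return std::nullopt;
    std::string canonical;
    for (const auto& s : *segs) canonical += "/" + s;
    return canonical;   // e.g. "/share/Scripts/python/HelloWorld.py", relative to the install
}
```

A plain traversal, an encoded one ("%2e%2e"), a double-encoded one ("%252e") and a backslash variant are all refused, and the accepted path is reassembled from the normalized segments rather than echoed from the request.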
Addressed in LibreOffice 5.4.7/6.0.4
CVE-2018-10583 Information disclosure via SMB link embedded in ODF document
Announced: May 24, 2018
Addressed in: LibreOffice 5.4.7/6.0.4
Description:
A LibreOffice document with a linked image located on a Samba (SMB) share will cause LibreOffice to automatically initiate an SMB connection to retrieve the image. This is analogous to how web browsers automatically fetch images linked from remote web sites when opening HTML documents.
Since LibreOffice 5.4.7, and 6.0.4 in the 6.x series, end users or administrators can disable the automatic fetching of such linked images via “tools->options->security->options->block any links from documents not among the trusted locations”.
Fixed in LibreOffice 5.4.6/6.0.2
CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing
Announced: April 18, 2018
Fixed in: LibreOffice 5.4.6/6.0.2
Description:
LibreOffice before 5.4.6 and 6.x before 6.0.2 have a flaw in an edge case in processing a specific uncommon Microsoft Word record. An index into a dynamically allocated buffer is used without bounds checking.
All users are recommended to upgrade to LibreOffice >= 5.4.6 or >= 6.0.2
Fixed in LibreOffice 5.4.5/6.0.1
CVE-2018-1055 Remote arbitrary file disclosure vulnerability via WEBSERVICE formula
Announced: February 9, 2018
Fixed in: LibreOffice 5.4.5/6.0.1
Description:
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.
LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL (e.g. file://), which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and construct a remote URL whose path leaks the local data to a remote attacker.
In later versions of LibreOffice without this flaw, WEBSERVICE has been limited to http and https URLs, and WEBSERVICE URLs have been brought under LibreOffice Calc’s link management infrastructure.
All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1
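The "http and https only" restriction that both this advisory and CVE-2020-12803 (XForms submissions) settle on, as an added C++ example that is not LibreOffice code. urlScheme, isAllowedRemoteTarget and isBlockedByDenylist are constructed for this example; the denylist function is included only as a contrast to show why an allowlist is the right shape, not as a description of the vulnerable code, which the advisory says accepted any URL. The scheme grammar follows RFC 3986 (a letter followed by letters, digits, "+", "-" or ".", then ":").

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Extract the URL scheme, lower-cased, or "" when there is none. Leading
// whitespace is deliberately not trimmed: " https://x" has no scheme here
// and is rejected rather than silently cleaned up.
std::string urlScheme(const std::string& url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    std::size_t i = 1;
    while (i < url.size()) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') { ++i; continue; }
        break;
    }
    if (i >= url.size() || url[i] != ':') return "";
    std::string scheme = url.substr(0, i);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    return scheme;
}

// Allowlist (the fixed shape): only http and https may be contacted, so
// file:, smb:, ftp:, drive letters and bare paths are all refused without
// having to be enumerated.
bool isAllowedRemoteTarget(const std::string& url) {
    const std::string s = urlScheme(url);
    return s == "http" || s == "https";
}

// Denylist, for contrast only: it blocks the one scheme it names and lets
// every other local or network scheme through.
bool isBlockedByDenylist(const std::string& url) {
    return urlScheme(url) == "file";
}
```

Note how "FILE:///etc/passwd", "smb://server/share", "\\server\share" and "C:\data.txt" all fail the allowlist, while only the first of them is caught by the denylist.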
CVE-2018-10119 Use After Free in Structured Storage parser
Announced: April 18, 2018
Fixed in: LibreOffice 5.4.5/6.0.1
Description:
LibreOffice before 5.4.5 and 6.x before 6.0.1 have a flaw in an edge case in processing the structured storage OLE2 wrapper file format. A short datatype is used which can overflow, resulting in a write to recently freed data.
All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1
Fixed in LibreOffice 5.2.5/5.3.0
CVE-2017-7870 Heap-buffer-overflow in WMF filter
Announced: April 21, 2017
Fixed in: LibreOffice 5.2.5/5.3.0
Description:
Windows Metafiles (WMF) can contain polygons which under certain circumstances when processed (split) can result in output polygons which have too many points to be represented by LibreOffice’s internal polygon class.
Prior to versions 5.2.5/5.3.0 this failure was undetected and a heap buffer overflow could occur as the attempt to split the polygon was assumed to succeed.
All users are recommended to upgrade to LibreOffice >= 5.2.5 or >= 5.3.0.
CVE-2016-10327 Heap-buffer-overflow in EMF filter
Announced: April 21, 2017
Fixed in: LibreOffice 5.2.5/5.3.0
Description:
Enhanced Metafiles (EMF) can contain bitmap data preceded by a header, and a field within that header states the offset from the start of the header to the bitmap data. An EMF can be crafted to provide an illegal offset which, if not tested for validity, can trigger a heap buffer overflow.
All users are recommended to upgrade to LibreOffice >= 5.2.5 or >= 5.3.0, which sanity-test the offset before use.
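The offset check, as an added C++ example that is not LibreOffice code and does not use the real EMF record layout: BitmapRecord is a simplified stand-in (a 32-bit little-endian offset followed by a 32-bit little-endian size), and extractUnchecked, extractChecked and the three sample records are constructed for this example. The point carried over from the advisory is that both the offset and the offset-plus-size end must be validated against the record length, and the addition must be done in a type wide enough not to wrap.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Simplified stand-in for a bitmap record header (constructed for this example).
struct BitmapRecord {
    std::uint32_t offset; // from the start of the header to the bitmap bytes
    std::uint32_t size;   // number of bitmap bytes
};

inline std::uint32_t readLE32(const std::uint8_t* p) {
    return std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
           (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
}

// Vulnerable shape: offset and size are trusted, so the memcpy reads past
// the end of the record. Kept for comparison; do not call it on untrusted input.
std::vector<std::uint8_t> extractUnchecked(const std::vector<std::uint8_t>& rec) {
    BitmapRecord h{readLE32(rec.data()), readLE32(rec.data() + 4)};
    std::vector<std::uint8_t> out(h.size);
    std::memcpy(out.data(), rec.data() + h.offset, h.size); // OOB read when offset+size > rec.size()
    return out;
}

// Fixed shape: every step is checked against the record length, and the
// end position is computed in 64 bits so offset + size cannot wrap.
std::optional<std::vector<std::uint8_t>> extractChecked(const std::vector<std::uint8_t>& rec) {
    if (rec.size() < 8) return std::nullopt;                      // no complete header
    BitmapRecord h{readLE32(rec.data()), readLE32(rec.data() + 4)};
    if (h.offset < 8) return std::nullopt;                        // data cannot overlap the header
    const std::uint64_t end = std::uint64_t(h.offset) + h.size;
    if (end > rec.size()) return std::nullopt;                    // offset or size points past the record
    return std::vector<std::uint8_t>(rec.begin() + static_cast<std::ptrdiff_t>(h.offset),
                                     rec.begin() + static_cast<std::ptrdiff_t>(end));
}

// Constructed sample records (header bytes, then payload).
inline std::vector<std::uint8_t> goodRecord() {
    return {8, 0, 0, 0,  3, 0, 0, 0,  0xAA, 0xBB, 0xCC};           // offset 8, size 3
}
inline std::vector<std::uint8_t> badOffsetRecord() {
    return {0x10, 0, 0, 0,  3, 0, 0, 0,  0xAA, 0xBB, 0xCC};        // offset 16 in an 11-byte record
}
inline std::vector<std::uint8_t> wrapRecord() {
    return {0xF8, 0xFF, 0xFF, 0xFF,  0x10, 0, 0, 0,  0xAA, 0xBB, 0xCC}; // offset+size wraps to 8 in 32 bits
}
```

wrapRecord is the case a 32-bit "offset + size <= length" test would wrongly accept: 0xFFFFFFF8 + 0x10 wraps to 8, which is inside the record, while the 64-bit sum is not.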
Fixed during development
CVE-2017-7856 Heap-buffer-overflow in SVM filter
Announced: April 21, 2017
Fixed in: All versions of LibreOffice
Description:
A bug existed in an unreleased version of LibreOffice between 19 Jan 2017 and 11 March 2017 and was detected by oss-fuzz and a CVE was filed for the bug. The specific problem tracked by CVE-2017-7856 was not present in any release.
CVE-2017-7882 Heap-buffer-overflow in HWP filter
Announced: April 21, 2017
Fixed in: All versions of LibreOffice
Description:
A bug existed in an unreleased version of LibreOffice between 2 Jan 2017 and 14 March 2017 and was detected by oss-fuzz and a CVE was filed for the bug. The specific problem tracked by CVE-2017-7882 was not present in any release.
CVE-2017-8358 Heap-buffer-overflow in JPG filter
Announced: April 30, 2017
Fixed in: All versions of LibreOffice
Description:
LibreOffice before 2017-03-17 had an out-of-bounds write caused by a heap-based buffer overflow related to the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx.
Fixed in LibreOffice 5.1.6/5.2.2/5.3.0
CVE-2017-3157 Arbitrary file disclosure in Calc and Writer
Announced: February 22, 2017
Fixed in: LibreOffice 5.1.6/5.2.2/5.3.0
Description:
Embedded objects in Writer and Calc can contain previews of their content. A document can be crafted which contains an embedded object that is a link to an existing file on the target's system. On load, the preview of the embedded object will be updated to reflect the content of the file on the target system. In the case of LibreOffice used as an online service, that preview of data on the target system could be used to expose details of the environment LibreOffice is running in. In the case of LibreOffice as a standard desktop application, the preview could be concealed in hidden sections and retrieved by the attacker if the document is saved and returned to sender.
In later versions of LibreOffice without this flaw, the LinkUpdateMode feature has been expanded to additionally control the update of previews of embedded objects, in addition to its prior function of controlling the update of embedded object contents.
All users are recommended to upgrade to LibreOffice >= 5.1.6 or >= 5.2.5 or >= 5.3.0
Thanks to Ben Hayak for discovering this flaw.
References:
Fixed in LibreOffice 5.1.4/5.2.0
CVE-2016-4324 Dereference of invalid STL iterator on processing RTF file
Announced: June 28th, 2016
Fixed in: LibreOffice 5.1.4/5.2.0
Description:
When parsing Rich Text Format documents, the character style index was insufficiently checked for validity. Documents can be constructed which cause an iterator to the first entry of an empty STL container to be dereferenced.
All users are recommended to upgrade to LibreOffice >= 5.1.4
Thanks to the researchers working with Cisco Talos Security Intelligence and Research Group for discovering this flaw.
References:
Fixed in LibreOffice 5.0.5/5.1.0
CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout processing
Announced: February 17, 2016
Fixed in: LibreOffice 5.0.5/5.1.0
Description:
The LwpTocSuperLayout record was insufficiently checked for validity during parsing. Documents can be constructed which cause memory corruption by overflowing the LwpTocSuperLayout buffer.
All users are recommended to upgrade to LibreOffice >= 5.0.5 or >= 5.1.0
Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.
References:
Fixed in LibreOffice 5.0.4/5.1.0
CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter
Announced: February 17, 2016
Fixed in: LibreOffice 5.0.4/5.1.0
Description:
Multiple offsets read while parsing lwp documents were insufficiently checked for validity. Documents can be constructed which cause memory corruption by overflowing various buffer bounds.
All users are recommended to upgrade to LibreOffice >= 5.0.4 or >= 5.1.0
Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.
References:
Fixed in LibreOffice 5.0.2/5.1.0
CVE-2017-12607 Out-of-Bounds Write in Impress' PPT Filter
Announced: October 27, 2017
Fixed in: LibreOffice 5.0.2/5.1.0
Description:
Prior to version 5.0.2/5.1.0 a vulnerability existed in the PPT stylesheet parser that allowed attackers to craft malicious documents causing denial of service (memory corruption and application crash) and potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 5.0.2/5.1.0 due to earlier advisories.
References:
CVE-2017-12608 Out-of-Bounds Write in Writer's ImportOldFormatStyles
Announced: October 27, 2017
Fixed in: LibreOffice 5.0.2/5.1.0
Description:
Prior to version 5.0.2/5.1.0 a vulnerability existed in the DOC style parser that allowed attackers to craft malicious documents causing denial of service (memory corruption and application crash) and potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 5.0.2/5.1.0 due to earlier advisories.
References:
Fixed in LibreOffice 4.4.6/5.0.1
CVE-2015-5214 DOC Bookmark Status Memory Corruption
Announced: November 5, 2015
Fixed in: LibreOffice 4.4.6/5.0.1
Description:
The indexes into the bookmark array were insufficiently checked for validity. A document can be constructed which refers to bookmarks that don't exist, causing memory corruption.
All users are recommended to upgrade to LibreOffice >= 4.4.6 or >= 5.0.1
References:
Fixed in LibreOffice 4.4.5/5.0.0
CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
Announced: November 5, 2015
Fixed in: LibreOffice 4.4.5/5.0.0
Description:
The LinkUpdateMode feature controls whether documents inserted into Writer or Calc via links will not be updated, prompt for an update, or be updated automatically when the parent document is loaded. The configuration of this option was stored in the document. That flawed approach enabled documents to be crafted with links to plausible targets on the victim's host computer. The contents of those links, inserted automatically after load, can be concealed in hidden sections and retrieved by the attacker if the document is saved and returned to sender, or via http requests if the user has selected lower security settings for that document.
All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0
Thanks to Federico “fox” Scrinzi for discovering this flaw.
References:
CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
Announced: November 5, 2015
Fixed in: LibreOffice 4.4.5/5.0.0
Description:
The PrinterSetup data stored in ODF files can be of attacker-controlled variable length, but is copied into a fixed-length buffer without sufficient size checks.
All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0
References:
CVE-2015-5213 DOC piecetable Integer Overflow
Announced: November 5, 2015
Fixed in: LibreOffice 4.4.5/5.0.0
Description:
The number of pieces in a Microsoft Word .doc file is counted via an unsigned 16-bit number. A sufficiently long document can be constructed which causes that count to overflow, so that insufficient memory is allocated for the number of pieces that are then copied into it.
All users are recommended to upgrade to LibreOffice >= 4.4.5 or >= 5.0.0
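CVE-2015-5212 and CVE-2015-5213 above are two faces of the same length-handling problem: a size taken from the file is either used directly as a copy length into a fixed buffer, or is narrowed into a 16-bit counter before the allocation that depends on it. The following is an added illustration written for this page, not LibreOffice's ODF or .doc code; the record layout (a 4-byte little-endian length prefix), the buffer size `kSetupBufSize`, and the assumed piece-table geometry of 12 bytes per piece plus 4 bytes of overhead are constructed for the example. It places the unchecked shapes beside checked readers that validate the length against both the destination capacity and the bytes actually present, and keep the piece count in a wide type.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <optional>
#include <vector>

// Constructed input model (not a real ODF or .doc structure): a record is a
// 4-byte little-endian length followed by that many payload bytes.
struct Cursor {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;

    size_t remaining() const { return buf.size() - pos; }

    std::optional<uint32_t> readU32() {
        if (remaining() < 4) return std::nullopt;
        uint32_t v = uint32_t(buf[pos]) | (uint32_t(buf[pos + 1]) << 8)
                   | (uint32_t(buf[pos + 2]) << 16) | (uint32_t(buf[pos + 3]) << 24);
        pos += 4;
        return v;
    }
};

// --- CVE-2015-5212 pattern: variable-length data into a fixed buffer ---
constexpr size_t kSetupBufSize = 64;  // assumed buffer size, chosen for the example

struct PrinterSetup {
    std::array<uint8_t, kSetupBufSize> data{};
    size_t used = 0;
};

// Vulnerable shape (shown for contrast; never called with untrusted input
// here): the file-supplied length is used directly as the memcpy size, so any
// value above kSetupBufSize writes past the end of `setup.data`.
void copyPrinterSetupUnchecked(PrinterSetup& setup, const uint8_t* src, uint32_t len) {
    std::memcpy(setup.data.data(), src, len);
    setup.used = len;
}

// Hardened form: the length is checked against the destination capacity and
// against the bytes actually remaining before a single byte is copied.
std::optional<PrinterSetup> readPrinterSetup(Cursor& in) {
    auto len = in.readU32();
    if (!len) return std::nullopt;
    if (*len > kSetupBufSize || *len > in.remaining()) return std::nullopt;
    PrinterSetup setup;
    std::memcpy(setup.data.data(), in.buf.data() + in.pos, *len);
    setup.used = *len;
    in.pos += *len;
    return setup;
}

// --- CVE-2015-5213 pattern: a count derived from a length, stored in 16 bits ---
// Assumed geometry for the example: 12 bytes per piece plus 4 bytes overhead.
constexpr uint32_t kPieceTableOverhead = 4;
constexpr uint32_t kBytesPerPiece = 12;

// Vulnerable shape: the arithmetic is fine, but storing the result in a 16-bit
// variable silently reduces it modulo 65536. Allocating for the truncated
// value and then copying the true number of pieces overflows the allocation.
uint16_t truncatedPieceCount(uint32_t tableLen) {
    return static_cast<uint16_t>((tableLen - kPieceTableOverhead) / kBytesPerPiece);
}

// Hardened form: keep the count in a wide type, require the table to fit in
// the available data and to decompose into whole pieces, and refuse any count
// the 16-bit field could not represent, so the allocation cannot be undersized.
std::optional<uint32_t> validatedPieceCount(uint32_t tableLen, size_t available) {
    if (tableLen < kPieceTableOverhead || tableLen > available) return std::nullopt;
    if ((tableLen - kPieceTableOverhead) % kBytesPerPiece != 0) return std::nullopt;
    uint32_t n = (tableLen - kPieceTableOverhead) / kBytesPerPiece;
    if (n > std::numeric_limits<uint16_t>::max()) return std::nullopt;
    return n;
}

// Builds a constructed record: length prefix plus `payloadBytes` filler bytes.
// `declaredLen` may deliberately disagree with `payloadBytes` to model a file
// that claims more data than it carries.
std::vector<uint8_t> makeRecord(uint32_t declaredLen, size_t payloadBytes) {
    std::vector<uint8_t> v = { uint8_t(declaredLen), uint8_t(declaredLen >> 8),
                               uint8_t(declaredLen >> 16), uint8_t(declaredLen >> 24) };
    v.insert(v.end(), payloadBytes, 0xAB);
    return v;
}
```

A table of 65537 pieces occupies 12 * 65537 + 4 bytes; `truncatedPieceCount` reports 1 for it, which is exactly the undersized allocation the advisory describes, while `validatedPieceCount` rejects it outright.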
References:
Fixed in LibreOffice 4.3.7/4.4.2
CVE-2015-1774 Out of bounds write in HWP file filter
Announced: April 27, 2015
Fixed in: LibreOffice 4.3.7/4.4.2
Description:
Certain crafted HWP documents can allow attackers to cause a denial of service or possibly the execution of arbitrary code by writing past the end of buffers.
All users are recommended to upgrade to LibreOffice 4.3.7 or 4.4.2.
Thanks to the researchers working with VeriSign iDefense Labs for discovering this flaw.
References:
Fixed in LibreOffice 4.2.7/4.3.3
CVE-2014-3693 Use-After-Free in socket manager of Impress Remote
Announced: November 05, 2014
Fixed in: LibreOffice 4.2.7/4.3.3
Description:
In LibreOffice 4.0.0 and later, a new feature was added for remote control of Impress. Users can run a smartphone application that communicates with Impress over a custom protocol to switch slides and the like. By default, whenever Impress is started it immediately begins listening on TCP port 1599 on all interfaces.
However, a use-after-free bug in the code managing that port left LibreOffice vulnerable to external attackers with access to it: such attackers could cause the already-deleted port manager to continue processing attacker-supplied data.
All users are recommended to upgrade to LibreOffice 4.2.7 or 4.3.3.
The Impress remote can be disabled as follows:
- Open LibreOffice, go to “Tools -> Options…”
- Select “LibreOffice Impress -> General”
- Uncheck “Presentation -> Enable remote control”
Thanks to the researchers at the SecuriTeam Secure Disclosure project for discovering this flaw.
References:
Fixed in LibreOffice 4.2.6-secfix/4.3.1
CVE-2014-3524 CSV Command Injection and DDE formulas
Announced: August 21, 2014
Fixed in: LibreOffice 4.2.6-secfix/4.3.1
Description:
The vulnerability allows command injection when loading specially crafted Calc spreadsheets under Windows. Other operating systems are not affected.
Windows users are recommended to upgrade their LibreOffice to 4.2.6-secfix or 4.3.1
Thanks to Rohan Durve and James Kettle of Context Information Security for discovering this flaw.
References:
CVE-2014-3575 Arbitrary File Disclosure using crafted OLE objects
Announced: August 21, 2014
Fixed in: LibreOffice 4.2.6-secfix/4.3.1
Description:
The vulnerability allows an attacker to send a document which, when opened, triggers the prompt to "Update Links"; even if the user cancels that prompt, an OLE2 preview image of a file on the victim's filesystem may still be generated and inserted into the document. Data exposure is possible if the updated document is then distributed to other parties.
All users are recommended to upgrade to LibreOffice 4.2.6-secfix or 4.3.1.
Thanks to Malte Timmermann of Open-Xchange for discovering this flaw.
References:
Fixed in LibreOffice 4.2.5
CVE-2014-0247 Microsoft Office VBA Macro Execution
Announced: July 10, 2014
Fixed in: LibreOffice 4.2.5
Description:
It was discovered during routine code review that LibreOffice >= 4.1.4/4.2.0 unconditionally executed certain VBA macros on loading Microsoft Office documents, contrary to user expectations.
Users are recommended to upgrade to 4.2.5.
Thanks to Stephen Bergmann of Red Hat, Inc. for discovering this flaw.
References:
Fixed in LibreOffice 3.6.7
CVE-2013-4156 Microsoft .docm Denial Of Service
Announced: July 26 2013
Fixed in: LibreOffice 3.6.7/4.0.4
Description:
A denial of service flaw was found in the .docm import filter of LibreOffice. An attacker could create a specially-crafted file in the .docm file format which, when loaded, would immediately terminate the application through a NULL dereference.
Thanks to Jeremy Brown of Microsoft Vulnerability Research for reporting this flaw. Users are recommended to upgrade to 3.6.7, 4.0.4 or 4.1.0 to avoid this flaw.
References:
Fixed in LibreOffice 3.5.7
CVE-2012-4233 Multiple file format denial of service vulnerabilities
Announced: October 31 2012
Fixed in: LibreOffice 3.5.7/3.6.1
Description:
Multiple denial of service flaws were found in various import filters of LibreOffice. An attacker could create a specially-crafted file in the .xls (Excel), .wmf (Windows Metafile) or Open Document Format for Office Applications formats which, when loaded, would immediately terminate the application.
Thanks to High-Tech Bridge for reporting these flaws. Users are recommended to upgrade to 3.5.7 or 3.6.1 to avoid these flaws.
References:
Fixed in LibreOffice 3.5.5
CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code
Announced: August 01 2012
Fixed in: LibreOffice 3.5.5/3.6.0
Description:
Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.
Thanks to Timo Warns of PRE-CERT for reporting this flaw. Users are recommended to upgrade to 3.5.5 or 3.6.0 to avoid this flaw.
References:
Fixed in LibreOffice 3.5.3
CVE-2012-1149 Integer overflows in graphic object loading
Announced: May 16 2012
Fixed in: LibreOffice 3.5.3
Description:
An integer overflow vulnerability in LibreOffice graphic loading code could allow a remote attacker to cause a denial of service (application crash) or potentially execute arbitrary code on vulnerable installations of LibreOffice.
Thanks to Tielei Wang via Secunia SVCRP for reporting this flaw. Users are recommended to upgrade to 3.5.3 to avoid this flaw.
References:
CVE-2012-2334 Integer overflow flaw with malformed PPT files
Announced: May 16 2012
Updated: May 29 2012
Fixed in: LibreOffice 3.5.3
Description:
An integer overflow flaw, leading to a buffer overflow, was found in the way LibreOffice processed invalid Escher graphics record lengths in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause LibreOffice to crash or, potentially, execute arbitrary code with the privileges of the user running LibreOffice.
Thanks to Sven Jacobi for reporting the initial flaw. Thanks to Florian Weimer, Red Hat Product Security Team, for identifying the possibility of an integer overflow. Users are recommended to upgrade to 3.5.3 to avoid this flaw.
References:
Fixed in LibreOffice 3.4.6/3.5.1
CVE-2012-0037 XML Entity Expansion flaw by processing RDF file
Announced: March 22 2012
Fixed in: LibreOffice 3.4.6/3.5.1
Description:
An XML Entity Expansion flaw was found in the way the embedded Raptor library processed certain RDF and other XML-based format files. An attacker could create a specially-crafted file in an affected LibreOffice format which, when opened, could cause arbitrary code execution or local file inclusion.
Thanks to Timothy D. Morgan of VSR for reporting this flaw. Users are recommended to upgrade to 3.4.6 or 3.5.1 to avoid this flaw.
References:
Fixed in LibreOffice 3.4.3
CVE-2011-2713 Multiple vulnerabilities in the 'Microsoft Word' (doc) binary file format importer
Announced: October 05, 2011
Fixed in: LibreOffice 3.4.3
Description:
Red Hat, Inc. security researcher Huzaifa Sidhpurwala reported multiple vulnerabilities in the binary Microsoft Word (doc) file format importer where custom crafted documents trigger out of bounds behaviour.
Thanks to Huzaifa Sidhpurwala of Red Hat Security Team for reporting this vulnerability. Users are recommended to upgrade to 3.4.3 to avoid this flaw.
References:
CVE-2013-2189 Microsoft .doc Memory Corruption Vulnerability
Announced: July 26 2013
Fixed in: LibreOffice 3.4.3
Description:
Prior to version 3.4.3 a vulnerability exists where parsing a malformed Microsoft .doc file can operate on invalid PLCF (Plex of Character Positions in File) data. Users should already have upgraded to versions >= 3.4.3 due to earlier advisories.
Thanks to Jeremy Brown of Microsoft Vulnerability Research for reporting this flaw.
References:
CVE-2017-9806 Out-of-Bounds Write in Writer's WW8Fonts Constructor
Announced: October 27, 2017
Fixed in: LibreOffice 3.4.3
Description:
Prior to version 3.4.3 a vulnerability existed in the DOC font descriptor parser that allowed attackers to craft malicious documents causing denial of service (memory corruption and application crash) and potentially resulting in arbitrary code execution. Users should already have upgraded to versions >= 3.4.3 due to earlier advisories.
References:
Fixed in LibreOffice 3.3.3/3.4.0
CVE-2011-2685 Multiple vulnerabilities in the 'Lotus Word Pro' (lwp) file format importer
Announced: June 06, 2011
Fixed in: LibreOffice 3.3.3/3.4.0
Description:
CERT/CC security researchers Will Dormann and Jared Allar reported multiple vulnerabilities in the ‘Lotus Word Pro’ (lwp) file format importer.
Thanks to Will Dormann and Jared Allar of the CERT/CC for reporting these vulnerabilities.
References:
- CVE-2011-2685
- US-CERT: VU#953183
Third Party Advisories
Fixed in LibreOffice 4.2.3
CVE-2014-0160 & more (a set of vulnerabilities) TLS heartbeat read overrun (4.1 line not affected)
Announced: April 7, 2014
Fixed in: LibreOffice 4.2.3
Description:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, aka the Heartbleed bug.
Other related vulnerabilities, also fixed:
CVE-2010-5298 CVE-2014-0224 CVE-2013-4353 CVE-2014-0195 CVE-2014-3470 CVE-2013-6449 CVE-2014-0198 CVE-2013-6450 CVE-2014-0221
Users are recommended to upgrade to 4.2.3 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of openssl.
LibreOffice 4.1 line uses an older copy of openssl that is not vulnerable.
References:
Fixed in LibreOffice 4.1.5/4.2.0
CVE-2013-1752 & CVE-2013-4238 Python Multiple Vulnerabilities
Announced: March 20, 2014
Fixed in: LibreOffice 4.1.5/4.2.0
Description:
A security issue and multiple vulnerabilities have been reported in Python, which can be exploited by malicious people to conduct spoofing attacks and cause a DoS (Denial of Service).
Users are recommended to upgrade to 4.1.5 or 4.2.0 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of python.
References:
Fixed in all versions
CVE-2018-14939 overflow at realpath, not a bug in LibreOffice
Announced: Aug 13, 2018
Fixed in: Not a Bug
Description:
CVE-2018-14939 was assigned to address an apparent buffer overflow in the get_app_path function with the suggestion that it is possible for attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site.
Our analysis is that this is not the case. get_app_path is only called with argv[0] of LO's oosplash helper executable (installed at /usr/lib…/libreoffice/program/oosplash and called during the LO start-up sequence), so an attack would need to launch that executable with a suitably long argv[0], which is not under the control of an attacker.
References:
CVE-2012-2149 libwpd: Memory overwrite flaw when processing certain WordPerfect (WPD) files. No version of LibreOffice is affected by this.
References: