Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.1799 libreoffice security update 27 March 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libreoffice Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-26307 CVE-2022-26306 CVE-2022-26305 CVE-2022-3140 CVE-2021-25636 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html Comment: CVSS (Max): 8.8 CVE-2022-26307 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3368-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Bastien Roucaries March 26, 2023 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : libreoffice Version : 1:6.1.5-3+deb10u8 CVE ID : CVE-2021-25636 CVE-2022-3140 CVE-2022-26305 CVE-2022-26306 CVE-2022-26307 Multiple vulnerabilities were found in LibreOffice an office productivity software suite, leading to arbitrary script execution, improper certificate validation, and weak encryption of password storage in the users configuration database. CVE-2021-25636 Only use X509Data LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. CVE-2022-3140 Insufficient validation of "vnd.libreoffice.command" URI schemes. LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. CVE-2022-26305 Compare authors using Thumbprint An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted. CVE-2022-26306 LibreOffice supports the storage of passwords for web connections in the users configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data CVE-2022-26307 Add Initialization Vectors to password storage. LibreOffice supports the storage of passwords for web connections in the users configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. For Debian 10 buster, these problems have been fixed in version 1:6.1.5-3+deb10u8. We recommend that you upgrade your libreoffice packages. For the detailed security status of libreoffice please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libreoffice Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmQgs3wACgkQADoaLapB CF8IjhAApxk511xV1DzvjVNvnTOapgdiC8UENPV4lWHWHZUvoB2VoZ49aK988HYM Ktv27cR8xG60e84ExNpGdhPON8Ql44GJXMMWIV4l75JdwgixkMuJiIs0W9nV98Cx lA5a4abjrCRlIU5q2JpEhVzx+/8deRlp8ye9Zi0qbFbhsaKv2Q0YuuJucohWpn/B +ad94pezaRIHXJJJd/crvLeEhm1AvszT+PPEaXukF8UxU8XTyZzqlaOTEPoNSfLB nu3odMcjwWYUcJ5E9FWAJyrJLZVpotWmMm7UF5atc8WBDVrSLuq2YjXMOMzznZl9 map067Tm59B70amU1j8/XIrR8b4VArmNBL770t9TMU12RZ4viVZRL94Lartxu/BA rRwxMlvLjAtkPtojl/sYHonKHjwkOZ/nL56RbcSCOTKXwjLy5g+mAZhQS8ix0ezw /FkRdHYDex0Yr+Ny6nfvHihczO408BewmZVo/OTKg3bfsB28yVf7/TUFQoC4P70b 8mheRew+Yed7uF7j7v2gL9gyFrg4uzSMLB5lLLBmuuUOTZ17XpmFQT2g/kpNiELF Pgzqy5g9T4YLXHffgPwzXCiN6jLe3mj/4NCRMBHS4F6naNgUiUoq0E+ylTKQCG7I KecLpVV/XPB2xi9V+YHyvsB2up+OFanLB/dETsmr+Ha0A8cHPFk= =lpEN - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZCDzJckNZI30y1K9AQgb0g/+MX1mSILt48ffNx6sm1ymVKN4XVh2pZJ/ TfINOjcX6m+cD02NbbJqj+Y4Bo1uB4j70WiFxAMcyrcmDTYxly9keEwnQpeQrn0T udX6rg3lrtO+r1SDgLPAcEMGaBVtYlkKHUA6JrbXDEuX23M1MbbZisrqLP9ryR9V Nj+ImIA0JJSogXklLtPmP9m6in+vzLdh/NdAtCyrDqYb4p8DB+uaDfviWYSE7EBc jCUiZ8KdTJD3KMSrgA0Kvo6cEPzjx3lmtIhFHDgE1sADrk9maJctG13NITEm4noG phqx5c8Nabgug0h1UvOlbUrNk/aYpw68Ma0SwHMItToUilEiksC9pCnKexpLBhZE E2e20QA/Zw9d1RdUHELF2p8cEr0mozAQV5gYeUl04uEUqTUJB8GcMVgTIKLUDAhA Jt3NFPHgnkjq91LXP8ReK501TdaMgIzPBmpXdJOCbP8PJBcm0O9/srFTzqCr6Rhj sU1OsOFRUwgpMr/x4ztF8pRh5DRKvKBoDvv/EsTpbvVQLslihD33QFqTvFaG2r6Z yVgKjkIQoU3Pr8MGHgtgpmPAwMOdG31pBe7G166aJyYmBdIBRcMP/2G2ppGr55WI zDPBjxnlGpQ4Mby1LaJMxaVnj0Ku1UBb8rF6dUQx2YzGvsoxI/FfKvqpy9pE+hJs S4xFc2Wlq48= =gyM7 -----END PGP SIGNATURE-----