[tdf-discuss] security related information, CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307

Caolán McNamara <caolanm -AT- redhat.com>

Mon, 25 Jul 2022 12:17:08 +0100

tl:dr upgrade LibreOffice 7-2 to 7.2.7, and/or upgrade LibreOffice 7-3 to 7.3.3 CVE-2022-26305 Execution of Untrusted Macros Due to Improper Certificate Validation Due to a poor mechanism for comparing the authors of certificates it was possible to make a digitally signed document containing macros incorrectly appear as if it was signed by a trusted author (if the user had configured trusted certificates). Fixed in 7.2.7 and 7.3.2 https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305 --- LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. There were two problems here: CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password The same initial vector for the encryption process was used for all encryption, leaving the password potentially vulnerable to recovery if an attacker gained access to the users config data. Fixed in 7.2.7 and 7.3.3 https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306 and CVE-2022-26307 Weak Master Keys A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. Fixed in 7.2.7 and 7.3.3 https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307 For CVE-2022-26306 and CVE-2022-26307 newly saved password information is saved using a more secure mechanism. In order to deal with old preexisting vulnerable data, if the old format is detected in the user's config during application startup then an infobar prompts the user to reenter your password in order to trigger replacing that old data with the new format. -- To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy

Context

[tdf-discuss] security related information, CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307 · Caolán McNamara

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.