[tdf-discuss] security related information: CVE-2022-38745

tl;dr: upgrade to LibreOffice >= 7.2.6 or >= 7.3.1, (which was already
recommended)

https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745

CVE-2022-38745: Empty entry in Java class path risks arbitrary code
execution

Fixed in: LibreOffice 7.2.6/7.3.1

Description:

Most versions of LibreOffice support and contain components written in
Java. LibreOffice extends the existing Java class path with its own
internal classes.

In the affected versions of LibreOffice if the existing class path was
empty, then when Java class files are loaded, the current working
directory is searched for valid classes before using the embedded
versions. If an attacker sends a zip file containing a class file
alongside a document then depending on the file manager or other tool
used to open the zip file, navigate to the document and launch
LibreOffice to open it, then the current working directory of
LibreOffice may be the directory in which the class file exists, in
which case there is a risk that the arbitrary code of the class file
could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not
appended to the classpath


-- 
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy