tl;dr Upgrade to 7.6.7 or 24.2.3
---
CVE-2024-3044: Graphic on-click binding allows unchecked script
execution
Fixed in: LibreOffice 7.6.7/24.2.3
Description:
LibreOffice supports binding scripts to click events on graphics. In
affected version of LibreOffice there are scenarios where built-in
scripts can be executed without warning if the user clicks on a
document with such on-click handlers.
In early versions of LibreOffice these scripts were deemed trusted, but
are now deemed untrusted.
In the fixed versions the user's explicit macro execution permissions
for the document, determined at load time, are used for these handlers.
Users are recommended to upgrade to 7.6.7 or 24.2.3 to avoid this flaw.
Thanks to Amel Bouziane-Leblond for for finding and reporting this
issue.
--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy
Context
- [tdf-discuss] security related information: CVE-2024-3044 · Caolán McNamara
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.