Package | libreoffice |
---|---|
Version | 1:6.1.5-3+deb9u6 (stretch), 1:6.1.5-3+deb10u15 (buster) |
Related CVEs | CVE-2024-12425 CVE-2024-12426 |
LibreOffice, an office productivity software suite, was affected by two vulnerabilities.
CVE-2024-12425
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was found
in The Document Foundation LibreOffice and allows Absolute Path Traversal. An attacker can write to arbitrary
locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files.
CVE-2024-12426
An Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability
was found in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental
variables or INI file values, so potentially sensitive information could be exfiltrated
to a remote server on opening a document containing such links.
For Debian 10 buster, these problems have been fixed in version 1:6.1.5-3+deb10u15.
For Debian 9 stretch, these problems have been fixed in version 1:6.1.5-3+deb9u6.
We recommend that you upgrade your libreoffice packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.