Package | libreoffice |
---|---|
Version | 1:6.1.5-3+deb9u5 (stretch), 1:6.1.5-3+deb10u14 (buster) |
Related CVEs | CVE-2024-7788 |
A vulnerability was found in libreoffice, a popular office productivity suite.
CVE-2024-7788:
Various file formats are based on the zip file format. In cases of corruption of the underlying zip's central directory, LibreOffice offers a "repair mode" which will attempt to recover the zip file structure by scanning for secondary local file headers in the zip to reconstruct the document.
Prior to this fix, in the case of digitally signed zip files, an attacker could construct a document which, when repaired, reported a signature status not valid for the recovered file.
Previously, if verification failed, the user could choose to ignore the failure and enable the macros anyway.
Repair document mode has to be inherently tolerant, so now in fixed versions all signatures are implied to be invalid in recovery mode.
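A triage check for the condition described above, as an added example that is not part of the advisory or of LibreOffice's code: it reports whether a document's central directory is readable and which local file headers a raw scan finds that the directory does not list. The function names and the sample entry names are assumptions, and the signature scan is a heuristic.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
LOCAL_HDR_LEN = 30         # fixed-size part of a local file header


def scan_local_headers(data):
    """Map offset -> entry name for each local header found by a raw scan.

    Heuristic: the signature bytes can also occur inside entry data.
    """
    found = {}
    pos = data.find(LOCAL_SIG)
    while pos != -1:
        if pos + LOCAL_HDR_LEN <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            raw = data[pos + LOCAL_HDR_LEN:pos + LOCAL_HDR_LEN + name_len]
            found[pos] = raw.decode("utf-8", "replace")
        pos = data.find(LOCAL_SIG, pos + 4)
    return found


def audit_zip(data):
    """Compare the central directory with what a header scan recovers."""
    scanned = scan_local_headers(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            listed = {info.header_offset for info in zf.infolist()}
        directory_ok = True
    except zipfile.BadZipFile:
        listed, directory_ok = set(), False
    unlisted = sorted(n for off, n in scanned.items() if off not in listed)
    return {"central_directory_ok": directory_ok, "unlisted_entries": unlisted}


def build_sample(entries):
    """Constructed sample: an in-memory zip with stored (uncompressed) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed input; the entry names are sample values, not from the advisory.
INTACT = build_sample({"content.xml": b"<doc/>", "META-INF/documentsignatures.xml": b"<sig/>"})
DAMAGED = INTACT[:INTACT.rfind(EOCD_SIG)]  # end-of-central-directory record lost

if __name__ == "__main__":
    for label, blob in (("intact", INTACT), ("damaged", DAMAGED)):
        print(label, audit_zip(blob))
```

A document for which `central_directory_ok` is false can only be opened through repair mode, where fixed versions treat every signature as invalid.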
For Debian 10 buster, these problems have been fixed in version 1:6.1.5-3+deb10u14.
For Debian 9 stretch, these problems have been fixed in version 1:6.1.5-3+deb9u5.
We recommend that you upgrade your libreoffice packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.