Package | libreoffice |
---|---|
Version | 1:4.3.3-2+deb8u14 (jessie) |
Related CVEs | CVE-2023-0950 |
An arbitrary code execution vulnerability was found in LibreOffice, an office productivity software suite.
CVE-2023-0950
An Improper Validation of Array Index vulnerability was present in the spreadsheet component of LibreOffice. This allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice, certain malformed spreadsheet formulas, such as AGGREGATE, could be created with fewer parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.
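The class of check whose absence is described above, shown on a simplified model of a formula interpreter's operand stack. This is an added illustration, not LibreOffice or Debian code; the stack layout, the names `eval_aggregate_model` and `run_formula`, and the function ids are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define STACK_MAX 16
#define AGG_MIN_PARAMS 3   /* toy layout: func_id, option, value1 [, value2 ...] */
enum { EVAL_OK = 0, EVAL_ERR_PARAMS = -1, EVAL_ERR_STACK = -2 };

typedef struct {
    double slots[STACK_MAX];
    size_t sp;                 /* number of operands currently pushed */
} formula_stack;

/* Evaluate the toy aggregate. `declared` is the parameter count read from
 * the untrusted document, so it is validated before any index is derived. */
int eval_aggregate_model(formula_stack *st, size_t declared, double *out)
{
    if (declared < AGG_MIN_PARAMS)      /* too few: fixed offsets would fall below slot 0 */
        return EVAL_ERR_PARAMS;
    if (declared > st->sp)              /* count disagrees with the real stack depth */
        return EVAL_ERR_STACK;
    size_t base = st->sp - declared;    /* cannot wrap after the checks above */
    int func_id = (int)st->slots[base]; /* 0 = sum, 1 = max (constructed ids) */
    double acc = st->slots[base + 2];
    for (size_t i = base + 3; i < st->sp; i++) {
        double v = st->slots[i];
        if (func_id == 1) acc = v > acc ? v : acc;
        else acc += v;
    }
    st->sp = base;                      /* pop the consumed operands */
    *out = acc;
    return EVAL_OK;
}

/* Push `n` operands and evaluate, as a loader would for one formula token. */
int run_formula(const double *args, size_t n, double *out)
{
    formula_stack st = { {0}, 0 };
    if (n > STACK_MAX) return EVAL_ERR_STACK;
    for (size_t i = 0; i < n; i++) st.slots[st.sp++] = args[i];
    return eval_aggregate_model(&st, n, out);
}

int main(void)
{
    double ok[] = {0, 0, 2, 5}, bad[] = {0}, r = 0;   /* constructed inputs */
    printf("4 params: rc=%d\n", run_formula(ok, 4, &r));
    printf("1 param:  rc=%d\n", run_formula(bad, 1, &r));
    return 0;
}
```

Without the first check, a formula carrying a single parameter would make the evaluator index slots below the start of the stack, which is the underflow condition the advisory describes.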
Unfortunately the changes required to fix the remaining issues affecting LibreOffice in Debian jessie are too invasive to be backported. Those issues affect only the use of LibreOffice via its Graphical User Interface (GUI). Users of LibreOffice needing the GUI are encouraged to migrate to Debian stretch or newer. From this point onwards the GUI components of LibreOffice are no longer supported in Debian jessie. Headless LibreOffice will continue to be supported.
For Debian 8 jessie, these problems have been fixed in version 1:4.3.3-2+deb8u14.
We recommend that you upgrade your libreoffice packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.