LibreOffice 7.5.3 available
The new version fixes some high-risk security vulnerabilities. Attackers could inject malicious code with manipulated spreadsheets.
David Fischer
Updated packages of the office software suite LibreOffice fix some high-risk security vulnerabilities. Attackers could send potential victims manipulated documents that, if opened, pose a risk of malicious code being injected and executed.
High-risk vulnerabilities fixed
An array index underflow can occur when Calc processes formulas. Formulas can take multiple parameters. The formula parser ScInterpreter does not correctly check the number of parameters passed; instead, it retrieves the minimum number of parameters a formula requires from a stack. If the formula specified fewer parameters than that, an underflow occurs, with the risk that arbitrary code could be executed, as described in the corresponding security advisory (CVE-2023-0950, risk high).
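An added illustration of the bug class described above, not LibreOffice's code: a toy operand stack in which every type and function name is hypothetical. It computes the index an arity-trusting read would start from and shows the check that rejects the formula instead.

```c
#include <stdio.h>

#define STACK_MAX 16

/* Toy operand stack; all names here are hypothetical, not LibreOffice's. */
typedef struct {
    double slot[STACK_MAX];
    int    sp;              /* number of operands currently pushed */
} OperandStack;

/* Index the unchecked pattern would start reading from: it trusts the
 * function's minimum arity instead of the count the formula supplied.
 * A negative result means a read below slot[0]. Only computed, never used. */
int unchecked_base_index(const OperandStack *s, int min_params) {
    return s->sp - min_params;
}

/* Hardened form: validate the supplied count against the function's arity
 * and against the real stack depth before touching any slot. */
int sum_params_checked(OperandStack *s, int supplied, int min_params,
                       int max_params, double *out) {
    if (supplied < min_params || supplied > max_params) return -1; /* arity */
    if (supplied > s->sp) return -2;   /* stack shallower than claimed */
    double acc = 0.0;
    for (int i = 0; i < supplied; i++)
        acc += s->slot[--s->sp];
    *out = acc;
    return 0;
}

/* Constructed sample input: reset the stack and push values 1..n. */
void push_n(OperandStack *s, int n) {
    s->sp = 0;
    for (int i = 0; i < n && i < STACK_MAX; i++)
        s->slot[s->sp++] = (double)(i + 1);
}

int main(void) {
    OperandStack s;
    double r = 0.0;
    push_n(&s, 1);  /* formula supplied 1 parameter, function needs 3 */
    printf("unchecked base index: %d\n", unchecked_base_index(&s, 3));
    printf("checked result code: %d\n", sum_params_checked(&s, 1, 3, 3, &r));
    push_n(&s, 3);  /* well-formed call with all 3 parameters */
    int rc = sum_params_checked(&s, 3, 3, 3, &r);
    printf("checked result code: %d, sum=%.1f\n", rc, r);
    return 0;
}
```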
Another vulnerability affects the behavior when loading documents that contain iframes. Unlike other linked objects in documents, LibreOffice updated iframes without prompting when the document was opened. Current LibreOffice versions now prompt users before updating iframes as well (CVE-2023-2255, no CVSS value yet).
The project has corrected the vulnerabilities in the current versions 7.5.3 and 7.4.7 and newer. They are available for download on the LibreOffice project's download page. Under Linux, the distribution's own software management is usually responsible for updates, so Linux users should run it once, check for updates, and apply them when they are available. To be on the safe side, LibreOffice users should check whether they are actually already using the current version.
About Author
David Fischer
I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.