[sf-lug] LibreOffice has a security problem

Rick Moen rick at linuxmafia.com
Mon Dec 6 13:37:43 PST 2021


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> LibreOffice 7.2.4 Community and LibreOffice 7.1.8 Community
> available ahead of schedule to provide an important security fix
> Posted in Announcements, LibreOffice, Press Releases By Italo
> Vignoli On December 6, 2021

Some people might want to know what "security problem" _means_, in
relation to real-world LibreOffice operations.

LibreOffice optionally can use x509 (SSL/TLS) security certificates to
digitally sign, and to verify other people's digital signatures of,
LibreOffice documents.  It uses the NSS crypto libraries from Mozilla to
carry out this cert-handling.  Docs about how to do that, here:
https://ask.libreoffice.org/t/digitally-signing-the-document-issue-what-is-nss-certificate-db/1265

Recently discovered flaw CVE-2021-43527 in NSS versions prior to version
3.73.0 involved poking the code to produce heap overflow when handling
DER-encoded DSA or RSA-PSS signatures -- specifically by asking NSS to
parse a maliciously malformed cert that makes it aberrantly react by
corrupting its heap memory.  In theory, maybe, at some point in the
future, this freakout by the NSS lib could be induced to do something
bad such as claim a bad digital signature was in fact good.

Of course, if you're thinking "But I don't use digital signatures in
LibreOffice documents, so why do I particularly care?", you would be
asking a good question, and would be reading security alerts
intelligently rather than just mindlessly.




More information about the sf-lug mailing list