Vulnerabilities in LibreOffice and Apache OpenOffice that allow bypassing the digital signature check

Information has been disclosed about three vulnerabilities in the LibreOffice and Apache OpenOffice office suites that allow attackers to prepare documents that appear to come from a trustworthy source, or to change the date of an already signed document. The problems were fixed in Apache OpenOffice 4.1.11 and LibreOffice 7.0.6 / 7.1.2 under the guise of non-security bug fixes (LibreOffice 7.0.6 and 7.1.2 were released in early May, but the vulnerability information is being disclosed only now).

  • CVE-2021-41832, CVE-2021-25635 – allows an attacker to sign an ODF document with an untrustworthy self-signed certificate and then, by changing the digital signature algorithm to an incorrect or unsupported value, have the document displayed as trustworthy (a signature with an incorrect algorithm was processed as valid).
  • CVE-2021-41830, CVE-2021-25633 – allows an attacker, by combining content signed by different certificates in the documentsignatures.xml and macrosignatures.xml files, to create an ODF document or macro that is displayed in the interface as trustworthy despite the presence of additional content certified by another certificate.
  • CVE-2021-41831, CVE-2021-25634 – allows changes to be made to the digital signature of an ODF document that distort the signing time shown to the user without breaking the trust indication.
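
As an added illustration of the first item (not code from LibreOffice or Apache OpenOffice), this Python example reads the signature streams of an ODF package and fails closed on any `SignatureMethod` algorithm outside an allow-list, instead of treating an unrecognized value as valid. The allow-list, the function names and the sample package are assumptions constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

DS = "{http://www.w3.org/2000/09/xmldsig#}"
STREAMS = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")
# Assumed local policy: only algorithms the verifier actually implements.
ALLOWED = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}

def triage_signature_algorithms(odf_bytes):
    """Return [(stream, signature_id, algorithm, verdict)] for every ds:Signature."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        for stream in STREAMS:
            if stream not in z.namelist():
                continue
            root = ET.fromstring(z.read(stream))
            for sig in root.iter(DS + "Signature"):
                method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
                alg = method.get("Algorithm") if method is not None else None
                # Fail closed: a missing, empty or unknown algorithm is rejected.
                # "verify" only means "continue to cryptographic verification".
                verdict = "verify" if alg in ALLOWED else "reject"
                findings.append((stream, sig.get("Id"), alg, verdict))
    return findings

def build_sample(algorithm):
    """Constructed sample: a minimal ODF-like zip holding one signature stub."""
    xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig1"><SignedInfo>'
        f'<SignatureMethod Algorithm="{algorithm}"/>'
        '</SignedInfo></Signature></document-signatures>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/documentsignatures.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for alg in ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "urn:example:unknown-alg"):
        print(triage_signature_algorithms(build_sample(alg)))
```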