LibreOffice Has Two Vulnerabilities

LibreOffice, a popular open-source office suite, has been found to contain two vulnerabilities, one of which can potentially allow attackers to execute code. According to the security advisories published by LibreOffice, the first vulnerability (CVE-2023-0950) enables attackers to achieve code execution when a user opens a spreadsheet that contains specially crafted formulas. The issue is caused by an array index underflow (an index that falls below the lower bound of the array) in the formula analysis code used when processing spreadsheets.

The second vulnerability (CVE-2023-2255) enables attackers to create a specially crafted document that, when opened, causes external links to be handled in a way that does not match LibreOffice's expected behavior. This vulnerability is caused by flaws in the code that implements the Floating Frames mechanism, which is similar to an iframe in HTML and allows external files to be dynamically included in a document.
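Because floating frames can pull in external files, documents received before the update can be triaged by listing the frames that point outside the document package. The following Python is an added example, not LibreOffice code: it assumes the ODF element `draw:floating-frame` with an `xlink:href` attribute, and `build_sample` produces a constructed test package rather than a real document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"
FRAME_TAG = f"{{{DRAW}}}floating-frame"  # name assumed from the ODF schema
HREF_ATTR = f"{{{XLINK}}}href"
MAX_XML = 20 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def is_external(href):
    """True when the target lies outside the document package."""
    if urlparse(href).scheme:  # http:, https:, file:, ...
        return True
    return href.startswith(("/", "../"))


def external_floating_frames(odf_bytes):
    """Return hrefs of floating frames that reference external content."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        members = {info.filename: info for info in pkg.infolist()}
        for name in ("content.xml", "styles.xml"):
            info = members.get(name)
            if info is None or info.file_size > MAX_XML:
                continue
            root = ET.fromstring(pkg.read(name))
            for frame in root.iter(FRAME_TAG):
                href = frame.get(HREF_ATTR, "")
                if href and is_external(href):
                    hits.append(href)
    return hits


def build_sample(hrefs):
    """Constructed test input: a minimal ODF-like package, not a real file."""
    frames = "".join(
        f'<draw:frame><draw:floating-frame xlink:href="{h}"/></draw:frame>'
        for h in hrefs)
    content = (f'<office:document-content xmlns:office="{OFFICE}" '
               f'xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}">'
               f"<office:body>{frames}</office:body></office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()
```

A hit is not proof of malice, since legitimate documents also use floating frames; treat the output as a review queue for files opened on unpatched versions.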

The first vulnerability was resolved in LibreOffice's March releases (7.4.6 and 7.5.1) without any substantial announcement. The second vulnerability was addressed only recently, in LibreOffice's May updates (7.4.7 and 7.5.3). With these updates, LibreOffice fixes the vulnerabilities that potentially put its users at risk.

The LibreOffice team has urged users to update to the latest versions to mitigate the risks posed by these vulnerabilities. By updating, users can ensure that their software is equipped with the necessary patches to safeguard against potential attacks.

The disclosure of these vulnerabilities highlights the need for users to stay vigilant and maintain up-to-date security measures. As software vulnerabilities continue to be discovered, it remains crucial for users to exercise caution and stay informed about potential threats to their security.

/Reports, release notes, official announcements.