Date: prev next · Thread: first prev next last
2022 Archives by date, by thread · List index




---------- Forwarded message ---------
From: Caolán McNamara <>
Date: 2022年2月22日(火) 19:54
Subject: [tdf-discuss] security related information, CVE-2021-25636
To: <>

tl:dr upgrade to LibreOffice 7-2 to 7.2.5
(or libreoffice 7.3.0)

LibreOffice supports digital signatures of ODF documents and macros
within documents, presenting visual aids that no alteration of the
document occurred since the last signing and that the signature is

The Network and Data Security group at Ruhr University Bochum
reported a flaw with the implementation of this.

CVE-2021-25636 Incorrect trust validation of signature with ambiguous
KeyInfo children

An Improper Certificate Validation vulnerability in LibreOffice allowed
an attacker to create a digitally signed ODF document, by manipulating
the documentsignatures.xml or macrosignatures.xml stream within the
document to contain both "X509Data" and "KeyValue" children of the
"KeyInfo" tag[1], which when opened caused LibreOffice to verify using
the "KeyValue" but to report verification with the unrelated "X509Data"

In versions >= 7.2.5 (and >= 7.3.0) certificate validation is now
configured to only consider X509Data children to limit validation to
X509 certificates only.


To unsubscribe e-mail to:
Posting guidelines + more:
List archive:
Privacy Policy:

Shinji Enoki

Unsubscribe instructions: E-mail to
Posting guidelines + more:
List archive:
Privacy Policy:


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.