

This is Enoki.

An announcement about fixes for the following three vulnerabilities was posted to the tdf-discuss mailing list, so I am forwarding it.
CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307

To run a version in which these vulnerabilities are fixed,
update the LibreOffice 7.2 series to 7.2.7, and the LibreOffice 7.3 series to 7.3.3 or later.

Please see the forwarded mail below for details.

---------- Forwarded message ---------
From: Caolán McNamara <caolanm@redhat.com>
Date: Mon, 25 Jul 2022 20:18
Subject: [tdf-discuss] security related information, CVE-2022-26305,
CVE-2022-26306 and CVE-2022-26307
To: <discuss@documentfoundation.org>


tl;dr: upgrade LibreOffice 7-2 to 7.2.7,
and/or upgrade LibreOffice 7-3 to 7.3.3

CVE-2022-26305 Execution of Untrusted Macros Due to Improper
Certificate Validation

Due to a poor mechanism for comparing the authors of certificates, it
was possible to make a digitally signed document containing macros
incorrectly appear as if it were signed by a trusted author (if the user
had configured trusted certificates).

Fixed in 7.2.7 and 7.3.2
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305

---

LibreOffice supports the storage of passwords for web connections in
the user’s configuration database. The stored passwords are encrypted
with a single master key provided by the user. There were two problems
here:

CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords
for Web Connections Without Knowing the Master Password

The same initial vector for the encryption process was used for all
encryption, leaving the passwords potentially vulnerable to recovery if
an attacker gained access to the user's config data.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306

and

CVE-2022-26307 Weak Master Keys

A flaw existed in LibreOffice where the master key was poorly encoded,
weakening its entropy from 128 to 43 bits and making the stored
passwords vulnerable to a brute force attack if an attacker has access
to the user's stored config.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307

For CVE-2022-26306 and CVE-2022-26307, newly saved password information
is saved using a more secure mechanism. In order to deal with old
preexisting vulnerable data, if the old format is detected in the
user's config during application startup, an infobar prompts the
user to reenter their password in order to trigger replacing that old
data with the new format.


--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy


--
Shinji Enoki
shinji.enoki@gmail.com

-- 
Unsubscribe instructions: E-mail to users+unsubscribe@ja.libreoffice.org
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/ja/users/
Privacy Policy: https://www.documentfoundation.org/privacy
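The static-IV weakness behind CVE-2022-26306 above is easier to see with a small model of a password store. The following Go program is an added example written for this archive page; it is not LibreOffice code and does not reproduce LibreOffice's actual cipher or storage format. It assumes AES-CBC with PKCS#7 padding (an illustrative choice), a constructed hard-coded IV standing in for the shared initial vector, and a constructed 32-byte master key. With one IV for every record, two entries holding the same web password encrypt to byte-identical ciphertexts, and two passwords sharing their first 16 bytes share their first ciphertext block, so an attacker who reads the config file learns which stored passwords are equal or related without the master key. Generating a fresh IV per record and storing it next to the ciphertext removes that leak.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// staticIV models the vulnerable pattern: a single IV reused for every record.
// The value is constructed for this example and has nothing to do with LibreOffice.
var staticIV = []byte("0123456789abcdef")

// pkcs7Pad extends data to a whole number of AES blocks.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding added by pkcs7Pad, rejecting malformed input.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// encryptCBC encrypts plaintext under key with the given IV; the IV is not included in the output.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// sealStaticIV is the weak scheme: every record is encrypted with staticIV,
// so equal passwords give equal ciphertexts (deterministic encryption).
func sealStaticIV(masterKey, password []byte) ([]byte, error) {
	return encryptCBC(masterKey, staticIV, password)
}

// sealRandomIV is the corrected scheme: a fresh random IV per record, prepended to the ciphertext.
func sealRandomIV(masterKey, password []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(masterKey, iv, password)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// openRandomIV reverses sealRandomIV: split off the IV, decrypt, unpad.
func openRandomIV(masterKey, record []byte) ([]byte, error) {
	if len(record) < 2*aes.BlockSize || len(record)%aes.BlockSize != 0 {
		return nil, errors.New("bad record length")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	iv, ct := record[:aes.BlockSize], record[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// sharedPrefixBlocks counts the leading 16-byte blocks two ciphertexts have in common.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for ; (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b); n++ {
		if !bytes.Equal(a[n*aes.BlockSize:(n+1)*aes.BlockSize], b[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
			break
		}
	}
	return n
}

func main() {
	masterKey := []byte("constructed-32-byte-master-key!!") // constructed sample, 32 bytes
	a, _ := sealStaticIV(masterKey, []byte("hunter2"))
	b, _ := sealStaticIV(masterKey, []byte("hunter2"))
	fmt.Println("static IV, same password, identical ciphertexts:", bytes.Equal(a, b))
	c, _ := sealRandomIV(masterKey, []byte("hunter2"))
	d, _ := sealRandomIV(masterKey, []byte("hunter2"))
	fmt.Println("random IV, same password, identical ciphertexts:", bytes.Equal(c, d))
	pt, err := openRandomIV(masterKey, c)
	fmt.Printf("random IV round trip: %q %v\n", pt, err)
}
```

The point of the comparison is that ciphertext equality is itself information: a config file encrypted under one fixed IV tells a reader which sites share a password even though no plaintext is exposed. Storing the IV beside each record costs 16 bytes per entry and is what the "more secure mechanism" in the announcement has to provide at minimum; the infobar re-entry flow described above is what migrates records written under the old, deterministic scheme.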
