LibreOffice Addresses Two Security Vulnerabilities – CVE-2023-0950 & CVE-2023-2255
Security in an open-source environment is a shared responsibility. The LibreOffice community is proud to illustrate this ethos with its recent handling of two notable vulnerabilities, which could have posed significant risks to LibreOffice users around the globe.
1. CVE-2023-0950: Array Index Underflow in Calc Formula Parsing
LibreOffice’s spreadsheet module, Calc, is the backbone of many users’ data management tasks, bolstered by its support for a wide range of complex formulas. A powerful formula interpreter, known as ‘ScInterpreter’, evaluates these formulas, popping the parameters each function needs from a stack.
However, a recent discovery spotlighted a flaw in this process. A malformed spreadsheet formula, such as one calling AGGREGATE, could be crafted so that fewer parameters were passed to the formula interpreter than it expected. Because the interpreter takes its parameters from a stack, this discrepancy could lead to an array index underflow, and with it an escalated risk of arbitrary code execution, a major security concern.
The CVE-2023-0950 flaw was discovered by security professionals at Secusmart GmbH. In LibreOffice 7.4.6 and later (and 7.5.2 and later on the 7.5 branch), the count of parameters is now validated before it is used, closing this vulnerability.
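To make the bug class concrete, here is a toy stack-based formula interpreter written for this article. It is not LibreOffice code, and every name in it (ToyStack, StackBaseUnchecked, ValidateParams, AggregateChecked) is an assumption of the example; only the idea of popping N parameters from an operand stack and the AGGREGATE function codes 1 (AVERAGE) and 9 (SUM) follow common spreadsheet usage. The unchecked helper shows how a parameter count larger than the number of operands actually pushed wraps the base index (the underflow), while the hardened variant validates the count against both the function’s minimum arity and the live stack depth before touching memory.

```cpp
// Added illustration, not LibreOffice code: a toy stack-based formula
// interpreter showing the bug class behind CVE-2023-0950. All names here
// are hypothetical; AGGREGATE codes 1 (AVERAGE) and 9 (SUM) follow
// ordinary spreadsheet usage.
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <vector>

enum class ParamCheck { Ok, BelowMinimum, TooFewOnStack };

struct ToyStack {
    std::vector<double> data;  // operands in push order
    std::size_t sp = 0;        // number of live operands

    void Push(double v) { data.push_back(v); ++sp; }
};

struct AggResult {
    bool ok;       // false means "formula error", nothing was read
    double value;
};

// Vulnerable pattern: derive the base index of a function's parameters from
// the count the formula *claims* to have pushed, with no check. If
// nParams > sp the unsigned subtraction wraps around (array index underflow),
// and any later access at data[base + i] reads far outside the operand stack.
std::size_t StackBaseUnchecked(const ToyStack& s, std::size_t nParams) {
    return s.sp - nParams;  // wraps when nParams > sp
}

// Hardened pattern: validate the count against both the function's minimum
// arity and the number of operands actually on the stack before indexing.
ParamCheck ValidateParams(const ToyStack& s, std::size_t nParams, std::size_t nMin) {
    if (nParams < nMin) return ParamCheck::BelowMinimum;
    if (nParams > s.sp) return ParamCheck::TooFewOnStack;
    return ParamCheck::Ok;
}

// Toy AGGREGATE(function_code; options; operand; ...): needs at least 3
// parameters. Refuses (ok == false) instead of touching memory when the
// declared count is inconsistent with the stack.
AggResult AggregateChecked(ToyStack& s, std::size_t nParams) {
    if (ValidateParams(s, nParams, 3) != ParamCheck::Ok) return {false, 0.0};
    const std::size_t base = s.sp - nParams;  // safe: nParams <= sp here
    const int func = static_cast<int>(s.data[base]);
    // s.data[base + 1] holds the options value; this toy ignores it.
    double sum = 0.0;
    std::size_t count = 0;
    for (std::size_t i = base + 2; i < s.sp; ++i) { sum += s.data[i]; ++count; }
    s.data.resize(base);  // pop every parameter
    s.sp = base;
    if (func == 9) return {true, sum};          // SUM
    if (func == 1) return {true, sum / count};  // AVERAGE (count >= 1 here)
    return {false, 0.0};                        // code not modelled by the toy
}

int main() {
    ToyStack good;
    for (double v : {9.0, 0.0, 2.0, 3.0}) good.Push(v);
    AggResult r = AggregateChecked(good, 4);
    std::printf("AGGREGATE(9;0;2;3) -> ok=%d value=%g\n", r.ok, r.value);

    ToyStack bad;   // formula claims 4 parameters but only 1 was pushed
    bad.Push(9.0);
    std::printf("unchecked base index = %zu (wrapped)\n", StackBaseUnchecked(bad, 4));
    std::printf("checked AGGREGATE ok=%d\n", AggregateChecked(bad, 4).ok);
    return 0;
}
```

The design point is that the count must be checked against the actual stack depth, not just against the function’s declared minimum: a formula can satisfy the arity rule on paper while the operand stack holds fewer values than claimed.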
2. CVE-2023-2255: Remote Documents Loaded Without Prompt via IFrame
LibreOffice supports “Floating Frames”, a feature reminiscent of HTML IFrames. These frames enrich documents by displaying linked content in a floating frame within the host document. However, it was discovered that a frame could be set up so that its linked document was fetched and displayed without a prompt as soon as the host document was loaded, bypassing LibreOffice’s standard practice of warning users before linked documents are loaded.
This inconsistency was identified by Amel Bouziane-Leblond, prompting immediate action from the LibreOffice team. In versions 7.4.7 and later (and 7.5.3 and later on the 7.5 branch), the existing “update link” manager has been extended to manage the updating of IFrame content as well. As a result, IFrames no longer refresh their content automatically unless the user consents when prompted, which nullifies this vulnerability.
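The following model, written for this article and not taken from LibreOffice, shows why routing every link kind through one manager matters. All names (LinkKind, UpdateMode, ConsentPolicy, UpdateViaLinkManager, LoadLinksBeforeFix, LoadLinksAfterFix, SampleDocument) are assumptions of the example; the three UpdateMode values mirror the “Update links when loading” choices LibreOffice offers (Always, On request, Never), and the URLs are constructed placeholders. In the pre-fix loader the floating frame is fetched no matter what the user answers; in the post-fix loader it is subject to the same mode and consent check as every other link.

```cpp
// Added illustration, not LibreOffice code: a hypothetical link-update
// manager modelling the behaviour change behind CVE-2023-2255. Every
// identifier is an assumption of this example; the UpdateMode values
// mirror LibreOffice's "Update links when loading" options.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

enum class LinkKind { OleObject, Section, FloatingFrame };
enum class UpdateMode { Always, OnRequest, Never };

struct Link {
    LinkKind kind;
    std::string url;       // remote resource the link points to
    bool fetched = false;  // set once content would be retrieved
};

// The user's answer to "update linked content?", scripted so the example
// runs offline without a dialog.
using ConsentPolicy = std::function<bool(const std::string& url)>;

// Single choke point: nothing is fetched unless the configured mode allows
// it and, in OnRequest mode, the user explicitly agreed.
bool UpdateViaLinkManager(Link& l, UpdateMode mode, const ConsentPolicy& ask) {
    switch (mode) {
        case UpdateMode::Always:
            l.fetched = true;
            return true;
        case UpdateMode::Never:
            return false;
        case UpdateMode::OnRequest:
            if (ask(l.url)) { l.fetched = true; return true; }
            return false;
    }
    return false;
}

// Pre-fix behaviour (the vulnerability): floating frames are not registered
// with the link manager, so they fetch their target as soon as the host
// document loads, regardless of mode and without any prompt.
int LoadLinksBeforeFix(std::vector<Link>& links, UpdateMode mode, const ConsentPolicy& ask) {
    int fetched = 0;
    for (Link& l : links) {
        if (l.kind == LinkKind::FloatingFrame) { l.fetched = true; ++fetched; continue; }
        if (UpdateViaLinkManager(l, mode, ask)) ++fetched;
    }
    return fetched;
}

// Post-fix behaviour: every link kind, floating frames included, goes
// through the same manager, so the prompt cannot be bypassed.
int LoadLinksAfterFix(std::vector<Link>& links, UpdateMode mode, const ConsentPolicy& ask) {
    int fetched = 0;
    for (Link& l : links)
        if (UpdateViaLinkManager(l, mode, ask)) ++fetched;
    return fetched;
}

// Constructed sample document: one OLE link and one floating frame, both
// pointing at placeholder URLs.
std::vector<Link> SampleDocument() {
    return { {LinkKind::OleObject,     "https://example.invalid/chart.ods"},
             {LinkKind::FloatingFrame, "https://example.invalid/frame.html"} };
}

int main() {
    ConsentPolicy deny = [](const std::string&) { return false; };
    std::vector<Link> before = SampleDocument();
    std::vector<Link> after  = SampleDocument();
    std::printf("before fix, user declines: %d link(s) fetched\n",
                LoadLinksBeforeFix(before, UpdateMode::OnRequest, deny));
    std::printf("after fix,  user declines: %d link(s) fetched\n",
                LoadLinksAfterFix(after, UpdateMode::OnRequest, deny));
    return 0;
}
```

The check worth carrying over to any document format with linked content is the same: enumerate every mechanism that can trigger a remote fetch on open and confirm each one reaches the consent gate, since a single unregistered link type silently undoes the protection the others provide.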
All LibreOffice users are advised to upgrade to the latest version as soon as possible.