LibreOffice Vulnerability (CVE-2024-7788): Exploit of “Repair Mode” Signatures Raises Security Concerns
In a newly disclosed security advisory, The Document Foundation has revealed a high-severity vulnerability (CVE-2024-7788, CVSS 7.8) affecting LibreOffice’s document recovery mechanism. This flaw highlights significant risks in the software’s “repair mode” functionality, specifically when dealing with corrupted zip-based file formats. Users of LibreOffice are urged to update their software to versions 24.2.5 or 24.8.0 to patch the vulnerability and safeguard their systems.
LibreOffice, like many modern office suites, relies heavily on zip file formats for storing various types of documents. When a zip-based file becomes corrupted, LibreOffice’s “repair mode” kicks in, attempting to salvage the contents by reconstructing the zip file’s structure through scanning local file headers.
However, this recovery mode exposed a flaw when handling digitally signed files. Prior to the patch, an attacker could exploit this vulnerability by creating a document designed to manipulate the recovery process. When the document was repaired, the signature verification system could incorrectly report the status of a signature, giving a false sense of authenticity to a potentially malicious document.
In practical terms, this meant that when a signed document became corrupted and was then “repaired” by LibreOffice, its signature could be reported as valid even though the recovered content did not match the original. Previous versions of LibreOffice even allowed users to bypass failed verification checks and enable macros regardless of the file’s compromised integrity. That is a critical risk vector, as malicious macros are a common delivery mechanism for malware.
To mitigate the threat posed by CVE-2024-7788, LibreOffice has fundamentally changed how signature verification works in recovery mode. From versions 24.2.5 and 24.8.0 onwards, any signatures on files that enter repair mode will automatically be marked as invalid. This ensures that no repaired file can bypass the integrity checks designed to protect users from tampered content, especially files containing harmful macros.
As the security advisory notes, “repair mode” must be inherently tolerant of file corruption, and this necessitated an overhaul of how digital signatures are handled during the recovery process. By marking all signatures as invalid, the LibreOffice team ensures that users won’t mistakenly trust a corrupted, potentially harmful document.
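A triage check tied to the repair behaviour described above, added here as an example and not taken from LibreOffice or the advisory: it compares the entries that a scan for local file headers finds with the entries the zip central directory indexes, and reports any header the directory does not account for. The function names and both sample archives are constructed for illustration; the advisory does not describe what a crafted document looks like, so a finding is a reason to distrust the file's signature status, not proof of an attack.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"  # zip local file header signature


def scan_local_headers(data):
    """Yield (offset, name) for every local file header signature in the raw bytes."""
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1:
        if pos + 30 <= len(data):  # fixed part of a local header is 30 bytes
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            name = data[pos + 30 : pos + 30 + name_len]
            yield pos, name.decode("utf-8", "replace")
        pos = data.find(LOCAL_HEADER_SIG, pos + 4)


def repair_scan_discrepancies(data):
    """List local headers a header scan finds but the central directory does not index."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        indexed = {info.header_offset for info in zf.infolist()}
    return [
        f"unindexed local header at offset {off}: {name!r}"
        for off, name in scan_local_headers(data)
        if off not in indexed
    ]


def _zip_bytes(members):
    """Build an in-memory, uncompressed zip from {name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a consistent package, and the same package preceded by
# an entry that only a header scan would see.
CLEAN = _zip_bytes({"mimetype": "application/vnd.oasis.opendocument.text",
                    "content.xml": "<office:document-content/>"})
INCONSISTENT = _zip_bytes({"stray.xml": "<stray/>"}) + CLEAN

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("inconsistent", INCONSISTENT)):
        print(label, repair_scan_discrepancies(sample) or "no discrepancies")
```

Because the scan matches the signature anywhere in the file, a document that legitimately stores another zip uncompressed inside it will also be flagged, so treat the output as a prompt for manual review.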