Description
An Improper Digital Signature Invalidation vulnerability in the Zip Repair Mode of The Document Foundation LibreOffice allows signature forgery. This issue affects LibreOffice from 24.2 before 24.2.5.
A flaw was found in LibreOffice. Various file formats are based on the zip file format. In cases of corruption of the underlying zip's central directory, LibreOffice offers a "repair mode" which will attempt to recover the zip file structure by scanning for secondary local file headers in the zip to reconstruct the document. In the case of digitally signed zip files, an attacker could construct a document which, when repaired, reported a signature status not valid for the recovered file.
Report
The issue of incorrect digital signature validation during the repair of corrupted zip files in LibreOffice is classified as moderate severity due to its specific conditions and limited impact. While the flaw could potentially allow an attacker to exploit the repair mechanism to bypass signature verification, it requires both the corruption of a zip file and the presence of a digital signature, which narrows the scope of exploitation. Furthermore, successful exploitation would only affect the validation of the signature status rather than directly compromising the integrity or security of the document's content.
Mitigation
Do not try to recover or open an untrusted document.
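A pre-opening triage check in the spirit of this mitigation, as an added example that is not Red Hat's or LibreOffice's code: it flags signed zip-based documents whose central directory is unreadable (so repair mode would be offered) or disagrees with a scan of the local file headers. The function names and the sample document are constructed here; `META-INF/documentsignatures.xml` is the ODF signature entry, and the header scan is a heuristic that can also match bytes inside compressed data.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"  # zip local file header signature
CDH_SIG = b"PK\x01\x02"  # zip central directory header signature
SIG_ENTRY = "META-INF/documentsignatures.xml"  # where ODF stores document signatures

def scan_local_headers(data):
    """Names found by scanning for local file headers, ignoring the central directory."""
    names, pos = [], data.find(LFH_SIG)
    while pos != -1:
        if pos + 30 <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LFH_SIG, pos + 4)
    return names

def triage(data):
    """Flag signed documents whose central directory is missing or disagrees with a header scan."""
    scanned = scan_local_headers(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            central = zf.namelist()
    except zipfile.BadZipFile:
        central = None  # unreadable central directory: repair mode would be offered
    signed = SIG_ENTRY in scanned or SIG_ENTRY in (central or [])
    needs_repair = central is None
    mismatch = central is not None and sorted(central) != sorted(scanned)
    return {"signed": signed, "needs_repair": needs_repair, "mismatch": mismatch,
            "quarantine": signed and (needs_repair or mismatch)}

def build_sample():
    """Constructed sample: a minimal zip laid out like a signed ODF package (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<placeholder/>")
        zf.writestr(SIG_ENTRY, "<placeholder-signature/>")
    return buf.getvalue()

if __name__ == "__main__":
    intact = build_sample()
    damaged = intact[:intact.index(CDH_SIG)]  # central directory cut off, as in a corrupted file
    print("intact :", triage(intact))
    print("damaged:", triage(damaged))
```

A document that comes back with `quarantine` set is one where the signature status shown after a repair should not be relied on.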
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | libreoffice | Out of support scope | | |
Red Hat Enterprise Linux 7 | libreoffice | Out of support scope | | |
Red Hat Enterprise Linux 8 | libreoffice | Will not fix | | |
Red Hat Enterprise Linux 9 | libreoffice | Will not fix | | |
Additional information
Status:
7.8 High
CVSS3
Related vulnerabilities
A vulnerability in the LibreOffice office suite, related to incorrect verification of a cryptographic signature, that allows an attacker to create a specially crafted document which, after recovery, reported a valid electronic signature status
7.8 High
CVSS3