SB20220615127 - Anolis OS update for libreoffice

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2021-25633)

The vulnerability allows a remote user to perform spoofing attack.

The vulnerability exists due to application does not properly check for digital signatures of ODF files. A remote attacker can create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown.

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-25634)

The vulnerability allows a remote user to perform spoofing attack.

The vulnerability exists due to application does not properly check for digital signatures of ODF files. A remote attacker can change the signature algorithm in the document to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person.

3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-25635)

The vulnerability allows a remote user to perform spoofing attack.

The vulnerability exists due to application does not properly check for digital signatures of ODF files. A remote attacker can change the signature algorithm in the document to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2022:0406