Collabora Office Security Advisories

Fixed in Collabora Office 21.06.40, 22.05.21, 23.05.6

CVE-2023-6185 Improper input validation enabling arbitrary Gstreamer pipeline injection

Collabora Office supports embedded videos in file formats via platform audio/video support. Typically under Linux this is via gstreamer. In affected versions of Collabora Office, the filename of the embedded video is not sufficiently escaped when passed to gstreamer, enabling an attacker to run arbitrary gstreamer plugins, depending on what plugins are installed on the target system.

CVE-2023-6186 Link targets allow arbitrary script execution

Collabora Office supports hyperlinks. In addition to the typical common protocols such as http/https, hyperlinks can also have target URLs that can launch built-in macros or dispatch built-in internal commands. In affected versions of Collabora Office there are scenarios where these can be executed without warning if the user activates such hyperlinks. In later versions the user’s explicit macro execution permissions for the document are now consulted to decide whether these non-typical hyperlinks can be executed. The possibility to use these variants of hyperlink targets for floating frames has been removed.

Credits:
  • Thanks to Reginaldo Silva of ubercomp.com for finding and reporting these issues

Fixed in Collabora Office 21.06.39, 22.05.19, 23.05.4

CVE-2023-4863 Heap-Based Buffer Overflow Vulnerability in bundled libwebp < 1.3.2

Collabora Office contains libwebp. In the affected versions of libwebp (before 1.3.2) opening a malicious WebP image could lead to a heap buffer overflow.

Credits:
  • Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School

Fixed in Collabora Office 6.4-68, 21.06.39, 22.05.19

CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing

The Spreadsheet module of Collabora Office supports various formulas that take multiple parameters. The formulas are interpreted by ‘ScInterpreter’, which extracts the required parameters for a given formula off a stack.

In the affected versions of Collabora Office, certain malformed spreadsheet formulas, such as AGGREGATE, could be created with fewer parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.

Credits:
  • Secusmart GmbH for discovering and reporting the issue
  • Eike Rathke of Red Hat, Inc. for a solution

Fixed in Collabora Office 6.4-64, 21.06.37

CVE-2022-38745 Empty entry in Java class path risks arbitrary code execution

Collabora Office supports and contains components written in Java. Collabora Office extends the existing Java class path with its own internal classes.

In the affected versions of Collabora Office, if the existing class path was empty, then when Java class files are loaded, the current working directory is searched for valid classes before using the embedded versions. If an attacker sends a zip file containing a class file alongside a document, then, depending on the file manager or other tool used to open the zip file, on navigating to the document and launching Collabora Office to open it, the current working directory of Collabora Office may be the directory in which the class file exists, in which case there is a risk that the arbitrary code of the class file could be executed.

Credits:
  • European Commission’s Open Source Programme Office for sponsoring the security bug bounty which discovered the flaw
  • Stephan Bergmann of Red Hat, Inc. for a solution

Fixed in Collabora Office 6.2-36, 6.4-63, 21.06.33, 22.05.6

CVE-2022-3140 Macro URL arbitrary script execution

Collabora Office supports Office URI Schemes to enable browser integration of Collabora Office with MS SharePoint server. An additional scheme ‘vnd.libreoffice.command’ specific to Collabora Office was added.

In the affected versions of Collabora Office, links using that scheme could be constructed to call internal macros with arbitrary arguments, which, when clicked on or activated by document events, could result in arbitrary script execution without warning.

In patched versions such unwanted command URIs are blocked from execution.

Credits:
  • TheSecurityDev working with Trend Micro Zero Day Initiative

Fixed in Collabora Office 6.4-62, 21.06.24, 22.05.2

CVE-2022-26305 Execution of Untrusted Macros Due to Improper Certificate Validation

Due to a poor mechanism for comparing the authors of certificates it was possible to make a digitally signed document containing macros incorrectly appear as if it was signed by a trusted author (if the user had configured trusted certificates).

Collabora Office supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. There were two problems here:

CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password

The same initialization vector was used for all encryption, leaving the password potentially vulnerable to recovery if an attacker gained access to the user’s config data.

and

CVE-2022-26307 Weak Master Keys

A flaw in LibreOffice existed where the master key was poorly encoded, weakening its entropy from 128 to 43 bits and making the stored passwords vulnerable to a brute force attack if an attacker has access to the user’s stored config.

For CVE-2022-26306 and CVE-2022-26307 newly saved password information is saved using a more secure mechanism. In order to deal with old preexisting vulnerable data, if the old format is detected in the user’s config during application startup then an infobar prompts the user to reenter their password in order to trigger replacing that old data with the new format.

Fixed in Collabora Office 6.2-35, 6.4-55, and 21.06.15

Collabora Office supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

The Network and Data Security group at Ruhr University Bochum reported a flaw with the implementation of this.

CVE-2021-25636 Incorrect trust validation of signature with ambiguous KeyInfo children

An Improper Certificate Validation vulnerability in Collabora Office allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both “X509Data” and “KeyValue” children of the “KeyInfo” tag, which when opened caused Collabora Office to verify using the “KeyValue” but to report verification with the unrelated “X509Data” value.

In versions >= 6.2-35, >= 6.4-55 and >= 21.06.15 certificate validation is now configured to only consider X509Data children to limit validation to X509 certificates only.
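An audit for the ambiguous KeyInfo condition described above, added here as an example and not taken from Collabora Office's code: it opens an ODF package and reports every signature whose own KeyInfo carries both X509Data and KeyValue, or a KeyValue with no X509Data. The function names and the sample stream are constructed for illustration; the `META-INF/` stream paths and the XML-DSig namespace are the standard ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
X509DATA, KEYVALUE = f"{{{DSIG}}}X509Data", f"{{{DSIG}}}KeyValue"
SIGNATURE_STREAMS = ("META-INF/documentsignatures.xml",
                     "META-INF/macrosignatures.xml")

# Constructed sample: certificate and key material replaced by placeholders.
SAMPLE_XML = b"""<document-signatures
  xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig-clean">
  <KeyInfo><X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
 </Signature>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig-ambiguous">
  <KeyInfo>
   <X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data>
   <KeyValue><RSAKeyValue/></KeyValue>
  </KeyInfo>
 </Signature>
</document-signatures>"""


def audit_keyinfo(xml_bytes):
    """Return (signature Id, finding) for every signature with a suspect KeyInfo."""
    if b"<!DOCTYPE" in xml_bytes:
        # A signature stream has no need for a DTD; do not hand one to the parser.
        raise ValueError("DTD in signature stream, refusing to parse")
    findings = []
    for sig in ET.fromstring(xml_bytes).iter(f"{{{DSIG}}}Signature"):
        # Only the signature's own KeyInfo children are considered.
        kinds = {child.tag for ki in sig.findall(f"{{{DSIG}}}KeyInfo") for child in ki}
        sig_id = sig.get("Id", "<no Id>")
        if X509DATA in kinds and KEYVALUE in kinds:
            findings.append((sig_id, "X509Data and KeyValue both present"))
        elif KEYVALUE in kinds:
            findings.append((sig_id, "KeyValue without X509Data"))
    return findings


def audit_odf(odf_bytes):
    """Audit each signature stream found in an ODF package (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        present = set(pkg.namelist())
        return {name: audit_keyinfo(pkg.read(name))
                for name in SIGNATURE_STREAMS if name in present}


def build_sample_odf():
    """Build a minimal in-memory package holding only the constructed stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("META-INF/documentsignatures.xml", SAMPLE_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for stream, findings in audit_odf(build_sample_odf()).items():
        for sig_id, finding in findings:
            print(f"{stream}: {sig_id}: {finding}")
```
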

Fixed in Collabora Office 6.2-34, 6.4-51, and 21.06.9

CVE-2021-43527 (relevant only on Linux and macOS)

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures

Fixed in Collabora Office 6.2-33 and 6.4-39

CVE-2021-25633 Content Manipulation with Double Certificate Attack

Collabora Office supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

An Improper Certificate Validation vulnerability in Collabora Office allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown.

References:

NDS of Ruhr University Bochum for discovering and reporting this problem.

Thanks to Michael Stahl of allotropia software GmbH for solving this problem.

CVE-2021-25634 Timestamp Manipulation with Signature Wrapping

Collabora Office supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

An Improper Certificate Validation vulnerability in Collabora Office allowed an attacker to modify a digitally signed ODF document to insert an additional signing time timestamp which Collabora Office would incorrectly present as a valid signature signed at the bogus signing time.

References:

Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.

Thanks to Michael Stahl of allotropia software GmbH for solving this problem.

CVE-2021-25635 Content Manipulation with Certificate Validation Attack

Collabora Office supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid.

An Improper Certificate Validation vulnerability in Collabora Office allowed an attacker to self-sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to Collabora Office) algorithm, and Collabora Office would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person.

References:

Thanks to NDS of Ruhr University Bochum for discovering and reporting this problem.

Fixed in Collabora Office 6.4-39

CVE-2021-25632 fileloc extension added to macOS executable denylist

Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system ‘open’ utility for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ‘open’ to avoid attempting to launch executables.

In the Collabora Office 6.4 series in versions prior to 6.4-39 the denylist didn’t include the .fileloc extension which could be used to launch an executable on the system.

In the fixed versions this extension has been blocked. All macOS users are recommended to upgrade to Collabora Office >= 6.4-39

References:

Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem

Fixed in Collabora Office 6.2-30 and 6.4-33

CVE-2021-25631 Denylist of executable filename extensions possible to bypass under Windows

Collabora Office has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. Collabora Office contains a denylist of extensions that it blocks from passing to ShellExecute to avoid attempting to launch executables.

In the Collabora Office 6.2 series in versions prior to 6.2-30, and in the 6.4 series in versions prior to 6.4-33, the denylist can be circumvented by manipulating the link so it doesn’t match the denylist but results in ShellExecute attempting to launch an executable type.

In the fixed versions this circumvention has been blocked.

Thanks to Lukas Euler of Positive Security for discovering and reporting this issue.

Fixed in Collabora Office 6.0-37 and 6.2-13

CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted to not using encryption on next save

If Collabora Office has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, Collabora Office offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not Collabora Office’s default ODF file format, then affected versions of Collabora Office default to saving the document unencrypted on subsequent saves.

This may lead to a user accidentally saving a Microsoft Office file format document unencrypted while believing it to be encrypted.

Fixed in Collabora Office 5.3-67 and 6.0-35

CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution

Fixed in Collabora Office 5.3-66 and 6.0-34

CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution

Collabora Office is bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreLogo is not part of the default installation of Collabora Office (on Windows).

Collabora Office also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in Collabora Office allowed malicious documents to bypass that protection and again trigger calling LibreLogo from script event handlers.

In the fixed versions, script URLs are correctly decoded before validation.

CVE-2019-9851 LibreLogo global-event script execution

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse-over. However, Collabora Office also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc.

In the fixed versions, global script event handlers are validated equivalently to document script event handlers.

CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check

Collabora Office has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

Access is intended to be restricted to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the Collabora Office install.

Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack.

In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing.
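The rule behind the CVE-2019-9850 and CVE-2019-9852 fixes, shown as an added example that is not Collabora Office's code: bring the script location to one canonical form first, then compare it against the allowed directories. The function names, the relative install root and the sample locations are assumptions, and the real script URL syntax is not modelled; the flawed form is kept beside the hardened one for comparison.

```python
import posixpath
from urllib.parse import unquote

# Directories named on the page, relative to a hypothetical install root.
ALLOWED_ROOTS = ("share/Scripts/python", "user/Scripts/python")

# Constructed sample locations (not taken from any real document).
SAMPLES = [
    "share/Scripts/python/tools/example.py",
    "user/Scripts/python/my%20macro.py",
    "share/Scripts/python/%2e%2e/%2e%2e/%2e%2e/tmp/other.py",
    "share/Scripts/python/%252e%252e/other.py",
    "share/Scripts/pythonX/other.py",
]


def naive_is_allowed(location):
    """Flawed 'before' form: validates the raw, still-encoded string."""
    return ".." not in location and location.startswith(ALLOWED_ROOTS)


def canonical_location(location):
    """Decode once, refuse leftover encoding, then collapse '.' and '..'."""
    decoded = unquote(location)
    if unquote(decoded) != decoded:
        # A second decode would change the value: the meaning is ambiguous.
        raise ValueError("nested percent-encoding")
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("backslash or NUL in location")
    return posixpath.normpath(decoded)


def is_allowed(location):
    """Hardened form: compare the canonical path against whole directories."""
    try:
        path = canonical_location(location)
    except ValueError:
        return False
    # The trailing "/" stops sibling names such as "pythonX" from matching.
    return any(path.startswith(root + "/") for root in ALLOWED_ROOTS)


def compare(samples=SAMPLES):
    """Return (location, naive verdict, hardened verdict) per sample."""
    return [(s, naive_is_allowed(s), is_allowed(s)) for s in samples]


if __name__ == "__main__":
    for location, naive, hardened in compare():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {location}")
```
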

Fixed in Collabora Office 5.3-65 and 6.0-33

CVE-2019-9848: LibreLogo arbitrary script execution

Prior to 5.3-65 and 6.0-33 it is possible to construct malicious documents which can execute arbitrary Python silently if the LibreLogo script is installed. LibreLogo is not installed by default in the binary builds of Collabora Office provided by Collabora Productivity Ltd.

CVE-2019-9849: remote bullet graphics retrieved in ‘stealth mode’

Collabora Office has a ‘stealth mode’ in which only documents from locations deemed ‘trusted’ are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable Collabora Office’s ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 5.3-65 and 6.0-33. Users of this feature should upgrade to 5.3-65 or 6.0-33.

Fixed in Collabora Office 5.3-64 and 6.0-28

CVE-2019-9847: Executable hyperlink targets executed unconditionally on activation

Before 5.3-64 and 6.0-28 under Windows and macOS when processing a hyperlink target explicitly activated by the user, as in you explicitly click on a hyperlink in some Collabora Office application, there was no judgment made on whether the target was an executable file, so such executable targets were launched unconditionally.

In the fixed versions, such executables are not executed on hyperlink activation.

Fixed in Collabora Office 5.3-58 and 6.0-13

CVE-2018-16858 Directory traversal flaw in script execution

Fixed in Collabora Office 5.3-49 and Collabora GovOffice 5.3-49

CVE-2018-10583 Information disclosure via SMB link embedded in ODF document

Fixed in Collabora Office 5.3-46 and Collabora GovOffice 5.3-45

CVE-2018-10119 Use After Free in Structured Storage parser

CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing

Fixed in Collabora Office 5.3-39 and Collabora GovOffice 5.3-39

CVE-2018-1055 Remote arbitrary file disclosure vulnerability via WEBSERVICE formula

Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8

CVE-2017-7870 Heap-buffer-overflow in WMF filter

CVE-2016-10327 Heap-buffer-overflow in EMF filter

CVE-2017-7856 Heap-buffer-overflow in SVM filter

CVE-2017-7882 Heap-buffer-overflow in HWP filter

CVE-2017-8358 Heap-buffer-overflow in JPG filter

CVE-2017-3157 Arbitrary file disclosure in Calc and Writer

CVE-2016-4324 Dereference of invalid STL iterator on processing RTF file

CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout processing

CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter

CVE-2017-12607 Out-of-Bounds Write in Impress’ PPT Filter

CVE-2017-12608 Out-of-Bounds Write in Writer’s ImportOldFormatStyles

CVE-2015-5214 DOC Bookmark Status Memory Corruption

CVE-2015-4551 Arbitrary file disclosure in Calc and Writer

CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)

CVE-2015-5213 DOC piecetable Integer Overflow

CVE-2015-1774 Out of bounds write in HWP file filter

CVE-2014-3693 Use-After-Free in socket manager of Impress Remote

CVE-2014-3524 CSV Command Injection and DDE formulas

CVE-2014-3575 Arbitrary File Disclosure using crafted OLE objects

CVE-2014-0247 Microsoft Office VBA Macro Execution

CVE-2013-4156 Microsoft .docm Denial Of Service

CVE-2012-4233 Multiple file format denial of service vulnerabilities

CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code

CVE-2012-1149 Integer overflows in graphic object loading

CVE-2012-2334 Integer overflow flaw with malformed PPT files

CVE-2012-0037 XML Entity Expansion flaw by processing RDF file

CVE-2011-2713 Multiple vulnerabilities in the ‘Microsoft Word’ (doc) binary file format importer

CVE-2013-2189 Microsoft .doc Memory Corruption Vulnerability

CVE-2017-9806 Out-of-Bounds Write in Writer’s WW8Fonts Constructor

CVE-2011-2685 Multiple vulnerabilities in the ‘Lotus Word Pro’ (lwp) file format importer

Third Party Advisories

Fixed in Collabora Office and Collabora GovOffice 5.3-32

CVE-2017-14952 ICU: “redundant UVector entry clean up function call” issue

Fixed in Collabora Office and Collabora GovOffice 5.3-24

CVE-2017-9047 & CVE-2017-9048 & CVE-2017-9049 & CVE-2017-9050 Libxml2 fixes

Fixed in Collabora Office and Collabora GovOffice 5.3-22

CVE-2017-11742: Expat 2.2.3

Fixed in Collabora Office 5.3-6 and Collabora GovOffice 5.3-8

CVE-2014-0160 & more (a set of vulnerabilities) TLS heartbeat read overrun (4.1 line not affected)

CVE-2013-1752 & CVE-2013-4238 Python Multiple Vulnerabilities

CVE-2012-2149 libwpd: Memory overwrite flaw by processing certain WordPerfect (WPD). No version of Collabora Office is affected by this.