[SECURITY] [DLA 4020-1] libreoffice security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4020-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
January 19, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libreoffice
Version        : 1:7.0.4-4+deb11u12
CVE ID         : CVE-2024-12425 CVE-2024-12426

LibreOffice, an office productivity software suite, was affected by
two vulnerabilities.

CVE-2024-12425

    Improper Limitation of a Pathname to a Restricted Directory
    ('Path Traversal') vulnerability allows Absolute Path Traversal.
    An attacker can write to arbitrary locations, albeit suffixed
    with ".ttf", by supplying a file in a format that supports
    embedded font files.

CVE-2024-12426

    Exposure of Environmental Variables and arbitrary INI file values
    to an Unauthorized Actor vulnerability.
    URLs could be constructed which expanded environmental variables
    or INI file values, so potentially sensitive information could
    be exfiltrated to a remote server on opening a document
    containing such links.

For Debian 11 bullseye, these problems have been fixed in version
1:7.0.4-4+deb11u12.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS