This is Enoki. There was an announcement on the tdf-discuss mailing list about fixes for the following three vulnerabilities, so I am forwarding it: CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307

To use versions in which these vulnerabilities are fixed, update the LibreOffice 7.2 series to 7.2.7 and the LibreOffice 7.3 series to 7.3.3 or later. For details, see the content of the forwarded mail below.

---------- Forwarded message ---------
From: Caolán McNamara <caol...@redhat.com>
Date: Mon, 25 Jul 2022 20:18
Subject: [tdf-discuss] security related information, CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307
To: <disc...@documentfoundation.org>

tl:dr upgrade LibreOffice 7-2 to 7.2.7, and/or upgrade LibreOffice 7-3 to 7.3.3

CVE-2022-26305 Execution of Untrusted Macros Due to Improper Certificate Validation

Due to a poor mechanism for comparing the authors of certificates it was possible to make a digitally signed document containing macros incorrectly appear as if it was signed by a trusted author (if the user had configured trusted certificates).

Fixed in 7.2.7 and 7.3.2
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305

---

LibreOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. There were two problems here:

CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password

The same initial vector for the encryption process was used for all encryption, leaving the password potentially vulnerable to recovery if an attacker gained access to the user's config data.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306

and

CVE-2022-26307 Weak Master Keys

A flaw in LibreOffice existed where the master key was poorly encoded, resulting in weakening its entropy from 128 to 43 bits, making the stored passwords vulnerable to a brute force attack if an attacker has access to the user's stored config.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307

For CVE-2022-26306 and CVE-2022-26307 newly saved password information is saved using a more secure mechanism.

In order to deal with old preexisting vulnerable data, if the old format is detected in the user's config during application startup then an infobar prompts the user to reenter their password in order to trigger replacing that old data with the new format.

--
To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy

--
Shinji Enoki
shinji.en...@gmail.com

--
Unsubscribe instructions: E-mail to users+unsubscr...@ja.libreoffice.org
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/ja/users/
Privacy Policy: https://www.documentfoundation.org/privacy
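Added example, not LibreOffice's code: it illustrates the static-IV weakness described for CVE-2022-26306 next to the per-record random IV that the fix pattern uses, plus a check a defender can run over a stored-password database to flag records sharing an IV. The cipher is a stand-in HMAC-SHA256 counter-mode keystream so the script needs only the Python standard library; the salt, master password and sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher (constructed, not LibreOffice's): an HMAC-SHA256 keystream XORed
# into the plaintext, so a reused (key, iv) pair reuses the keystream exactly as
# it would in a real stream/CTR-mode cipher.

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 256-bit record key from the user's master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def xor_with_keystream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts alike (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))

STATIC_IV = bytes(16)  # constructed: the weak pattern, one IV for every record

def store_weak(key: bytes, password: str) -> dict:
    """Vulnerable pattern: every record is encrypted under the same fixed IV."""
    return {"iv": STATIC_IV, "ct": xor_with_keystream(key, STATIC_IV, password.encode())}

def store_fixed(key: bytes, password: str) -> dict:
    """Corrected pattern: a fresh random IV per record, stored beside the ciphertext."""
    iv = secrets.token_bytes(16)
    return {"iv": iv, "ct": xor_with_keystream(key, iv, password.encode())}

def recover(key: bytes, record: dict) -> str:
    return xor_with_keystream(key, record["iv"], record["ct"]).decode()

def reused_ivs(records: list) -> set:
    """Defender check over a stored-password database: IVs shared by 2+ records."""
    counts = {}
    for r in records:
        counts[r["iv"]] = counts.get(r["iv"], 0) + 1
    return {iv for iv, n in counts.items() if n > 1}

if __name__ == "__main__":
    key = derive_key("correct horse battery", b"constructed-salt")
    weak = [store_weak(key, "hunter2"), store_weak(key, "hunter2")]
    fixed = [store_fixed(key, "hunter2"), store_fixed(key, "hunter2")]
    # Same password under the same static IV: identical ciphertexts betray the
    # repetition, and the shared keystream ties every record to every other one.
    print("weak records identical:", weak[0]["ct"] == weak[1]["ct"])
    print("fixed records identical:", fixed[0]["ct"] == fixed[1]["ct"])
```

With the static IV, `reused_ivs` reports the shared IV for any database holding two or more records; after migration to per-record IVs it returns an empty set.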