PublicDateAtUSN: 2022-02-24 15:15:00 UTC
Candidate: CVE-2021-25636
PublicDate: 2022-02-24 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25636
 https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636
 https://ubuntu.com/security/notices/USN-5330-1
Description:
 LibreOffice supports digital signatures of ODF documents and macros within
 documents, presenting visual aids that no alteration of the document
 occurred since the last signing and that the signature is valid. An
 Improper Certificate Validation vulnerability in LibreOffice allowed an
 attacker to create a digitally signed ODF document, by manipulating the
 documentsignatures.xml or macrosignatures.xml stream within the document to
 contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which
 when opened caused LibreOffice to verify using the "KeyValue" but to report
 verification with the unrelated "X509Data" value. This issue affects: The
 Document Foundation LibreOffice 7.2 versions prior to 7.2.5.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=2056955
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_libreoffice:
 upstream: https://github.com/LibreOffice/core/commit/b0404f80577de9ff69e58390c6f6ef949fdb0139
upstream_libreoffice: released (1:7.3.0-1,7.2.5)
esm-infra/xenial_libreoffice: needs-triage
trusty_libreoffice: ignored (out of standard support)
xenial_libreoffice: ignored (out of standard support)
bionic_libreoffice: released (1:6.0.7-0ubuntu0.18.04.11)
focal_libreoffice: released (1:6.4.7-0ubuntu0.20.04.4)
impish_libreoffice: released (1:7.2.5-0ubuntu0.21.10.3)
jammy_libreoffice: not-affected (1:7.2.5~rc2-0ubuntu1)
devel_libreoffice: not-affected (1:7.2.5~rc2-0ubuntu1)