
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN279
_____________________________________________________________________

DATE                : 18/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running LibreOffice versions prior to 7.0.6,
                      7.1.3.

=====================================================================
https://www.libreoffice.org/about-us/security/advisories/cve-2021-25632/
_____________________________________________________________________

CVE-2021-25632

Title: fileloc extension added to macOS executable denylist

Announced: May 18, 2021

Fixed in: LibreOffice 7.0.6/7.1.3

Description:

LibreOffice has a feature where hyperlinks in a document can be
activated by CTRL+click. Under macOS the link can be passed to the
system 'open' utility for handling. LibreOffice contains a denylist of
extensions that it blocks from passing to 'open' to avoid attempting to
launch executables.

In the LibreOffice 7-1 series in versions prior to 7.1.3, and in the 7-0
series in versions prior to 7.0.6, the denylist didn't include the
.fileloc extension which could be used to launch an executable on the
system.

In the fixed versions this extension has been blocked. All macOS users
are recommended to upgrade to LibreOffice >= 7.0.6 or >= 7.1.3.
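
As an added example (not part of the advisory and not LibreOffice's code),
the following Python script audits an ODF document for hyperlinks whose
target extension is on a denylist, the same kind of extension check the
description refers to. Only "fileloc" comes from the advisory; the other
denylist entries, the function names and the sample document are
constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit, unquote

# Only "fileloc" comes from the advisory; the other entries are constructed
# placeholders, not LibreOffice's actual denylist.
DENYLISTED_EXTENSIONS = {"fileloc", "app", "command"}

# Hyperlink targets in ODF XML are stored in xlink:href attributes.
HREF_RE = re.compile(r'xlink:href="([^"]*)"')

def link_extension(href):
    """Return the lower-cased extension of a link's path component, or ''."""
    path = unquote(urlsplit(href).path).rstrip("/")
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def risky_links(odf_bytes, denylist=DENYLISTED_EXTENSIONS):
    """List hyperlink targets in an ODF file whose extension is denylisted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for member in ("content.xml", "styles.xml"):
            if member not in zf.namelist():
                continue
            xml = zf.read(member).decode("utf-8", errors="replace")
            for href in HREF_RE.findall(xml):
                if link_extension(href) in denylist:
                    hits.append(href)
    return hits

def build_sample_odt():
    """Constructed sample: a minimal ODF-like zip holding three hyperlinks."""
    content = (
        '<office:document-content>'
        '<text:a xlink:href="https://example.org/report.pdf">a</text:a>'
        '<text:a xlink:href="file:///Users/Shared/Notes.FileLoc">b</text:a>'
        '<text:a xlink:href="file:///tmp/x.fileloc?x=1#frag">c</text:a>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for href in risky_links(build_sample_odt()):
        print("denylisted link target:", href)
```

The comparison is case-insensitive and ignores query strings and
fragments, so variants such as "Notes.FileLoc" are still reported.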


Credits:

Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and
reporting this problem.


References:

    CVE-2021-25632


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




