=====================================================================
                            CERT-Renater

                  Information Note No. 2025/VULN125
_____________________________________________________________________

DATE                : 26/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running LibreOffice versions prior to 24.8.5.

=====================================================================
https://www.libreoffice.org/about-us/security/advisories/cve-2025-0514/
_____________________________________________________________________

CVE-2025-0514

Title: Executable hyperlink Windows path targets executed unconditionally on activation

Announced: February 25, 2025

Fixed in: LibreOffice 24.8.5

Description:

LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. LibreOffice uses a mechanism that blocks paths to executable targets from being passed to ShellExecute, to avoid attempting to launch executables.

In versions < 24.8.5 this mechanism could be bypassed by use of non-file URLs that could be interpreted by ShellExecute as Windows file paths.

In the fixed versions this circumvention has been blocked.

All Windows users are recommended to upgrade to LibreOffice >= 24.8.5.

Credits:

Thanks to Amel Bouziane-Leblond for finding and reporting this issue.
Thanks to Caolán McNamara of Collabora Productivity and Stephen Bergman of allotropia for providing a fix.

References:

CVE-2025-0514

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
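
Added example (not part of the CERT-Renater note or of LibreOffice's code): a triage helper for hosts still running a version prior to 24.8.5, listing the hyperlink targets stored in an ODF document and reporting those that are neither in-document anchors nor on a scheme allowlist. The allowlist, the function names and the sample document are assumptions made for this illustration; the check is a conservative filter, not a reimplementation of LibreOffice's blocking mechanism.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption: local policy, adjust per site
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def hyperlink_targets(odf_bytes):
    """Return xlink:href of every hyperlink element (<text:a>, <draw:a>) in content.xml."""
    # For files from untrusted senders, parse with a hardened XML parser instead.
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    return [el.get(XLINK_HREF) for el in root.iter()
            if el.tag.endswith("}a") and el.get(XLINK_HREF)]

def needs_review(href):
    """True unless the target is an in-document anchor or uses an allowlisted scheme."""
    href = href.strip()
    if href.startswith("#"):
        return False
    match = SCHEME_RE.match(href)
    return match is None or match.group(1).lower() not in ALLOWED_SCHEMES

def audit(odf_bytes):
    """Hyperlink targets, in document order, that a reviewer should look at."""
    return [h for h in hyperlink_targets(odf_bytes) if needs_review(h)]

def build_sample():
    """Constructed sample: a minimal ODF-style package holding four links."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text><text:p>'
        '<text:a xlink:href="https://example.org/report">a</text:a>'
        '<text:a xlink:href="#Heading1">b</text:a>'
        '<text:a xlink:href="file:///C:/Tools/run.bat">c</text:a>'
        '<text:a xlink:href="vnd.example.test:item">d</text:a>'
        '</text:p></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for href in audit(build_sample()):
        print("review:", href)
```

Upgrading to LibreOffice >= 24.8.5 remains the fix; the helper only prioritises which documents to inspect in the meantime.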