LibreOffice Security Updates Patched Critical WebP Vulnerability
LibreOffice, developed by The Document Foundation, is a free and open-source suite of office productivity software. Recently, The Document Foundation released LibreOffice security updates, versions 7.6.2 and 7.5.7, addressing a critical vulnerability found in the WebP codec. Both versions arrived earlier than scheduled, specifically to patch CVE-2023-4863.
LibreOffice 7.6.2 & 7.5.7 Security Updates
CVE-2023-4863 is a heap buffer overflow vulnerability identified in the libwebp library, which is commonly used to decode the WebP graphics format. It impacts all applications that depend on the libwebp library, including major web browsers like Mozilla Firefox, Chrome/Chromium, and Edge. It has been categorized as critical because it can allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
The latest versions of the above-mentioned browsers have already addressed this WebP vulnerability, and it is now also fixed in the LibreOffice program if users update to either LibreOffice 7.6.2 or LibreOffice 7.5.7.
In addition to addressing this critical security vulnerability, the LibreOffice 7.6.2 release includes 54 fixes for various bugs and regressions, as outlined in the RC1 changelog. On the other hand, LibreOffice 7.5.7 features a more modest 14 bug fixes, also detailed in the RC1 changelog.
All LibreOffice users are strongly advised to apply these security updates. Both LibreOffice 7.6.2 and LibreOffice 7.5.7 can be downloaded from the official website in binary format, prepared by The Document Foundation for DEB or RPM-based distributions, as well as in the form of a source tarball.
Furthermore, it is worth performing regular updates of your GNU/Linux systems to safeguard against such critical vulnerabilities. These new LibreOffice updates will also soon become available in your distribution’s stable repositories, so it’s advisable to maintain a routine update schedule to ensure your system remains protected.
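To check whether a host already runs one of the fixed releases named above, the following sketch classifies a LibreOffice version string. It is an added example, not code from the article or from The Document Foundation; the function names are hypothetical and the sample strings are constructed. It assumes that `soffice --version` prints the product name followed by a dotted version, and that the build is an upstream one whose version number reflects the fix (a distribution package may carry the fix under a different number).

```shell
#!/bin/sh
# Added example: compare a LibreOffice version string with the fixed
# releases named in the article (7.6.2 and 7.5.7 for CVE-2023-4863).

# Pull the first major.minor.micro triple out of version text.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints one of:
#   patched    - at or above the fixed release of its branch
#   vulnerable - on the 7.5 or 7.6 branch, below the fixed release
#   unlisted   - a branch the article does not mention; check the vendor notes
#   unparsed   - no version triple found in the input
classify_version() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo "unparsed"; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    case "$major.$minor" in
        7.6) fixed=2 ;;   # fixed in 7.6.2
        7.5) fixed=7 ;;   # fixed in 7.5.7
        *)   echo "unlisted"; return 0 ;;
    esac
    if [ "$micro" -ge "$fixed" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample strings (not captured from a real system).
for sample in "LibreOffice 7.6.1.2 (sample)" "LibreOffice 7.6.2.1 (sample)" \
              "LibreOffice 7.5.6.2 (sample)" "LibreOffice 7.5.7.1 (sample)" \
              "LibreOffice 7.4.7.2 (sample)" "no version here"; do
    printf '%-32s -> %s\n' "$sample" "$(classify_version "$sample")"
done

# On a live host: classify_version "$(soffice --version 2>/dev/null)"
```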
The sources for this article include a story from 9to5Linux.