SB2023122041 - SUSE update for libreoffice

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2023-6185)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of filenames of the embedded video files before passing it to gstreamer. A remote attacker can create a specially crafted document with embedded video inside, trick the victim into opening it and execute arbitrary OS commands on the system.

2) Security features bypass (CVE-ID: CVE-2023-6186)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of hyperlinks within the document. A remote attacker can create a specially crafted hyperlink, trick the victim into clicking on the link inside the document and execute arbitrary macro without a warning, resulting in a code execution.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2023/suse-su-20234932-1/