Subject: CVE-2021-25636: only use X509Data
author Caolan McNamara <caolanm@redhat.com>
Sat, 25 Mar 2023 18:15:47 +0000 (18:15 +0000)
committer Bastien Roucariès <rouca@debian.org>
Fri, 29 Dec 2023 09:39:36 +0000 (09:39 +0000)
commit 6a7bd10fd46827ed0ad6a951d35e9aad4d5be912
tree 7f8187818b29274e138ed2bedcf955fc7010a367
parent 6b1881f64e73e7d89a628a290dbe7b6028ebb34d
Subject: CVE-2021-25636: only use X509Data

LibreOffice supports digital signatures of ODF documents and macros
within documents, presenting visual aids that no alteration of the
document occurred since the last signing and that the signature is
valid. An Improper Certificate Validation vulnerability in LibreOffice
allowed an attacker to create a digitally signed ODF document, by
manipulating the documentsignatures.xml or macrosignatures.xml stream
within the document to contain both "X509Data" and "KeyValue" children
of the "KeyInfo" tag, which when opened caused LibreOffice to verify
using the "KeyValue" but to report verification with the unrelated
"X509Data" value.

Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178
Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139)
Signed-off-by: Bastien Roucariès <rouca@debian.org>
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2021-25636
bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2056955
origin: https://gitlab.com/redhat/centos-stream/rpms/libreoffice/-/raw/c8s/0001-CVE-2021-25636.patch
bug: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636
Signed-off-by: Bastien Roucariès <rouca@debian.org>
Gbp-Pq: Name 0066-Subject-CVE-2021-25636-only-use-X509Data.patch
xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
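As an added check, not LibreOffice's code and not part of this commit, the script below walks an extracted documentsignatures.xml or macrosignatures.xml stream, lists the children of each ds:KeyInfo, and flags any signature whose KeyInfo carries a KeyValue, the shape this CVE abused (a verifier keyed off KeyValue while the UI reported the unrelated X509Data). The sample XML is constructed, trimmed to the KeyInfo elements, and its Ids, certificate and key values are placeholders.

```python
# Added example (not LibreOffice code): audit ds:KeyInfo contents in an ODF
# signature stream for the X509Data + KeyValue mix described in CVE-2021-25636.
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"


def audit_keyinfo(xml_text: str) -> list[dict]:
    """Return one finding per ds:Signature: which KeyInfo children are present
    and whether the combination is suspicious (any KeyValue at all)."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        keyinfo = sig.find(f"{{{DSIG}}}KeyInfo")
        # Strip the namespace so we compare local names such as "X509Data".
        children = set()
        if keyinfo is not None:
            children = {child.tag.rsplit("}", 1)[-1] for child in keyinfo}
        has_x509 = "X509Data" in children
        has_keyvalue = "KeyValue" in children
        findings.append({
            "id": sig.get("Id", "<no Id>"),
            "x509data": has_x509,
            "keyvalue": has_keyvalue,
            # KeyValue beside X509Data is the CVE pattern; KeyValue alone names
            # no certificate to attribute the signature to, so flag both cases.
            "suspicious": has_keyvalue,
        })
    return findings


# Constructed sample resembling META-INF/documentsignatures.xml, reduced to the
# KeyInfo elements; the second signature mixes X509Data with KeyValue.
SAMPLE = """<document-signatures
 xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature Id="sig-ok">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <ds:Signature Id="sig-mixed">
  <ds:KeyInfo>
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
   <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
  </ds:KeyInfo>
 </ds:Signature>
</document-signatures>"""

if __name__ == "__main__":
    for finding in audit_keyinfo(SAMPLE):
        print(finding)
```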