tl;dr: upgrade to LibreOffice >= 7.4.7 or >= 7.5.3

CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing

Fixed in: LibreOffice 7.4.6/7.5.1

Description:

In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with fewer parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.

In versions >= 7.4.6 (and >= 7.5.2) the count of parameters is validated.

Credits:

* Secusmart GmbH for discovering and reporting the issue
* Eike Rathke of Red Hat, Inc. for a solution

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-0950

CVE-2023-2255: Remote documents loaded without prompt via IFrame

Fixed in: LibreOffice 7.4.7/7.5.3

Description:

LibreOffice supports "Floating Frames", similar to an HTML IFrame. The frames display their linked document in a floating frame inside the host document.

In affected versions of LibreOffice these floating frames fetch and display their linked document without prompt on loading the host document. This was inconsistent with the behavior of other linked document content such as OLE objects, Writer linked sections or Calc WEBSERVICE formulas, which warn the user that there are linked documents and prompt whether they should be allowed to update.

In versions >= 7.4.7 (and >= 7.5.3) the existing "update link" manager has been expanded to additionally control the update of the content of IFrames, so such IFrames will not automatically refresh their content unless the user agrees via the prompts.

Thanks to Amel Bouziane-Leblond for discovering this flaw.

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255
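Added example, not part of the original advisory or of LibreOffice's code: a triage script that lists the floating frames in an OpenDocument file so documents received before patching can be reviewed for CVE-2023-2255. It assumes the ODF representation of a floating frame (a draw:floating-frame element with an xlink:href attribute); the function names, the set of schemes treated as remote, and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
FRAME_TAG = f"{{{DRAW_NS}}}floating-frame"
HREF_ATTR = f"{{{XLINK_NS}}}href"
NETWORK_SCHEMES = {"http", "https", "ftp"}  # assumption: what this check calls "remote"

def find_floating_frames(odf_bytes):
    """Return [(package member, href, is_remote)] for every floating frame found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for name in pkg.namelist():
            # Also covers embedded sub-documents such as "Object 1/content.xml".
            if not name.endswith(("content.xml", "styles.xml")):
                continue
            data = pkg.read(name)
            if b"<!DOCTYPE" in data:  # not expected in ODF; refuse entity tricks
                raise ValueError(f"{name}: unexpected DOCTYPE")
            for el in ET.fromstring(data).iter(FRAME_TAG):
                href = el.get(HREF_ATTR, "")
                remote = urlparse(href).scheme.lower() in NETWORK_SCHEMES
                findings.append((name, href, remote))
    return findings

def build_sample(href):
    """Constructed minimal package with one floating frame (test fixture only)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        f' xmlns:draw="{DRAW_NS}" xmlns:xlink="{XLINK_NS}">'
        '<office:body><office:text><draw:frame>'
        f'<draw:floating-frame xlink:href="{href}"/>'
        '</draw:frame></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_floating_frames(build_sample("https://example.invalid/linked.odt")):
        print(hit)
```

A finding with is_remote set is the case the advisory describes: on affected versions the linked document is fetched when the host document loads.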