tl;dr: upgrade to LibreOffice >= 7.2.6 or >= 7.3.1, (which was already recommended)
https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745 CVE-2022-38745: Empty entry in Java class path risks arbitrary code execution Fixed in: LibreOffice 7.2.6/7.3.1 Description: Most versions of LibreOffice support and contain components written in Java. LibreOffice extends the existing Java class path with its own internal classes. In the affected versions of LibreOffice if the existing class path was empty, then when Java class files are loaded, the current working directory is searched for valid classes before using the embedded versions. If an attacker sends a zip file containing a class file alongside a document then depending on the file manager or other tool used to open the zip file, navigate to the document and launch LibreOffice to open it, then the current working directory of LibreOffice may be the directory in which the class file exists, in which case there is a risk that the arbitrary code of the class file could be executed. In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not appended to the classpath -- To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy
