Today CVE-2025-1080 popped up:

> insufficient validation of "vnd.libreoffice.command" URI schemes could result
> in the execution of arbitrary macro commands.

A normal apparmor profile would avoid a disastrous private data exfiltration (network/.gnupg/.ssh/...) from a mere macro abusing such a vulnerability.

**But** a profile which grants read/network access to very sensitive files/abilities in order to comply with edge-case scenarios serves no use anymore. The default profile must be strict, and edge cases must be handled on a case-by-case basis using apparmor.d/local overrides or by simply uncommenting them.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-1080

--
https://bugs.launchpad.net/bugs/1886092

Title: libreoffice doesn't list gpg private key for a digital signature due to apparmor
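
The distinction drawn in the comment above, between a strict default and a profile that grants sensitive access for edge cases, can be checked mechanically. This is an added example, not part of the original bug comment and not Ubuntu's actual profile: a Python check that flags active allow rules granting network access or read/write access under `.gnupg`/`.ssh`. The profile name `soffice-example` and both sample profiles are constructed for illustration.

```python
import re

SENSITIVE_DIRS = (".gnupg", ".ssh")   # directories named in the comment above
# AppArmor rule qualifiers come in the order: [audit] [allow|deny] [owner]
FILE_RULE = re.compile(
    r"^(?:audit\s+)?(?P<qual>allow\s+|deny\s+)?(?:owner\s+)?"
    r"(?P<path>[/@]\S+)\s+(?P<perms>[a-zA-Z]+),")
NET_RULE = re.compile(r"^(?:audit\s+)?(?P<qual>allow\s+|deny\s+)?network\b")

def audit_profile(text):
    """Return (line_no, rule, reason) for each active allow rule that grants
    network access or read/write access under a sensitive directory.
    Includes are not followed; commented-out rules count as inactive."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        net, rule = NET_RULE.match(line), FILE_RULE.match(line)
        if net and (net["qual"] or "").strip() != "deny":
            findings.append((no, line, "network access"))
        elif rule and (rule["qual"] or "").strip() != "deny":
            hit = [d for d in SENSITIVE_DIRS if f"/{d}/" in rule["path"] + "/"]
            if hit and set(rule["perms"]) & set("rw"):
                findings.append((no, line, f"access to {hit[0]}"))
    return findings

# Constructed sample: strict default, edge case left commented out,
# site-specific exceptions delegated to a local override file.
STRICT = """\
profile soffice-example /usr/lib/libreoffice/program/soffice.bin {
  include <abstractions/base>
  owner @{HOME}/Documents/** rw,
  deny @{HOME}/.ssh/** rw,
  deny network,
  # owner @{HOME}/.gnupg/** r,
  include if exists <local/soffice-example>
}
"""
# Constructed sample: the same profile with the edge-case grants switched on.
PERMISSIVE = (STRICT.replace("deny network,", "network inet stream,")
                    .replace("# owner", "owner"))

if __name__ == "__main__":
    for name, text in (("strict", STRICT), ("permissive", PERMISSIVE)):
        print(name, audit_profile(text))
```
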
