Debian update for libreoffice
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-12425 CVE-2024-12426 |
| CWE-ID | CWE-22 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Debian Linux Operating systems & Components / Operating system libreoffice (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU102416
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-12425
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to input validation error when processing documents with embedded .ttf font files. A remote attacker can create a specially crafted document, trick the victim into opening and and overwrite arbitrary files on the system, leading to remote code execution.
Update libreoffice package to version 4:7.4.7-1+deb12u6.
Vulnerable software versionsDebian Linux: All versions
libreoffice (Debian package): before 4:7.4.7-1+deb12u6
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:libreoffice_debian_package:*:*:*:*:*:debian_linux:*:*
https://lists.debian.org/debian-security-announce/2025/msg00008.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU102417
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-12426
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to application allows to dynamically create links to external websites using information from environmental variables or INI file values. A remote attacker can trick the victim into opening a specially crafted documents and then clicking on the link in that document to gain access to potentially sensitive information.
Update libreoffice package to version 4:7.4.7-1+deb12u6.
Vulnerable software versionsDebian Linux: All versions
libreoffice (Debian package): before 4:7.4.7-1+deb12u6
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:libreoffice_debian_package:*:*:*:*:*:debian_linux:*:*
https://lists.debian.org/debian-security-announce/2025/msg00008.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
