Security
How to Report
If you came here looking for end-user support, please send any question not related to a specific security bug to users@global.libreoffice.org.
The security teams for products associated with the code-base can be contacted at officesecurity@lists.freedesktop.org, this includes representatives of many vendors, and associated projects. This email address is solely for reporting security issues related to the software. If your virus checker is flagging a LibreOffice download as containing a virus, this is almost certainly a false positive. Please check with another anti-virus vendor, and/or file a bug report with them before bothering the security list, also please consider purchasing a more accurate virus checker.
In your report, please include the following information:
- In what version did you identify the specific security problem
- If it is platform dependent, which platform are you using
- A proof of concept if possible
Security Advisories
Fixed in LibreOffice 3.5.7
CVE-2012-4233 Multiple file format denial of service vulnerabilities
Fixed in LibreOffice 3.5.5
CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code
Fixed in LibreOffice 3.5.3
CVE-2012-1149 Integer overflows in graphic object loading
CVE-2012-2334 Integer overflow flaw with malformed PPT files
Fixed in LibreOffice 3.4.6/3.5.1
CVE-2012-0037 XML Entity Expansion flaw by processing RDF file
Fixed in LibreOffice 3.4.3:
CVE-2011-2713 Multiple vulnerabilities in the 'Microsoft Word' (doc) binary file format importer
Fixed in LibreOffice 3.3.3/3.4.0:
CVE-2011-2685 Multiple vulnerabilities in the 'Lotus Word Pro' (lwp) file format importer
Third Party Advisories
CVE-2012-2149 libwpd: Memory overwrite flaw by processing certain WordPerfect (WPD). No version of LibreOffice is affected by this.