Title: CVE-2023-6185: Improper input validation enabling arbitrary Gstreamer pipeline injection

Announced: December 11, 2023

Fixed in: LibreOffice 7.5.9/7.6.3


LibreOffice supports embedded videos in file formats via platform audio/video support. Typically under Linux this is via gstreamer. In affected version of LibreOffice the filename of the embedded video is not sufficiently escaped when passed to gstreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

Linux Users are recommended to upgrade to 7.5.9 or 7.6.3 to avoid this flaw.


Thanks to Reginaldo Silva of for finding and reporting this issue.
Thanks to Collabora Productivity for providing a fix.