CVE-2021-25632
Title: fileloc extension added to macOS executable denylist
Announced: May 18, 2021
Fixed in: LibreOffice 7.0.6/7.1.3
Description:
LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system ‘open’ utility for handling. LibreOffice contains a denylist of extensions that it blocks from passing to ‘open’ to avoid attempting to launch executables.
In versions of LibreOffice without this fix the denylist didn’t include the .fileloc extension which could be used to launch an executable on the system.
In the fixed versions this extension has been blocked. All macOS users are recommended to upgrade to LibreOffice >= 7.0.6 or 7.1.3
References:
Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem
References:
CVE-2021-25632
Follow Us