Title: CVE-2023-1183: Arbitrary File Write in hsqldb 1.8.0

Announced: June 19, 2023

Fixed in: LibreOffice 7.4.6/7.5.1


LibreOffice supports embedded databases in its odb file format. The most common format is hsqldb. LibreOffice typically contains a copy of hsqldb version 1.8.0 to load this format. Each odb file contains a "database/script" file which hsqldb parses to set up the database. hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin and output them as such a script. In affected versions of LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command, so that the contents of the file were written to a new file whose location was determined by the attacker.
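A defender who wants to triage odb attachments before they are opened with an affected LibreOffice can check the embedded "database/script" entry for a SCRIPT statement that names an output file, which is the construct the advisory describes. The scanner below is an added example written for this page; it is not code from LibreOffice or hsqldb. It assumes that an odb is a zip archive with the script stored under "database/script" (as stated above) and that hsqldb's file-writing form of the statement is SCRIPT followed by a single-quoted path; the sample script contents and the output path are constructed placeholders.

```python
import io
import re
import zipfile

# Matches the file-writing form of the hsqldb statement, e.g. SCRIPT 'somefile'.
# A bare SCRIPT with no argument only echoes the script and is not flagged.
SCRIPT_WITH_PATH = re.compile(r"^\s*SCRIPT\s+'([^']*)'", re.IGNORECASE)

# Constructed sample contents of a "database/script" entry (not taken from a real document).
SAMPLE_BENIGN = [
    "CREATE SCHEMA PUBLIC AUTHORIZATION DBA",
    'CREATE CACHED TABLE "Customers"("ID" INTEGER NOT NULL PRIMARY KEY,"Name" VARCHAR(50))',
    "SET SCHEMA PUBLIC",
]
# Same script plus a SCRIPT statement with a placeholder output path.
SAMPLE_SUSPICIOUS = SAMPLE_BENIGN + ["SCRIPT '/tmp/EXAMPLE_OUTPUT_PATH'"]


def scan_script_text(script_text):
    """Return (line_number, path) for every SCRIPT statement that writes to a file."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        match = SCRIPT_WITH_PATH.match(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def scan_odb(data):
    """Scan the bytes of an .odb (zip) file.

    Returns a list of (line_number, path) findings from "database/script",
    or an empty list when the archive carries no embedded hsqldb script.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "database/script" not in zf.namelist():
            return []
        # The script is plain text; replace undecodable bytes rather than fail.
        text = zf.read("database/script").decode("utf-8", errors="replace")
    return scan_script_text(text)


def build_sample_odb(script_lines, include_script=True):
    """Build a minimal constructed zip shaped like an odb for testing.

    This is not a real LibreOffice document; only the entries the scanner
    looks at are present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.database")
        if include_script:
            zf.writestr("database/script", "\n".join(script_lines) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, lines in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        findings = scan_odb(build_sample_odb(lines))
        print(f"{label}: {findings}")
```

In practice you would call scan_odb on the bytes of each odb attachment and quarantine any document that produces findings; a legitimate embedded database has no reason to carry a SCRIPT statement in its stored script.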

Users are recommended to upgrade to 7.4.6 or 7.5.1 to avoid this flaw when using packages that include a bundled copy of hsqldb 1.8.0.


Thanks to Gregor Kopf of Secfault Security GmbH for finding and reporting this issue.
Thanks to Fred Toussi for kindly providing a solution to this issue within hsqldb.