Title: CVE-2023-1183: Arbitrary File Write in hsqldb 1.8.0
Announced: June 19, 2023
Fixed in: LibreOffice 7.4.6/7.5.1
LibreOffice supports embedded databases in its odb file format. The most common format is hsqldb, and LibreOffice typically bundles a copy of hsqldb version 1.8.0 to load it. Each odb file contains a "database/script" file which hsqldb parses to set up the database. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands entered by the database admin and output them as such a script. In affected versions of LibreOffice, an attacker could craft an odb whose "database/script" file itself contained a SCRIPT command, causing the contents of that file to be written to a new file at a location chosen by the attacker.
Users are recommended to upgrade to 7.4.6 or 7.5.1 to avoid this flaw when using the packages provided from www.libreoffice.org which include a bundled copy of hsqldb 1.8.0.
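As an added triage example (not part of the advisory or of LibreOffice/hsqldb), the following scanner opens an odb archive as the zip it is, reads the embedded "database/script" member described above, and flags any SCRIPT statement carrying a file argument, which a normal embedded script does not contain. The minimal archives it builds for its own test are constructed here and are not real LibreOffice documents; the path in the suspicious sample is a placeholder.

```python
import io
import re
import zipfile

# A statement-level SCRIPT with a quoted file argument, matched per line.
SCRIPT_WRITE = re.compile(r"^\s*SCRIPT\s+'[^']*'", re.IGNORECASE)

def find_script_writes(odb_bytes):
    """Return (line number, statement) pairs for SCRIPT-to-file statements
    found in the database/script member of an odb archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odb_bytes)) as zf:
        if "database/script" not in zf.namelist():
            return hits  # no embedded hsqldb script: nothing to inspect
        text = zf.read("database/script").decode("utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if SCRIPT_WRITE.match(line):
                hits.append((lineno, line.strip()))
    return hits

def build_odb(script_lines):
    """Constructed minimal odb-like zip for testing only (not a real document):
    just the ODF mimetype marker plus a database/script member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.base")
        zf.writestr("database/script", "\n".join(script_lines) + "\n")
    return buf.getvalue()

# Constructed samples: an ordinary schema script, and one carrying a
# SCRIPT statement that would write the script file out to a chosen path.
BENIGN = build_odb([
    "CREATE SCHEMA PUBLIC AUTHORIZATION DBA",
    "CREATE TABLE T(ID INTEGER)",
])
SUSPICIOUS = build_odb([
    "CREATE TABLE T(ID INTEGER)",
    "SCRIPT '/PLACEHOLDER/OUTPUT/PATH'",  # placeholder path, constructed for the test
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_script_writes(sample))
```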
Thanks to Gregor Kopf of Secfault Security GmbH for finding and reporting this issue.
Thanks to Fred Toussi for kindly providing a solution to this issue within hsqldb.