CVE-2023-6185
Title: CVE-2023-6185: Improper input validation enabling arbitrary Gstreamer pipeline injection
Announced: December 11, 2023
Fixed in: LibreOffice 7.5.9/7.6.3
Description:
LibreOffice supports embedded videos in file formats via platform audio/video support. Typically under Linux this is via gstreamer. In affected version of LibreOffice the filename of the embedded video is not sufficiently escaped when passed to gstreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.
Linux Users are recommended to upgrade to 7.5.9 or 7.6.3 to avoid this flaw.
Credit:
Thanks to Reginaldo Silva of ubercomp.com for finding and reporting this issue.
Thanks to Collabora Productivity for providing a fix.
References:
Follow Us