Bug 2182044 (CVE-2022-38745)

Summary: CVE-2022-38745 libreoffice: Empty entry in Java class path
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: LibreOffice 7.2.6, LibreOffice 7.3.1
Doc Text:
A flaw was found in LibreOffice. When an empty Java class path entry is configured, LibreOffice will search for Java classes in the current working directory, allowing malicious Java classes to load when opening a document using the file manager, resulting in arbitrary code execution.
Bug Depends On: 2182045, 2182390, 2182391, 2182392, 2182393    
Bug Blocks: 2182046    

Description Pedro Sampaio 2023-03-27 12:12:07 UTC
Fixed in: LibreOffice 7.2.6/7.3.1

Description:

Most versions of LibreOffice support and contain components written in Java. LibreOffice extends the existing Java class path with its own internal classes.

In the affected versions of LibreOffice, if the existing class path was empty, then when Java class files are loaded, the current working directory is searched for valid classes before using the embedded versions. If an attacker sends a zip file containing a class file alongside a document then, depending on the file manager or other tool used to open the zip file, on navigating to the document and launching LibreOffice to open it, the current working directory of LibreOffice may be the directory in which the class file exists, in which case there is a risk that the arbitrary code of the class file could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not appended to the classpath.

References:

https://www.libreoffice.org/about-us/security/advisories/cve-2022-38745/
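
The class path handling described above, shown as an added example that is not part of the original report and is not LibreOffice's code. It contrasts an unconditional join, which leaves an empty entry when the existing class path is empty, with a join that drops empty entries, and includes a check for empty entries in any class path string. The function names, jar paths and directory are assumptions constructed for the illustration.

```python
# Added illustration; not LibreOffice code. Names and paths are hypothetical.
SEP = ":"  # class path separator on Linux

# Constructed stand-ins for the application's internal jars.
INTERNAL = ["/opt/office/classes/internal-a.jar",
            "/opt/office/classes/internal-b.jar"]


def extend_naive(existing, internal):
    """Affected pattern: join unconditionally, so an empty `existing`
    becomes an empty first entry in the result."""
    return SEP.join([existing] + list(internal))


def extend_filtered(existing, internal):
    """Fixed pattern: drop empty entries before appending internal ones."""
    entries = [e for e in existing.split(SEP) if e]
    return SEP.join(entries + list(internal))


def empty_entry_positions(classpath):
    """Indices of empty entries (leading/trailing separator or '::')."""
    return [i for i, e in enumerate(classpath.split(SEP)) if e == ""]


def search_order(classpath, cwd):
    """Locations searched in order, with each empty entry resolved to the
    current working directory, as the report describes."""
    return [e if e else cwd for e in classpath.split(SEP)]


if __name__ == "__main__":
    cwd = "/tmp/extracted-zip"  # constructed: where a file manager unpacked
    for build in (extend_naive, extend_filtered):
        cp = build("", INTERNAL)
        print(build.__name__, repr(cp))
        print("  empty entries at:", empty_entry_positions(cp))
        print("  search order:", search_order(cp, cwd))
```

`empty_entry_positions` can also be run against a `CLASSPATH` value inherited from the environment to spot a leading, trailing or doubled separator before a Java-enabled application is launched.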

Comment 1 Pedro Sampaio 2023-03-27 12:12:20 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 2182045]

Comment 7 errata-xmlrpc 2023-11-07 08:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6508 https://access.redhat.com/errata/RHSA-2023:6508

Comment 8 errata-xmlrpc 2023-11-14 15:16:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6933 https://access.redhat.com/errata/RHSA-2023:6933