CVE-2021-25636
Title: Incorrect trust validation of signature with ambiguous KeyInfo children
Announced: February 22, 2022
Fixed in: LibreOffice 7.2.5/7.3.0

Description: LibreOffice supports digital signatures of ODF documents and of macros within documents, presenting visual indications that the document has not been altered since it was last signed and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag [1]. When such a document was opened, LibreOffice verified the signature using the "KeyValue" but reported the verification as made with the unrelated "X509Data" value. In versions >= 7.2.5 (and >= 7.3.0) certificate validation is configured to consider only X509Data children, limiting validation to X509 certificates.

[1] https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo
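The following is an added example, not LibreOffice code and not part of this bug report. It shows a defender-side audit of a signature stream that applies the same policy the fix adopts: a KeyInfo is acceptable only if every child is X509Data. A KeyInfo carrying both X509Data and KeyValue is flagged as ambiguous, since the key actually used for verification and the certificate shown to the user could then differ. The sample document-signatures XML is constructed for the example (certificate and modulus contents are placeholders), the ODF digital-signature namespace on the wrapper element is assumed, and the audit inspects only the shape of KeyInfo; it does not verify any signature.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Policy mirroring the LibreOffice 7.2.5/7.3.0 fix: only X509 certificates are
# considered, so only X509Data may appear under KeyInfo.
ALLOWED_KEYINFO_CHILDREN = {"X509Data"}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _q(local):
    """Qualify an XML-DSig local name with its namespace for ElementTree lookups."""
    return "{%s}%s" % (DSIG_NS, local)


def audit_keyinfo(xml_text):
    """Map each ds:Signature Id to (status, keyinfo_child_names).

    status is one of:
      'ok'              every KeyInfo child is X509Data
      'ambiguous'       KeyInfo carries both X509Data and KeyValue (CVE-2021-25636 shape)
      'non-x509'        KeyInfo is empty or carries children outside the allowed set
      'missing-keyinfo' the Signature has no KeyInfo at all
    """
    root = ET.fromstring(xml_text)
    report = {}
    # Element.iter() includes the root itself, so a bare ds:Signature root is found too.
    for idx, sig in enumerate(root.iter(_q("Signature"))):
        sig_id = sig.get("Id", "signature-%d" % idx)
        keyinfo = sig.find(_q("KeyInfo"))
        if keyinfo is None:
            report[sig_id] = ("missing-keyinfo", [])
            continue
        children = [_local(child.tag) for child in keyinfo]
        names = set(children)
        if "X509Data" in names and "KeyValue" in names:
            status = "ambiguous"
        elif names and names <= ALLOWED_KEYINFO_CHILDREN:
            status = "ok"
        else:
            status = "non-x509"
        report[sig_id] = (status, children)
    return report


def all_signatures_acceptable(report):
    """True only if there is at least one signature and every one passed the policy."""
    return bool(report) and all(status == "ok" for status, _ in report.values())


# Constructed sample of a documentsignatures.xml stream (not a real document):
# one well-formed signature and one with the ambiguous KeyInfo this CVE describes.
SAMPLE_SIGNATURES = """<?xml version="1.0" encoding="UTF-8"?>
<document-signatures
    xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature Id="sig-ok">
    <ds:SignedInfo/>
    <ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <ds:Signature Id="sig-ambiguous">
    <ds:SignedInfo/>
    <ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>MODULUS-PLACEHOLDER</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</document-signatures>
"""

if __name__ == "__main__":
    report = audit_keyinfo(SAMPLE_SIGNATURES)
    for sig_id, (status, children) in report.items():
        print("%-14s %-10s children=%s" % (sig_id, status, children))
    print("document acceptable:", all_signatures_acceptable(report))
```

In practice the input would be the META-INF/documentsignatures.xml or META-INF/macrosignatures.xml entry read from the ODF zip container; a document whose report is not acceptable should be treated as unsigned rather than trusted on the strength of whatever certificate its UI would display.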
Created libreoffice tracking bugs for this issue: Affects: fedora-all [bug 2056956]
Upstream patches:
https://gerrit.libreoffice.org/c/core/+/127193
https://gerrit.libreoffice.org/c/core/+/127179
https://gerrit.libreoffice.org/c/core/+/127178
https://gerrit.libreoffice.org/c/core/+/127177
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8 via RHSA-2022:7461 https://access.redhat.com/errata/RHSA-2022:7461
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25636