Bug 2056955 (CVE-2021-25636) - CVE-2021-25636 libreoffice: Incorrect trust validation of signature with ambiguous KeyInfo children
Summary: CVE-2021-25636 libreoffice: Incorrect trust validation of signature with ambi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-25636
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2056956 2060559 2060560 2060561
Blocks: 2056958
Reported: 2022-02-22 12:34 UTC by Sandipan Roy
Modified: 2022-12-04 01:03 UTC

Fixed In Version: libreoffice 7.2.5, libreoffice 7.3.0
Doc Type: If docs needed, set a value
Doc Text:
An improper certificate validation flaw was found in LibreOffice that allows an attacker to manipulate a digitally signed ODF document so that it appears that no alteration of the document has occurred since the last signing and that the signature is valid.
Clone Of:
Environment:
Last Closed: 2022-12-04 01:03:15 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7461 0 None None None 2022-11-08 09:12:21 UTC

Description Sandipan Roy 2022-02-22 12:34:49 UTC
CVE-2021-25636

Title: Incorrect trust validation of signature with ambiguous KeyInfo children

Announced: February 22, 2022

Fixed in: LibreOffice 7.2.5/7.3.0

Description:

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids indicating that no alteration of the document occurred since the last signing and that the signature is valid.

An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag[1], which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value.

In versions >= 7.2.5 (and >= 7.3.0) certificate validation is configured to only consider X509Data children to limit validation to X509 certificates only.

[1] https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo
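A defensive pre-check for the pattern described above, added here as an example and not taken from LibreOffice's own code: it flags any ds:Signature whose KeyInfo carries both X509Data and KeyValue, and shows the fixed behaviour of collecting key material from X509Data only. The sample signature stream, its root namespace and the placeholder certificate and key values are constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE, KEYINFO = f"{{{DS}}}Signature", f"{{{DS}}}KeyInfo"
X509DATA, KEYVALUE = f"{{{DS}}}X509Data", f"{{{DS}}}KeyValue"
X509CERT = f"{{{DS}}}X509Certificate"

def audit_signature_stream(xml_text):
    """Classify the KeyInfo of every ds:Signature in a documentsignatures.xml /
    macrosignatures.xml stream. Returns [(signature_index, status)] with status:
      "ok"         KeyInfo holds X509Data and no KeyValue (what the fixed versions consider)
      "ambiguous"  KeyInfo holds both X509Data and KeyValue (the CVE-2021-25636 pattern)
      "no-x509"    KeyInfo holds no X509Data, so there is no certificate to report
    """
    root = ET.fromstring(xml_text)
    results = []
    for idx, sig in enumerate(root.iter(SIGNATURE)):
        key_info = sig.find(KEYINFO)
        kinds = {child.tag for child in key_info} if key_info is not None else set()
        if X509DATA in kinds and KEYVALUE in kinds:
            results.append((idx, "ambiguous"))
        elif X509DATA in kinds:
            results.append((idx, "ok"))
        else:
            results.append((idx, "no-x509"))
    return results

def x509_only_certificates(xml_text):
    """Mirror the fix: per signature, take certificates from X509Data children only,
    so a KeyValue sibling can never be the material that is actually verified."""
    root = ET.fromstring(xml_text)
    out = []
    for sig in root.iter(SIGNATURE):
        key_info = sig.find(KEYINFO)
        certs = [] if key_info is None else [
            c.text for x in key_info.findall(X509DATA) for c in x.findall(X509CERT)]
        out.append(certs)
    return out

# Constructed sample stream: signature 0 is well formed, signature 1 carries both key types.
SAMPLE = """<document-signatures
    xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature Id="sig0"><ds:KeyInfo>
    <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></ds:Signature>
  <ds:Signature Id="sig1"><ds:KeyInfo>
    <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-B</ds:X509Certificate></ds:X509Data>
    <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>PLACEHOLDER-MODULUS</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
  </ds:KeyInfo></ds:Signature>
</document-signatures>"""

if __name__ == "__main__":
    print(audit_signature_stream(SAMPLE))   # [(0, 'ok'), (1, 'ambiguous')]
```

A document whose stream yields any "ambiguous" verdict should be treated as unverified regardless of what the signature UI reports.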

Comment 1 Sandipan Roy 2022-02-22 12:35:15 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 2056956]

Comment 5 errata-xmlrpc 2022-11-08 09:12:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7461 https://access.redhat.com/errata/RHSA-2022:7461

Comment 6 Product Security DevOps Team 2022-12-04 01:03:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25636

