Release of Apache OpenOffice 4.1.10 fixing vulnerability affecting LibreOffice

After three months of development, and seven years after the last significant release, a corrective release of the Apache OpenOffice office suite, version 4.1.10, has been published with two fixes. Ready-made packages are available for Linux, Windows and macOS.

This release fixes a vulnerability (CVE-2021-30245) that could allow arbitrary code to be executed on the system when the user clicks a specially crafted link in a document. The vulnerability is caused by a bug in the handling of hypertext links that use protocols other than "http://" and "https://", such as "smb://" and "dav://".

For example, an attacker can place an executable file on an SMB server under their control and insert a link to it into a document. When a user clicks on this link, the referenced executable is run without any warning. The attack has been demonstrated on Windows and Xubuntu. As a mitigation, OpenOffice 4.1.10 adds a dialog that asks the user to confirm the action when a link in a document is clicked.

The researchers who identified the problem noted that not only Apache OpenOffice is affected, but also LibreOffice (CVE-2021-25631). For LibreOffice, the fix is for now available as a patch included in the LibreOffice 7.0.5 and 7.1.2 releases, but it addresses the problem only on the Windows platform (the list of prohibited file extensions has been updated). The LibreOffice developers declined to include a fix for Linux, arguing that the problem does not lie in their area of responsibility and should be addressed on the side of the distributions and desktop environments. In addition to the OpenOffice and LibreOffice office suites, a similar problem has been identified in Telegram, Nextcloud, VLC, Bitcoin / Dogecoin Wallet, Wireshark and Mumble.
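The two mitigations described above, OpenOffice's confirmation dialog for links with non-web schemes and LibreOffice's denylist of prohibited file extensions, can be expressed as a small link-classification policy. The following is an added example written for this article; it is not code from OpenOffice or LibreOffice, and the scheme sets, the extension denylist and the sample hyperlinks are constructed assumptions for illustration. It decides, for each hyperlink extracted from a document, whether the link may be opened directly (http/https), must be confirmed by the user first (file-oriented or unknown schemes), or should be refused outright (a file-oriented link whose target has an executable extension), and it handles a few evasions a naive check misses: percent-encoded dots, uppercase extensions, trailing dots that Windows strips, and bare UNC paths without a scheme.

```python
from enum import Enum
from urllib.parse import urlsplit, unquote
import posixpath


class Decision(Enum):
    OPEN = "open"        # web scheme: hand to the browser without prompting
    CONFIRM = "confirm"  # file-oriented or unknown scheme: ask the user first
    BLOCK = "block"      # file-oriented link to an executable type: refuse


# Schemes handled by a web browser; these do not launch a local file directly.
WEB_SCHEMES = {"http", "https"}

# Schemes that resolve to a file the platform may hand to a launcher.
# Constructed for this example; real products maintain their own lists.
FILE_SCHEMES = {"smb", "dav", "davs", "webdav", "file", "ftp"}

# Constructed denylist of executable-like extensions (an assumption for this
# example, not the list shipped by either project).
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".msi", ".ps1",
    ".vbs", ".js", ".jar", ".sh", ".desktop",
}


def _target_extension(path: str) -> str:
    """Extract the lower-cased extension of the link target defensively."""
    path = unquote(path)              # "%2Eexe" -> ".exe"
    path = path.replace("\\", "/")    # treat UNC / Windows separators uniformly
    name = posixpath.basename(path)
    name = name.rstrip(" .")          # Windows ignores trailing dots and spaces
    return posixpath.splitext(name)[1].lower()


def classify_link(url: str) -> Decision:
    """Policy decision for one hyperlink found in a document."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    if scheme in WEB_SCHEMES:
        return Decision.OPEN

    # A bare UNC path (\\server\share\x) has no scheme but is still a file link.
    if scheme in FILE_SCHEMES or scheme == "":
        if _target_extension(parts.path) in BLOCKED_EXTENSIONS:
            return Decision.BLOCK
        return Decision.CONFIRM

    # mailto:, custom handlers, etc.: never silently launch, always confirm.
    return Decision.CONFIRM


def audit_document_links(urls):
    """Group a document's hyperlinks by decision, e.g. for a pre-open report."""
    report = {d: [] for d in Decision}
    for url in urls:
        report[classify_link(url)].append(url)
    return report


if __name__ == "__main__":
    # Constructed sample of hyperlinks as they might be extracted from a document.
    sample_links = [
        "https://example.com/report.pdf",
        "HTTP://Example.com/",
        "smb://fileserver/share/installer.exe",
        "smb://fileserver/share/inst%2Eexe",
        "dav://docs.example.com/team/notes.odt",
        "file:///C:/tools/run.EXE.",
        "\\\\server\\share\\tool.bat",
        "mailto:someone@example.com",
    ]
    for decision, links in audit_document_links(sample_links).items():
        for link in links:
            print(f"{decision.value:8} {link}")
```

The `scheme == ""` branch matters because extractors often see UNC paths and relative file names with no scheme at all; treating those as file links, rather than as "unknown, probably harmless", is what closes the gap the article describes on Windows. Extension denylists are inherently incomplete, so the confirmation prompt remains the primary control and the denylist only removes the most obvious cases before the user is asked.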



Source: opennet.ru
