Almost two years after the previous update, Apache OpenOffice 4.1.16, a patch release of the office suite, has been published. It fixes seven vulnerabilities and a number of bugs. Binary packages are available for Linux, Windows and macOS.
Fixed vulnerabilities:
- CVE-2025-64406 - buffer overrun when importing a specially crafted CSV file. The overrun corrupts memory and could potentially lead to arbitrary code execution.
- CVE-2025-64407 - the URL download function could leak environment variables and values from INI files to an external server: when a document containing specially crafted external links was opened, the links were fetched without the user's knowledge, and various settings and environment variables could be substituted into them as arguments.
- CVE-2025-64401, CVE-2025-64402, CVE-2025-64403, CVE-2025-64404, CVE-2025-64405 - external content could be loaded into a document without user confirmation via iframes, OLE objects, external data sources in Calc, DDE functions, and background images. In each case an external link embedded in the document is followed, and its content loaded, without any notification to the user.
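The five link-loading issues above all reduce to references (xlink:href targets, or DDE application/topic/item triples) that the suite resolves when a document is rendered. As an added example that is not code from Apache OpenOffice or from the article, the Python script below opens an ODF package, walks content.xml and styles.xml, and reports every reference of those kinds that points outside the package, so a document can be triaged before it is opened in an unpatched suite. The element names (draw:floating-frame, draw:object, table:table-source, table:cell-range-source, office:dde-source, style:background-image) follow the OASIS ODF 1.2 schema; the sample .odt is constructed inline, and the "external" heuristic (a URI scheme or UNC prefix) is my own.

```python
"""Triage an ODF package for references that pull in external content.

Added example, not code from Apache OpenOffice or the original article. It
lists the link types named in the advisory (floating frames/iframes, OLE
objects, Calc external data, DDE links, background images). Element names
follow the ODF 1.2 schema; the sample .odt below is constructed inline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "style": "urn:oasis:names:tc:opendocument:xmlns:style:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
PREFIX = {uri: p for p, uri in NS.items()}
HREF = "{%s}href" % NS["xlink"]

# Elements whose xlink:href is fetched to render the document (no click needed).
LINK_ELEMENTS = {
    "draw:floating-frame": "floating frame (iframe)",
    "draw:object": "OLE object",
    "draw:object-ole": "OLE object",
    "draw:image": "image",
    "style:background-image": "background image",
    "table:table-source": "Calc linked table",
    "table:cell-range-source": "Calc external data range",
    "text:section-source": "linked section",
}
# Elements carrying office:dde-application / -topic / -item attributes.
DDE_ELEMENTS = {"office:dde-source", "text:dde-connection-decl"}


def qname(tag):
    """Map ElementTree's '{uri}local' back to the familiar 'prefix:local'."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return "%s:%s" % (PREFIX.get(uri, uri), local)
    return tag


def is_external(href):
    """Heuristic (my own): package-relative paths such as 'Pictures/x.png' or
    './Object 1' are internal; a URI scheme or UNC prefix leaves the package."""
    href = href.strip()
    if not href or href.startswith("#"):
        return False
    if href.startswith(("//", "\\\\")):
        return True
    return ":" in href.split("/", 1)[0]


def scan_part(part_name, xml_bytes):
    findings = []
    for el in ET.fromstring(xml_bytes).iter():
        tag = qname(el.tag)
        href = el.get(HREF)
        if tag in LINK_ELEMENTS and href is not None and is_external(href):
            findings.append((part_name, LINK_ELEMENTS[tag], href))
        elif tag in DDE_ELEMENTS:  # DDE is always a live link to another process/file
            target = "|".join(el.get("{%s}dde-%s" % (NS["office"], k), "")
                              for k in ("application", "topic", "item"))
            findings.append((part_name, "DDE link", target))
    return findings


def scan_odf(package_bytes):
    """Return (part, kind, target) for every external reference found in
    content.xml and styles.xml. An empty list means nothing is fetched on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for part in ("content.xml", "styles.xml"):
            if part in z.namelist():
                findings.extend(scan_part(part, z.read(part)))
    return findings


XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
# Constructed sample: one remote iframe, one package-internal picture, one DDE link.
SAMPLE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content %s><office:body><office:text>
 <text:p>Quarterly figures</text:p>
 <draw:frame draw:name="f1" text:anchor-type="paragraph">
  <draw:floating-frame xlink:href="https://attacker.example/frame.html" xlink:type="simple"/>
 </draw:frame>
 <draw:frame draw:name="f2" text:anchor-type="paragraph">
  <draw:image xlink:href="Pictures/10000000000000200000002000000000.png" xlink:type="simple"/>
 </draw:frame>
 <table:dde-link>
  <office:dde-source office:dde-application="soffice" office:dde-topic="rates.ods" office:dde-item="Sheet1.A1:B2"/>
  <table:table table:name="rates"/>
 </table:dde-link>
</office:text></office:body></office:document-content>""" % XMLNS
# Constructed sample: a page background fetched from a remote host.
SAMPLE_STYLES = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-styles %s><office:automatic-styles>
 <style:page-layout style:name="pm1"><style:page-layout-properties>
  <style:background-image xlink:href="http://tracker.example/bg.png" xlink:type="simple" xlink:actuate="onLoad"/>
 </style:page-layout-properties></style:page-layout>
</office:automatic-styles></office:document-styles>""" % XMLNS


def build_sample_odt():
    """Assemble the constructed parts into an in-memory .odt (a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", SAMPLE_CONTENT)
        z.writestr("styles.xml", SAMPLE_STYLES)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in scan_odf(build_sample_odt()):
        print("%-11s %-26s %s" % (part, kind, target))
```

Run as a file, it reports three findings for the constructed sample: the floating frame, the DDE source and the page-background image; the package-internal picture is not reported. Pass the bytes of a real .odt/.ods to scan_odf() to use it as an intake or mail-gateway check. It does not walk settings.xml or embedded sub-documents (Object N/content.xml), and a clean result only means nothing is fetched on open, not that the file is otherwise safe.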
Among the non-security changes:
- Support for encryption of documents in ODF 1.2 format using the AES-256 algorithm has been implemented.
- Improved compatibility with the MathML specification.
- Removed unused module "bmpmaker".
- On macOS, automatic update checking, which caused deadlocks, has been disabled.
- 18 bugs have been fixed, including freezes at the update-check stage, zoom sliders disappearing when switching pages in Draw/Impress, incorrect parsing of some CSV files, crashes at startup with certain fonts, and the list of recently opened documents not being cleared correctly.
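Whether a given document actually uses the new cipher can be read from its package manifest: ODF 1.2 records the algorithm, the key-derivation parameters and the start-key digest of every encrypted part in META-INF/manifest.xml. As an added example that is not code from Apache OpenOffice, the Python below summarises those entries and checks that every encrypted part declares AES-256-CBC with a 32-byte key. Element and attribute names come from ODF 1.2 Part 3 (Packages); the two manifests are constructed inline with placeholder base64 values, one in the older Blowfish CFB/SHA1 form that pre-1.2 packages use and one with AES-256-CBC and SHA-256.

```python
"""Report which cipher an ODF package declares for its encrypted parts.

Added example, not Apache OpenOffice code. Encrypted entries in
META-INF/manifest.xml carry a manifest:encryption-data child (ODF 1.2
Part 3); this reads the algorithm, KDF and start-key digest from it.
The manifests built below are constructed for the demo, with placeholder
base64 values, in the legacy Blowfish CFB form and in the AES-256-CBC form.
"""
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
M = "{%s}" % MANIFEST_NS
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
SHA256 = "http://www.w3.org/2000/09/xmldsig#sha256"


def encryption_summary(manifest_xml):
    """Map each encrypted full-path to its declared parameters.
    Unencrypted entries (including the package root "/") are skipped."""
    out = {}
    for entry in ET.fromstring(manifest_xml).iter(M + "file-entry"):
        enc = entry.find(M + "encryption-data")
        if enc is None:
            continue
        alg = enc.find(M + "algorithm")
        kdf = enc.find(M + "key-derivation")
        skg = enc.find(M + "start-key-generation")  # absent in pre-1.2 files: SHA1 implied
        out[entry.get(M + "full-path")] = {
            "algorithm": alg.get(M + "algorithm-name") if alg is not None else None,
            "kdf": kdf.get(M + "key-derivation-name") if kdf is not None else None,
            "iterations": int(kdf.get(M + "iteration-count", "0")) if kdf is not None else 0,
            # manifest:key-size on key-derivation defaults to 16 bytes when absent
            "key_size": int(kdf.get(M + "key-size", "16")) if kdf is not None else 0,
            "start_key": (skg.get(M + "start-key-generation-name")
                          if skg is not None else "SHA1 (implied)"),
        }
    return out


def uses_aes256(summary):
    """True only when there is at least one encrypted part and every one of
    them declares AES-256-CBC with a 32-byte derived key."""
    return bool(summary) and all(
        e["algorithm"] == AES256_CBC and e["key_size"] == 32 for e in summary.values())


def manifest(algorithm, iv, key_size, checksum_type, start_key=None):
    """Build a constructed one-entry manifest for the demo (placeholder base64 values)."""
    skg = ('<manifest:start-key-generation manifest:start-key-generation-name="%s" '
           'manifest:key-size="32"/>' % start_key) if start_key else ""
    return """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="%s">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml" manifest:size="3012">
  <manifest:encryption-data manifest:checksum-type="%s" manifest:checksum="AAAAAAAAAAAAAAAAAAAAAAAAAAA=">
   <manifest:algorithm manifest:algorithm-name="%s" manifest:initialisation-vector="%s"/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="%d" manifest:iteration-count="1024" manifest:salt="c2FsdHNhbHRzYWx0c2FsdA=="/>
   %s
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>""" % (MANIFEST_NS, checksum_type, algorithm, iv, key_size, skg)


# Legacy form: Blowfish CFB, 8-byte IV, 16-byte key, SHA1/1K checksum, no start-key element.
LEGACY_MANIFEST = manifest("Blowfish CFB", "AAAAAAAAAAA=", 16, "SHA1/1K")
# ODF 1.2 form: AES-256-CBC, 16-byte IV, 32-byte key, SHA-256 start key and checksum.
AES_MANIFEST = manifest(AES256_CBC, "AAAAAAAAAAAAAAAAAAAAAA==", 32,
                        MANIFEST_NS + "#sha256-1k", start_key=SHA256)

if __name__ == "__main__":
    for label, xml in (("legacy", LEGACY_MANIFEST), ("aes256", AES_MANIFEST)):
        summary = encryption_summary(xml)
        print(label, summary, "AES-256 throughout:", uses_aes256(summary))
```

To check a real file, read META-INF/manifest.xml out of the .odt/.ods zip and pass its bytes to encryption_summary(). The check is deliberately strict: a package with a mix of AES-256 and Blowfish parts, or with no encrypted parts at all, fails uses_aes256().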
Source: opennet.ru
