CVE-2024-5261

Publication date 25 June 2024

Last updated 24 July 2024


Ubuntu priority

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.

Status

Package Ubuntu Release Status
libreoffice 24.04 LTS noble
Fixed 4:24.2.4-0ubuntu0.24.04.2
23.10 mantic
Fixed 4:7.6.7-0ubuntu0.23.10.3
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libreoffice

References

Related Ubuntu Security Notices (USN)

    • USN-6877-1
    • LibreOffice vulnerability
    • 4 July 2024

Other references