CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in H (fwd)
Cy Schubert
Cy.Schubert at cschubert.com
Fri Apr 16 03:10:11 UTC 2021
Hi,
This looks significant. Considering the age of the bug, it probably affects
LibreOffice too.
Original announcement below.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.
------- Forwarded Message
Date: Thu, 15 Apr 2021 12:23:05 -0700
From: Dave Fisher <wave at apache.org>
To: announce at apache.org
Subject: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
Severity: moderate
Description:
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
Credit:
Fabian Bräunlein and Lukas Euler of Positive Security
------- End of Forwarded Message
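
A defender-side check for the condition the advisory describes, added here as an example (it is not part of the announcement and not Apache OpenOffice code): it lists the hyperlinks in an OpenDocument file whose scheme is not http(s). The function names, the allowlist and the sample document are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED = {"http", "https"}  # assumption: policy taken from the advisory's wording

def non_http_links(odf_bytes):
    """Return (member, scheme, href) for every xlink:href with a scheme outside ALLOWED."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for member in ("content.xml", "styles.xml"):
            if member not in pkg.namelist():
                continue
            data = pkg.read(member)
            if b"<!DOCTYPE" in data:  # ODF parts need no DTD; refuse entity tricks
                raise ValueError(member + ": unexpected DOCTYPE")
            for el in ET.fromstring(data).iter():
                href = (el.get(XLINK_HREF) or "").strip()
                try:
                    scheme = urlsplit(href).scheme.lower()
                except ValueError:
                    scheme = "unparsable"
                # Empty scheme = relative reference into the package (e.g. Pictures/...).
                if scheme and scheme not in ALLOWED:
                    hits.append((member, scheme, href))
    return hits

def build_sample():
    """Constructed test document: a minimal ODF-like zip, not a real-world sample."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
        '<text:p><text:a xlink:href="https://example.org/">ok</text:a>'
        '<text:a xlink:href="ftp://files.example.org/readme.txt">a</text:a>'
        '<text:a xlink:href="x-constructed-scheme:demo">b</text:a>'
        '<draw:image xlink:href="Pictures/logo.png"/></text:p>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in non_http_links(build_sample()):
        print(*hit, sep="\t")
```

Run against mail attachments or a file share, the output gives a triage list of documents to review before they are opened in an unpatched version.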