CVE-2021-25632

Title: fileloc extension added to macOS executable denylist

Announced: May 18, 2021

Fixed in: LibreOffice 7.0.6/7.1.3

Description:

LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under macOS the link can be passed to the system 'open' utility for handling. LibreOffice contains a denylist of extensions that it blocks from passing to 'open' to avoid attempting to launch executables.

In the LibreOffice 7-1 series in versions prior to 7.1.3, and in the 7-0 series in versions prior to 7.0.6, the denylist didn't include the .fileloc extension which could be used to launch an executable on the system.

In the fixed versions this extension has been blocked. All macOS users are recommended to upgrade to LibreOffice >= 7.0.6 or >= 7.1.3

References:

Thanks to Hou JingYi (@hjy79425575) of Qihoo 360 for discovering and reporting this problem

References:

    CVE-2021-25632