The Document Foundation today released two security updates for its popular LibreOffice open-source office suite, 7.6.2 and 7.5.7, to address a recently disclosed vulnerability in the WebP codec.
Arriving earlier than initially planned, the LibreOffice 7.6.2 and LibreOffice 7.5.7 updates contain a fix for CVE-2023-4863, a heap buffer overflow discovered in the widely used libwebp library, which is used to decode the now-popular WebP graphics format.
This security issue affects all applications that use the libwebp library, including major web browsers like Mozilla Firefox, Chrome/Chromium, or Edge. It is marked as critical and it could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
The WebP vulnerability is now patched in the latest version of the aforementioned apps, and it’s now also patched in the LibreOffice office suite if you update your installations to either LibreOffice 7.6.2 or LibreOffice 7.5.7.
In addition to patching this critical vulnerability, the LibreOffice 7.6.2 release also contains 54 fixes for bugs and regressions, according to its RC1 changelog, while LibreOffice 7.5.7 carries only 14 bug fixes, according to its RC1 changelog.
As you can imagine, these updates are highly recommended to all LibreOffice users. Both LibreOffice 7.6.2 and LibreOffice 7.5.7 are available for download from the official website as binaries packaged by The Document Foundation for DEB- or RPM-based distributions, as well as a source tarball.
On this occasion, I would like to remind you to always keep your GNU/Linux systems up to date if you want to be protected from such critical vulnerabilities. These new LibreOffice updates will also arrive in your distro’s stable repositories in the coming days, so make sure that you update on a regular basis.