CVE-2024-12425

Publication date 7 January 2025

Last updated 27 January 2025


Ubuntu priority

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before 24.8.4.


Status

Package      Ubuntu Release     Status
libreoffice  24.10 oracular     Fixed 4:24.8.4-0ubuntu0.24.10.2
             24.04 LTS noble    Fixed 4:24.2.7-0ubuntu0.24.04.2
             22.04 LTS jammy    Fixed 1:7.3.7-0ubuntu0.22.04.8
             20.04 LTS focal    Fixed 1:6.4.7-0ubuntu0.20.04.13

Notes


mdeslaur

likely affects earlier releases than 24.8, contrary to description

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libreoffice

References

Related Ubuntu Security Notices (USN)

    • USN-7228-1: LibreOffice vulnerabilities (27 January 2025)

Other references