Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation.
In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid
This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.
Weakness
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libreoffice | Libreoffice | 24.8.0.1 (including) | 24.8.6.0 (excluding) |
| Libreoffice | Libreoffice | 25.2.0.1 (including) | 25.2.2 (excluding) |
| Libreoffice | Libreoffice | 24.8.0.0-alpha1 (including) | 24.8.0.0-alpha1 (including) |
| Libreoffice | Libreoffice | 24.8.0.0-beta1 (including) | 24.8.0.0-beta1 (including) |
| Libreoffice | Libreoffice | 25.2.0.0-alpha1 (including) | 25.2.0.0-alpha1 (including) |
| Libreoffice | Libreoffice | 25.2.0.0-beta1 (including) | 25.2.0.0-beta1 (including) |
| Libreoffice | Ubuntu | esm-infra/focal | * |
| Libreoffice | Ubuntu | focal | * |
| Libreoffice | Ubuntu | jammy | * |
| Libreoffice | Ubuntu | noble | * |
| Libreoffice | Ubuntu | oracular | * |
| Libreoffice | Ubuntu | upstream | * |