CVE-2023-1183

NameCVE-2023-1183
DescriptionA flaw was found in the Libreoffice package. An attacker can craft an odb containing a "database/script" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3467-1, DLA-3468-1, DSA-5436-1, DSA-5437-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
hsqldb (PTS)buster2.4.1-2vulnerable
buster (security)2.4.1-2+deb10u2fixed
bullseye (security), bullseye2.5.1-1+deb11u2fixed
bookworm, bookworm (security)2.7.1-1+deb12u1fixed
sid, trixie2.7.2-1fixed
hsqldb1.8.0 (PTS)buster1.8.0.10+dfsg-10vulnerable
buster (security)1.8.0.10+dfsg-10+deb10u1fixed
bullseye (security), bullseye1.8.0.10+dfsg-10+deb11u1fixed
bookworm, bookworm (security)1.8.0.10+dfsg-11+deb12u1fixed
sid, trixie1.8.0.10+dfsg-12fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
hsqldbsourcebuster2.4.1-2+deb10u2DLA-3467-1
hsqldbsourcebullseye2.5.1-1+deb11u2DSA-5437-1
hsqldbsourcebookworm2.7.1-1+deb12u1DSA-5437-1
hsqldbsource(unstable)2.7.2-1
hsqldb1.8.0sourcebuster1.8.0.10+dfsg-10+deb10u1DLA-3468-1
hsqldb1.8.0sourcebullseye1.8.0.10+dfsg-10+deb11u1DSA-5436-1
hsqldb1.8.0sourcebookworm1.8.0.10+dfsg-11+deb12u1DSA-5436-1
hsqldb1.8.0source(unstable)1.8.0.10+dfsg-12

Notes

https://www.libreoffice.org/about-us/security/advisories/cve-2023-1183/
https://gerrit.libreoffice.org/c/core/+/146905
https://sourceforge.net/p/hsqldb/svn/6639/
Search for package or bug name: Reporting problems