CVE-2023-6185: 
NixOS vulnerability analysis and mitigation

CVE-2023-6185 is an Improper Input Validation vulnerability discovered in the GStreamer integration of LibreOffice. The vulnerability was disclosed on December 11, 2023, affecting LibreOffice versions from 7.5.0 up to (excluding) 7.5.9 and versions from 7.6.0 up to (excluding) 7.6.3. The vulnerability exists in the way LibreOffice handles embedded video filenames when passing them to GStreamer (LibreOffice Advisory).

The vulnerability stems from insufficient escaping of embedded video filenames when they are passed to GStreamer in affected LibreOffice versions. This improper input validation could allow an attacker to execute arbitrary GStreamer plugins, with the scope of execution depending on the plugins installed on the target system. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows an attacker to execute arbitrary GStreamer plugins on the target system, potentially leading to code execution within the context of the LibreOffice application. The actual impact depends on the GStreamer plugins installed on the affected system (Debian Security).

The vulnerability has been fixed in LibreOffice versions 7.5.9 and 7.6.3. Users are strongly recommended to upgrade to these or later versions. Various Linux distributions have also released security updates: Debian has fixed the issue in version 1:7.0.4-4+deb11u8 for oldstable and 4:7.4.7-1+deb12u1 for stable distributions (Debian Security).

The vulnerability was discovered and reported by Reginaldo Silva of ubercomp.com, with Collabora Productivity providing the fix. The issue has received attention from major Linux distributions, with Debian, Fedora, and others quickly releasing security updates to address the vulnerability (LibreOffice Advisory).