diff --git a/.gitignore b/.gitignore
index 6b149d0..527f1de 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,6 @@ SOURCES/185d60944ea767075d27247c3162b3bc-unowinreg.dll
 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
 SOURCES/dtoa-20180411.tgz
 SOURCES/f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf
-SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 SOURCES/libreoffice-7.1.8.1.tar.xz
 SOURCES/libreoffice-help-7.1.8.1.tar.xz
 SOURCES/libreoffice-translations-7.1.8.1.tar.xz
diff --git a/.libreoffice.metadata b/.libreoffice.metadata
index 8ff9125..1305b8b 100644
--- a/.libreoffice.metadata
+++ b/.libreoffice.metadata
@@ -3,7 +3,6 @@
 2d49e11b0b711970f494294dc3698f05eb294853 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
 083509db5ad9d1680830be9add727d58b54ca0d3 SOURCES/dtoa-20180411.tgz
 dd55efd721df8a013709e27836bdf26623e5320e SOURCES/f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf
-7b5fd93d787fbc6d9c2d4025d543730ee8dc4559 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 58642377b80001f41884b2fff3d74fe66426b182 SOURCES/libreoffice-7.1.8.1.tar.xz
 48afe3a1a30861904bf31b387d6bc56360f5ac19 SOURCES/libreoffice-help-7.1.8.1.tar.xz
 cb1238f7b182c8bfb16086d2eb9305b43b8a6d16 SOURCES/libreoffice-translations-7.1.8.1.tar.xz
diff --git a/SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch b/SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch
new file mode 100644
index 0000000..d9a1685
--- /dev/null
+++ b/SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch
@@ -0,0 +1,29 @@
+From 6582f7956313e16ea7df5b7cc961d368c150de0a Mon Sep 17 00:00:00 2001
+From: Caolán McNamara
+Date: Wed, 27 Mar 2024 17:07:20 +0000
+Subject: [PATCH] add notify for script use
+
+Change-Id: I84af197cec7755f6803a578e1e21c03966ad5f3e
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165410
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit a4a5c6b63599bca1f084bb90875f6fd8e15184ac)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/167419
+Tested-by: Caolán McNamara
+Reviewed-by: Caolán McNamara
+---
+
+diff --git a/xmloff/source/draw/eventimp.cxx b/xmloff/source/draw/eventimp.cxx
+index 226caca..bcf67c4 100644
+--- a/xmloff/source/draw/eventimp.cxx
++++ b/xmloff/source/draw/eventimp.cxx
+@@ -212,6 +212,9 @@
+
+ if( maData.mbValid )
+ maData.mbValid = !sEventName.isEmpty();
++
++ if (!maData.msMacroName.isEmpty())
++ rImp.NotifyMacroEventRead();
+ }
+
+ css::uno::Reference< css::xml::sax::XFastContextHandler > SdXMLEventContext::createFastChildContext(
diff --git a/SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc b/SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
new file mode 100644
index 0000000..5f4f64d
--- /dev/null
+++ b/SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
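Review bot: The added `rImp.NotifyMacroEventRead()` call in xmloff/source/draw/eventimp.cxx is keyed only on `maData.msMacroName` and sits after, not inside, the `maData.mbValid` check, so it also fires for an event the preceding lines have just marked invalid; that is the fail-safe direction for CVE-2024-3044, but nothing in the patch says it is deliberate. I would add a comment above the new `if`, for example `// Report any macro/script name read from the document, even if the event itself is invalid (CVE-2024-3044).` The enclosing function starts outside the embedded hunk, so whether every script-type event ends up with its target in `msMacroName`, and whether `NotifyMacroEventRead` already exists on the import class in the 7.1.8.1 base, cannot be confirmed from here and should be checked against the tree. The backport also carries no regression test; an import test that loads a document whose draw-shape event carries a macro name and asserts that the notification was raised would keep the check from being lost in a later rebase.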
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEyzEr0BEADT441wUITsTwDA2nM3kmUhGrzTdxZB5xv/E1ZJCw63qWdmdTdW +NZDfNDuLs4r2VjlEoA3xGK6jgnQvyAoNj0yiEbW/JedHHgOiVdXDlkgkY58myafT +FXqDLzTXVrsNnay0GS8XrNjptZJPhEPBvNUdkqpA9B7RTkfaXj779Pf/AeFMZVLl +UAci5RA0NNF910GHwoXT6SEv2PGoawsphnfmMVdKh9wz7asbtKXEmotCwX3k045x +LsIVK5ANOi+BI9C3LkrrFJWw2XHqDW2ulwCJ0L5QNSjOuY/v8REODwIXamvvdZOz +XBKSIzDOalJqFCHls3YlGyFw1knr6BAOmVOm32YtNTCLbVA/iK55fZWnUCjD3a4G +xz4qpQYWfpxhOmlHpk5JkraSNHzCc7SB43DwcHF5ecXHttMhO8MoN/bAZBgCuLGF +EwNvwFbDwIWo07mlv7wD8i1rtUCvLywJc5YL2PbjCLfB1Q4YzDX1EWnjKdnAsxxK +ftrx1DFlxzUF+TaHbLTPttUcsWQaL8wITznoWIwdIWlo2woPgWIpUXMOYwYV31Oo +fgmroHa3V4NOvkke09uhaZawg5yZCoRFohhfKPqT1ZrJ9SnRbW/WR3VTVY76ht5k +RuV3eb2VWBmPU9zn56Tbe6dvFkBuzHH1JdECAqy1BzFcmQQFBebFzf1XAQARAQAB +tEhMaWJyZU9mZmljZSBCdWlsZCBUZWFtIChDT0RFIFNJR05JTkcgS0VZKSA8YnVp +bGRAZG9jdW1lbnRmb3VuZGF0aW9uLm9yZz6JAjcEEwEKACEFAkyzEr0CGwMFCwkI +BwMFFQoJCAsFFgIDAQACHgECF4AACgkQ9DSh76/urqOc4w//X+74QlyRalcuLNw3 +oJKB1+1z6xxhhpwg1kw5cMMrGu0w0YoPvLDKaiS02DdkIaXDECcQTOoEh7/bYbZq +6OtE1WyxqHYYOPK5yul5FRwZ5k5HZ7pDFcKCQ72UgWhz+QznRhgZ0jwEWl5Ln3rw +JpSynIvTXHmQogId0xmcrNQPyckzzugGx4qZFinSOmDGwTgG14NU3vat2iek37Ph +BLh5V8ohlEoccwwPejtKEWQudg0Q8K7uBuqLUhnJoZodEytqpOvtysuPtGxGXnmD +7oXtBVEF3X6eFRXDIp81cx2isHK4Krf4z4T9KUimNLHjWRa+ZQtp2pZLHQlblfsn +CUf6TYZ0Yi909EhcM/hxAgBZXellOCQ/8U2cJsTUyN5Dp1wbf6X0uK4uaed1/037 +EGLAO6PP6WQz6jWd1/hhsQ5oAmdjkzlMFEfKNeIIDuKMOjXcTvM8/KRXhufwICvS +FBlSIveHfDFWCvOVgq0VjAY7NFMFKRUnRHB58qBamtyhOyscRIvT5QH8HYfUA/YN +l9FguczYUIQi3t+H1hoHIywdtmRuhYx5WlIUe8FO9QD5RMPbBjVbkCYgdHdxgnJD +KCoRGsoKlLB7UZc4Ak9j6plZbYtFRonm2MjU4zxblCFNuEqVQ0V/y6/OIGpBYF9Y +aEAtTgEJd9OmmDCM3d8O0zZHYma5Ag0ETLMSvQEQAMDp0HxSDWd+2Od/aJutCMFe +8tfw7+nP9gfHOCUqesb88QvRMJgVY6z1aNdMllxTKlsxUiuA6uNcrUAkzDp/qRWR +58rWIO642PLifng3urJ1cDbSKC+K4RHpQC+hXllMKLqq8dwNy1LO4fPo9SdtUF4B +ev6enKmo4yCiOGv2tvztPh9gMGYoDncaOsS0t2UPr2MMQIVUmmIzfJBkdOxbZiWO +doeNbWsYJHQaO+Ahal6SjPHKzhdjeXhZzHl1vqeDkV4MXHprrOwXNXwPiEpkZe2O 
+dc7yaMkQc0k8WRrfKHApbnwDx6Mi8HYaf+LvRq7P0eMO9osD1q44wQQvVzk199zp +MMHS5/kAv7RBNmDOSJQIZ4zT4lzRDODjMf01Ljn02zon12GfJo0WbbpmLulta7uj +HgMrUU54by8WPFGW0fljXiDX0EpkHhxUsUsfaNfBsFnE+sRxQjNF/ljvofkyApI2 +1OjtEa9krwvgDqaXsL+a2076OsoFpORlTZ30REb0eRS6rEt8M+7s4xTaA7GFxlY/ +N+bnaM8m+ItygfFHHW4H0wLbbgajDeooSTgaheVNF5V9HS0EkN4MNVvtJH7J6drd +iR1QVhX87n7+JtQzTtCOyfeKjaB+kcbAm/2VOFOeHdig5+BygpXt3IixVq72xmGz +h0jhY565MjXrqg5O3pvLABEBAAGJAh8EGAEKAAkFAkyzEr0CGwwACgkQ9DSh76/u +rqPaeg//avI2/a94XlSYtSZb2hVdW3qa9AEypQurqtVrKJfEKFV+ZQBPXbPRy8Mz +5LMEH1sfD6B4SVGIGJ8opSyieJkcKIke+GMekTWvSqDpFOgY2rw7eHNn/33ZJs3O +zQOyWz8smE/AIM/5lyiVGuSlU7RjYncf1V9bIBc91q9Edqk4IYUo/7W+yafC0VW/ +8oHUFYjHNaujiOsEoLiXsh9Y0R/6Jxs6fvE4XbCANV/ecN5UX+9BBrNZNN/9GbNr +6CYGZ57M2f1Pgywy/XvOnEPnJ8aWXUyGLqq34KvMPFPSOeAmFbkFEsB4mdDMFaDw +rzziiZE/zS8/nKiH4X2JgmLgFsadEihdfYxeDcGbhREK/qA1f3bGnr1j05V07yko +2FFZdiOr4OgiT5ymgwVUXQ2Aiz+J/C8URjfpcPxetmuDQT9AYfgmMKPNVXPFWuNQ +dzN5GZbI+E1/cb5+uLNknvjngw2G4PR/4uPHX1HCSftlNawBqWzyun1k+B7/u3Oe +FebWXcdqSmZuLQ7l0Pkuz/Nlp6M6cKpceL+9zCgaiR5+v9h94VvtXKd/mw9ZLACc +VcOANiwCtsJP3lt7jRSHtkuUe6vUm5tLS582RfXxoI1BlPjNtG9xAQ3JKBHIXbal +T18pAFO3t74cxg3h0iI1G51F3oL0DwILP2MBBmardVEp5CMnB/M= +=1iQB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 3f6ddaf..e06594b 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 12%{?libo_prerelease}%{?dist}.alma.1 +Release: 13%{?libo_prerelease}%{?dist}.alma.1 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ 
@@ -289,7 +289,6 @@ Patch33: 0001-set-Referer-on-loading-IFrames.patch
 Patch34: 0002-put-floating-frames-under-managed-links-control.patch
 Patch35: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
 Patch36: 0001-disable-script-dump.patch
-# Patches were taken from the latest OL relase
 Patch37: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
 Patch38: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
 Patch39: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
@@ -297,6 +296,7 @@ Patch40: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot
 Patch41: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
 Patch42: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
 Patch43: 0006-CVE-2023-6186-backporting.patch
+Patch44: 0001-CVE-2024-3044-add-notify-for-script-use.patch
 # not upstreamed
 Patch500: 0001-disable-libe-book-support.patch
@@ -1039,6 +1039,9 @@ rm -rf git-hooks */git-hooks
 # apply patches
 %autopatch -M 99
 %if 0%{?rhel}
+# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1954999
+# From https://src.fedoraproject.org/rpms/python3.9/pull-request/60
+# Make at least a local rhpkg prep on Fedora work..
 %{?!apply_patch:%define apply_patch(qp:m:) {%__apply_patch %**}}
 %apply_patch -q %{PATCH500}
 %endif
@@ -1058,10 +1061,10 @@ sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk %endif +# Broken with system nss. See also upstream commit ac519af951541b7313a4c98e1bee463bf47356be sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_ODT);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_DOCX);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx - git commit -q -a -m 'temporarily disable failing tests' # Seeing .git dir makes some of the build tools change their behavior. @@ -2286,20 +2289,16 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog -* Thu Mar 21 2024 Eduard Abdullin - 1:7.1.8.1-12.alma.1 -- escape url passed to gstreamer -- add some protocols that don't make sense as floating frame - targets -- warn about exotic protocols as well -- default to ignoring libreoffice special-purpose protocols - in calc hyperlink -- reuse AllowedLinkProtocolFromDocument in writer -- reuse AllowedLinkProtocolFromDocument in impress/draw -- CVE-2023-6186 backporting - -* Thu Sep 21 2023 Eduard Abdullin - 1:7.1.8.1-11.alma +* Wed Jul 24 2024 Eduard Abdullin - 1:7.1.8.1-13.alma.1 - Debrand for AlmaLinux +* Fri Jun 07 2024 Eike Rathke - 1:7.1.8.1-13 +- Fix CVE-2024-3044 add notify for script use + +* Fri Mar 08 2024 Eike Rathke - 1:7.1.8.1-12 +- Fix CVE-2023-6185 escape url passed to gstreamer +- Fix CVE-2023-6186 check link target protocols + * Tue Jun 20 2023 Stephan Bergmann - 1:7.1.8.1-11 - Resolves: rhbz#2210193 CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing