diff --git a/SOURCES/0001-Introduceio3tl::make_unsigned-to-cast-from-signed-to-unsigned-type.patch b/SOURCES/0001-Introduceio3tl::make_unsigned-to-cast-from-signed-to-unsigned-type.patch new file mode 100644 index 0000000..6c47a6d --- /dev/null +++ b/SOURCES/0001-Introduceio3tl::make_unsigned-to-cast-from-signed-to-unsigned-type.patch @@ -0,0 +1,45 @@ +From 188972242784eb68b80cee0b0f6be7c195b54bc0 Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Thu, 09 Jan 2020 19:43:23 +0100 +Subject: [PATCH] Introduce o3tl::make_unsigned to cast from signed to unsigned type + +...without having to spell out a specific type to cast to (and also making it +more obvious what the intend of such a cast is) + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/86502 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 6417668b3e12d9659ac5dc4a2f60aa8ad3bca675) + +Change-Id: Id9c68b856a4ee52e5a40d15dc9d83e95d1c231cd +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130807 +Tested-by: Thorsten Behrens +Reviewed-by: Thorsten Behrens +--- + +diff --git a/include/o3tl/safeint.hxx b/include/o3tl/safeint.hxx +index ae28ca4..6d8d130 100644 +--- a/include/o3tl/safeint.hxx ++++ b/include/o3tl/safeint.hxx +@@ -12,6 +12,7 @@ + + #include + ++#include + #include + #include + +@@ -226,6 +227,13 @@ + + #endif + ++template constexpr std::enable_if_t, std::make_unsigned_t> ++make_unsigned(T value) ++{ ++ assert(value >= 0); ++ return value; ++} ++ + } + + #endif diff --git a/SOURCES/0002-CVE-2026-4430-Conform-AlignEngine-parsing.patch b/SOURCES/0002-CVE-2026-4430-Conform-AlignEngine-parsing.patch new file mode 100644 index 0000000..f714d61 --- /dev/null +++ b/SOURCES/0002-CVE-2026-4430-Conform-AlignEngine-parsing.patch @@ -0,0 +1,50 @@ +From c7378238b226a624aca78e2e890fb475e98c140a Mon Sep 17 00:00:00 2001 +From: Caolán McNamara +Date: Mon, 16 Mar 2026 17:22:23 +0000 +Subject: [PATCH] Conform AlignEngine parsing to what section 2.3.4.10 of the spec has + +Change-Id: Ibb9162b1ce7993ef74665ec0329c95b423fa8174 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/201876 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Michael Stahl +(cherry picked from commit b00f60ab7047fe7384f3551f02951b369ac6c8e4) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/202756 +Tested-by: allotropia jenkins +--- + +diff --git a/oox/source/crypto/AgileEngine.cxx b/oox/source/crypto/AgileEngine.cxx +index 81c0366..edad38e 100644 +--- a/oox/source/crypto/AgileEngine.cxx ++++ b/oox/source/crypto/AgileEngine.cxx +@@ -8,6 +8,8 @@ + * + */ + ++#include ++#include + #include + + #include +@@ -534,8 +536,21 @@ + if (0 > mInfo.spinCount || mInfo.spinCount > 10000000) + return false; + +- if (1 > mInfo.saltSize|| mInfo.saltSize > 65536) // Check ++ // [MS-OFFCRYPTO] 2.3.4.10: saltSize "MUST be at least 1 and no greater than 65,536" ++ if (1 > mInfo.saltSize || mInfo.saltSize > 65536) ++ { ++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): saltSize out of range: " << mInfo.saltSize); + return false; ++ } ++ ++ // [MS-OFFCRYPTO] 2.3.4.10: "The number of bytes required to decode the saltValue ++ // attribute MUST be equal to the value of the saltSize attribute" ++ if (mInfo.keyDataSalt.size() != o3tl::make_unsigned(mInfo.saltSize)) ++ { ++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): keyDataSalt size " << mInfo.keyDataSalt.size() ++ << " does not match saltSize " << mInfo.saltSize); ++ return false; ++ } + + // AES 128 CBC with SHA1 + if (mInfo.keyBits == 128 && diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 8072d38..9e7ce2a 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 19%{?libo_prerelease}%{?dist} +Release: 20%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -303,6 +303,10 @@ Patch59: 0006-CVE-2023-6186-backporting.patch Patch60: 0001-CVE-2024-3044-add-notify-for-script-use.patch Patch61: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch Patch62: 0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch +# https://gerrit.libreoffice.org/c/core/+/130807 +Patch63: 0001-Introduceio3tl::make_unsigned-to-cast-from-signed-to-unsigned-type.patch +# https://gerrit.libreoffice.org/c/core/+/202756 +Patch64: 0002-CVE-2026-4430-Conform-AlignEngine-parsing.patch %if 0%{?rhel} # not upstreamed @@ -2309,6 +2313,11 @@ done %{_includedir}/LibreOfficeKit %changelog +* Tue May 19 2026 Tomas Popela - 1:6.4.7.2-20 +- Fix CVE-2026-4430 Conform AlignEngine parsing to what section 2.3.4.10 of + the spec has +- Resolves: RHEL-176575 + * Tue Mar 11 2025 Eike Rathke - 1:6.4.7.2-19 - Fix CVE-2025-1080 Filter out more unwanted command URIs