Import from CS git

2025-03-17 07:36:34 +00:00 · 2025-03-17 07:36:34 +00:00 · 857adf2f09
commit 857adf2f09
parent 938de2979d
2 changed files with 43 additions and 1 deletions
--- a/SOURCES/0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch
+++ b/SOURCES/0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch
@ -0,0 +1,38 @@
+From b79d62375e7b249c7b351b4b32a47ba310ac5fe9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Thu, 30 Jan 2025 20:37:38 +0000
+Subject: [PATCH] Filter out more unwanted command URIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I24c95d73b4fee89bdf044d5dd6efc9cd89627c54
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/181016
+Tested-by: Jenkins
+Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
+(cherry picked from commit 7105fb698f897ddb38bd60315444c07356689e14)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/181116
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+
+erAck: backported to 7.1.8.1
+---
+ desktop/source/app/cmdlineargs.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
+index 93d9e87..70b9f05 100644
+--- a/desktop/source/app/cmdlineargs.cxx
+++ b/desktop/source/app/cmdlineargs.cxx
+@@ -168,7 +168,7 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
+     if (nURIlen < 0)
+         nURIlen = rest2.getLength();
+     auto const uri = rest2.copy(0, nURIlen);
+-    if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
+    if (INetURLObject(uri).IsExoticProtocol()) {
+         // Let the "Open" machinery process the full command URI (leading to failure, by intention,
+         // as the "Open" machinery does not know about those command URI schemes):
+         curEvt = CommandLineEvent::Open;
+-- 
+2.48.1
--- a/SPECS/libreoffice.spec
+++ b/SPECS/libreoffice.spec
@ -54,7 +54,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.2
-Release:        18%{?libo_prerelease}%{?dist}
+Release:        19%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/

@ -302,6 +302,7 @@ Patch58: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra
 Patch59: 0006-CVE-2023-6186-backporting.patch
 Patch60: 0001-CVE-2024-3044-add-notify-for-script-use.patch
 Patch61: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch
+Patch62: 0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch

 %if 0%{?rhel}
 # not upstreamed
@ -2308,6 +2309,9 @@ done
 %{_includedir}/LibreOfficeKit

 %changelog
+* Tue Mar 11 2025 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-19
+- Fix CVE-2025-1080 Filter out more unwanted command URIs
+
 * Thu Aug 15 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-18
 - Fix CVE-2024-6472 remove ability to trust not validated macro signatures in
  high security