From 95b2641468a862d1c14510ba087ccdceab80951b Mon Sep 17 00:00:00 2001 From: Eike Rathke Date: Fri, 7 Jun 2024 12:47:03 +0200 Subject: [PATCH] Fix CVE-2024-3044 add notify for script use Resolves: RHEL-36418 --- ...-2024-3044-add-notify-for-script-use.patch | 29 +++++++++++++++++++ libreoffice.spec | 6 +++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 0001-CVE-2024-3044-add-notify-for-script-use.patch diff --git a/0001-CVE-2024-3044-add-notify-for-script-use.patch b/0001-CVE-2024-3044-add-notify-for-script-use.patch new file mode 100644 index 0000000..d9a1685 --- /dev/null +++ b/0001-CVE-2024-3044-add-notify-for-script-use.patch @@ -0,0 +1,29 @@ +From 6582f7956313e16ea7df5b7cc961d368c150de0a Mon Sep 17 00:00:00 2001 +From: Caolán McNamara +Date: Wed, 27 Mar 2024 17:07:20 +0000 +Subject: [PATCH] add notify for script use + +Change-Id: I84af197cec7755f6803a578e1e21c03966ad5f3e +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165410 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Miklos Vajna +(cherry picked from commit a4a5c6b63599bca1f084bb90875f6fd8e15184ac) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/167419 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +--- + +diff --git a/xmloff/source/draw/eventimp.cxx b/xmloff/source/draw/eventimp.cxx +index 226caca..bcf67c4 100644 +--- a/xmloff/source/draw/eventimp.cxx ++++ b/xmloff/source/draw/eventimp.cxx +@@ -212,6 +212,9 @@ + + if( maData.mbValid ) + maData.mbValid = !sEventName.isEmpty(); ++ ++ if (!maData.msMacroName.isEmpty()) ++ rImp.NotifyMacroEventRead(); + } + + css::uno::Reference< css::xml::sax::XFastContextHandler > SdXMLEventContext::createFastChildContext( diff --git a/libreoffice.spec b/libreoffice.spec index 8a23890..dd2eb15 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 12%{?libo_prerelease}%{?dist} +Release: 13%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -296,6 +296,7 @@ Patch40: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot Patch41: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch Patch42: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch Patch43: 0006-CVE-2023-6186-backporting.patch +Patch44: 0001-CVE-2024-3044-add-notify-for-script-use.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -2299,6 +2300,9 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog +* Fri Jun 07 2024 Eike Rathke - 1:7.1.8.1-13 +- Fix CVE-2024-3044 add notify for script use + * Fri Mar 08 2024 Eike Rathke - 1:7.1.8.1-12 - Fix CVE-2023-6185 escape url passed to gstreamer - Fix CVE-2023-6186 check link target protocols