From cd9bfb4a750c54322c2e47e2fa2cd567eaca6c34 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 6 Jul 2026 01:31:40 -0400 Subject: [PATCH] import CS git libreoffice-6.4.7.2-21.el8_10 --- ...ula-of-length-L-needs-L-plus-1-slots.patch | 40 +++++++++++++++++++ SPECS/libreoffice.spec | 9 ++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch diff --git a/SOURCES/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch b/SOURCES/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch new file mode 100644 index 0000000..05572c7 --- /dev/null +++ b/SOURCES/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch @@ -0,0 +1,40 @@ +From 4a50741dd2c5bc79f0b7bd50a2e2b05a6b32d14a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Sun, 26 Apr 2026 17:12:34 +0100 +Subject: [PATCH] A formula of length L, composed entirely of open tokens, + needs L+1 slots +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Caolán McNamara +Change-Id: I7cf1fd4fdaca780a8f0cf0d0b9d10def9b3af1ef +Reviewed-on: https://gerrit.collaboraoffice.com/c/online/+/1690 +Tested-by: Jenkins CPCI +(cherry picked from commit 0b7a9149d7c7b5e044bb4f02668297bdf41b64d6) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/205090 +Tested-by: Jenkins +Reviewed-by: Xisco Fauli +--- + sc/source/core/tool/compiler.cxx | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx +index e26dd00..337cd32 100644 +--- a/sc/source/core/tool/compiler.cxx ++++ b/sc/source/core/tool/compiler.cxx +@@ -4509,8 +4509,9 @@ std::unique_ptr ScCompiler::CompileString( const OUString& rFormul + bool bUseFunctionStack = (bPODF || bOOXML); + const size_t nAlloc = 512; + FunctionStack aFuncs[ nAlloc ]; +- FunctionStack* pFunctionStack = (bUseFunctionStack && static_cast(rFormula.getLength()) > nAlloc ? +- new FunctionStack[rFormula.getLength()] : &aFuncs[0]); ++ // A formula of length L composed entirely of open tokens needs L+1 slots, ++ FunctionStack* pFunctionStack = (bUseFunctionStack && static_cast(rFormula.getLength()) >= nAlloc ? ++ new FunctionStack[rFormula.getLength() + 1] : &aFuncs[0]); + pFunctionStack[0].eOp = ocNone; + pFunctionStack[0].nSep = 0; + size_t nFunction = 0; +-- +2.52.0 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 9e7ce2a..ca15f6c 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 20%{?libo_prerelease}%{?dist} +Release: 21%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -307,6 +307,8 @@ Patch62: 0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch Patch63: 0001-Introduceio3tl::make_unsigned-to-cast-from-signed-to-unsigned-type.patch # https://gerrit.libreoffice.org/c/core/+/202756 Patch64: 0002-CVE-2026-4430-Conform-AlignEngine-parsing.patch +# https://github.com/LibreOffice/core/commit/a28cead4b7796642d946173b479281a6272117f2 +Patch65: 0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch %if 0%{?rhel} # not upstreamed @@ -2313,6 +2315,11 @@ done %{_includedir}/LibreOfficeKit %changelog +* Tue Jun 23 2026 RHEL Packaging Agent - 1:6.4.7.2-21 +- Fix CVE-2026-8357 buffer overflow in Calc formula compiler with + formulas composed entirely of open tokens +- Resolves: RHEL-186059 + * Tue May 19 2026 Tomas Popela - 1:6.4.7.2-20 - Fix CVE-2026-4430 Conform AlignEngine parsing to what section 2.3.4.10 of the spec has