From d28fda00684ac451aaf4e1492b3a9211b159bf5b Mon Sep 17 00:00:00 2001 From: Tomas Popela Date: Tue, 7 Jul 2026 09:10:54 +0200 Subject: [PATCH] Fix CVE-2026-8357 and CVE-2026-4430 And bring exclude arch to CentOS Stream Resolves: RHEL-186057 Resolves: RHEL-176582 --- ...026-4430-Conform-AlignEngine-parsing.patch | 46 +++++++++++++++++++ ...ula-of-length-L-needs-L-plus-1-slots.patch | 37 +++++++++++++++ libreoffice.spec | 20 +++++++- 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 0001-CVE-2026-4430-Conform-AlignEngine-parsing.patch create mode 100644 0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch diff --git a/0001-CVE-2026-4430-Conform-AlignEngine-parsing.patch b/0001-CVE-2026-4430-Conform-AlignEngine-parsing.patch new file mode 100644 index 0000000..2b2d4ab --- /dev/null +++ b/0001-CVE-2026-4430-Conform-AlignEngine-parsing.patch @@ -0,0 +1,46 @@ +From 1ec3db717fa144ddff3e9b0a2338a82355cf365b Mon Sep 17 00:00:00 2001 +From: Caolán McNamara +Date: Mon, 16 Mar 2026 17:22:23 +0000 +Subject: [PATCH] Conform AlignEngine parsing to what section 2.3.4.10 of the spec has + +Change-Id: Ibb9162b1ce7993ef74665ec0329c95b423fa8174 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/201874 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +--- + +diff -up libreoffice-7.1.8.1/oox/source/crypto/AgileEngine.cxx.cve-2026-4430 libreoffice-7.1.8.1/oox/source/crypto/AgileEngine.cxx +--- libreoffice-7.1.8.1/oox/source/crypto/AgileEngine.cxx.cve-2026-4430 2021-12-03 22:40:28.000000000 +0100 ++++ libreoffice-7.1.8.1/oox/source/crypto/AgileEngine.cxx 2026-05-18 08:51:46.431152626 +0200 +@@ -8,6 +8,8 @@ + * + */ + ++#include ++#include + #include + + #include +@@ -532,8 +534,21 @@ bool AgileEngine::readEncryptionInfo(uno + if (0 > mInfo.spinCount || mInfo.spinCount > 10000000) + return false; + +- if (1 > mInfo.saltSize|| mInfo.saltSize > 65536) // Check ++ // [MS-OFFCRYPTO] 2.3.4.10: saltSize "MUST be at least 1 and no greater than 65,536" ++ if (1 > mInfo.saltSize || mInfo.saltSize > 65536) ++ { ++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): saltSize out of range: " << mInfo.saltSize); ++ return false; ++ } ++ ++ // [MS-OFFCRYPTO] 2.3.4.10: "The number of bytes required to decode the saltValue ++ // attribute MUST be equal to the value of the saltSize attribute" ++ if (mInfo.keyDataSalt.size() != o3tl::make_unsigned(mInfo.saltSize)) ++ { ++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): keyDataSalt size " << mInfo.keyDataSalt.size() ++ << " does not match saltSize " << mInfo.saltSize); + return false; ++ } + + // AES 128 CBC with SHA1 + if (mInfo.keyBits == 128 && diff --git a/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch b/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch new file mode 100644 index 0000000..6f12f1a --- /dev/null +++ b/0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch @@ -0,0 +1,37 @@ +From a28cead4b7796642d946173b479281a6272117f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Sun, 26 Apr 2026 17:12:34 +0100 +Subject: [PATCH] A formula of length L, composed entirely of open tokens, + needs L+1 slots +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Caolán McNamara +Change-Id: I7cf1fd4fdaca780a8f0cf0d0b9d10def9b3af1ef +Reviewed-on: https://gerrit.collaboraoffice.com/c/online/+/1690 +Tested-by: Jenkins CPCI +(cherry picked from commit 0b7a9149d7c7b5e044bb4f02668297bdf41b64d6) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/205090 +Tested-by: Jenkins +Reviewed-by: Xisco Fauli +--- + sc/source/core/tool/compiler.cxx | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx +index d1a6c8937ec61..f5b87efba2836 100644 +--- a/sc/source/core/tool/compiler.cxx ++++ b/sc/source/core/tool/compiler.cxx +@@ -5058,8 +5058,9 @@ std::unique_ptr ScCompiler::CompileString( const OUString& rFormul + bool bUseFunctionStack = (bPODF || bOOXML); + const size_t nAlloc = 512; + FunctionStack aFuncs[ nAlloc ]; +- FunctionStack* pFunctionStack = (bUseFunctionStack && o3tl::make_unsigned(rFormula.getLength()) > nAlloc ? +- new FunctionStack[rFormula.getLength()] : &aFuncs[0]); ++ // A formula of length L composed entirely of open tokens needs L+1 slots, ++ FunctionStack* pFunctionStack = (bUseFunctionStack && o3tl::make_unsigned(rFormula.getLength()) >= nAlloc ? ++ new FunctionStack[rFormula.getLength() + 1] : &aFuncs[0]); + pFunctionStack[0].eOp = ocNone; + pFunctionStack[0].nSep = 0; + size_t nFunction = 0; diff --git a/libreoffice.spec b/libreoffice.spec index 496a805..73f616d 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -1,3 +1,8 @@ +# RHEL-9.* without i686, not shipped and Java mismatches +%if 0%{?rhel} >= 9 +ExcludeArch: %{ix86} +%endif + # download path contains version without the last (fourth) digit %global libo_version 7.1.8 # Should contain .alphaX / .betaX, if this is pre-release (actually @@ -57,7 +62,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 15%{?libo_prerelease}%{?dist} +Release: 16%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -299,6 +304,10 @@ Patch43: 0006-CVE-2023-6186-backporting.patch Patch44: 0001-CVE-2024-3044-add-notify-for-script-use.patch Patch45: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch Patch46: 0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch +# https://gerrit.libreoffice.org/c/core/+/202756 +Patch47: 0001-CVE-2026-4430-Conform-AlignEngine-parsing.patch +# https://github.com/LibreOffice/core/commit/a28cead4b7796642d946173b479281a6272117f2 +Patch48: 0001-CVE-2026-8357-A-formula-of-length-L-needs-L-plus-1-slots.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -2302,6 +2311,15 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog +* Tue Jul 07 2026 Tomas Popela - 1:7.1.8.1-16 +- Fix CVE-2026-8357 Arbitrary code execution via heap buffer overflow in + formula compilation +- Resolves: RHEL-186057 +- Fix CVE-2026-4430 Conform AlignEngine parsing to what section 2.3.4.10 of + the spec has +- Resolves: RHEL-176582 +- ExcludeArch i686 for RHEL-9.* (was part of RHEL, but not brought to CentOS Stream) + * Mon Mar 10 2025 Eike Rathke - 1:7.1.8.1-15 - Fix CVE-2025-1080 Filter out more unwanted command URIs