diff --git a/SOURCES/0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch b/SOURCES/0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch
new file mode 100644
index 0000000..c4d7734
--- /dev/null
+++ b/SOURCES/0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch
@@ -0,0 +1,39 @@
+From b79d62375e7b249c7b351b4b32a47ba310ac5fe9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Thu, 30 Jan 2025 20:37:38 +0000
+Subject: [PATCH] Filter out more unwanted command URIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I24c95d73b4fee89bdf044d5dd6efc9cd89627c54
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/181016
+Tested-by: Jenkins
+Reviewed-by: Xisco Fauli
+(cherry picked from commit 7105fb698f897ddb38bd60315444c07356689e14)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/181116
+Reviewed-by: Caolán McNamara
+Reviewed-by: Christian Lohmaier
+Tested-by: Christian Lohmaier
+
+erAck: backported to 7.1.8.1
+---
+ desktop/source/app/cmdlineargs.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
+index 93d9e87..70b9f05 100644
+--- a/desktop/source/app/cmdlineargs.cxx
++++ b/desktop/source/app/cmdlineargs.cxx
+@@ -168,7 +168,7 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
+ if (nURIlen < 0)
+ nURIlen = rest2.getLength();
+ auto const uri = rest2.copy(0, nURIlen);
+- if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
++ if (INetURLObject(uri).IsExoticProtocol()) {
+ // Let the "Open" machinery process the full command URI (leading to failure, by intention,
+ // as the "Open" machinery does not know about those command URI schemes):
+ curEvt = CommandLineEvent::Open;
+--
+2.48.1
+
diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec
index d160e44..f25601a 100644
--- a/SPECS/libreoffice.spec
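Review bot: The new condition `INetURLObject(uri).IsExoticProtocol()` in CheckOfficeURI hands the whole reject list to a helper whose definition is not part of this patch, so what the backport filters depends on how that helper is defined in the 7.1.8.1 tree, which may differ from the branch the fix was written for. It is worth confirming against the backport tree that the helper covers every scheme the upstream change was meant to refuse, and recording the intent above the check, for example `// uri is taken from a command-line argument: refuse every scheme IsExoticProtocol() reports, not only macro:`. The embedded diffstat shows only cmdlineargs.cxx changed (1 insertion, 1 deletion), so no regression test for a non-macro inner URI travels with the backport. CheckOfficeURI starts and ends outside the hunk.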
+++ b/SPECS/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 14%{?libo_prerelease}%{?dist}.alma.1 +Release: 15%{?libo_prerelease}%{?dist}.alma.1 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -298,6 +298,7 @@ Patch42: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra Patch43: 0006-CVE-2023-6186-backporting.patch Patch44: 0001-CVE-2024-3044-add-notify-for-script-use.patch Patch45: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch +Patch46: 0001-CVE-2025-1080-Filter-out-more-unwanted-command-URIs.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -391,7 +392,7 @@ Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} %description base -GUI database front-end for LibreOffice. Allows creation and management of +GUI database front-end for LibreOffice. Allows creation and management of databases through a GUI. %if 0%{?fedora} @@ -477,7 +478,7 @@ BuildArch: noarch %description %{fontname}-fonts A dingbats font, OpenSymbol, suitable for use by LibreOffice for bullets and -mathematical symbols. +mathematical symbols. %package writer Summary: LibreOffice Word Processor Application @@ -491,7 +492,7 @@ Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} The LibreOffice Word Processor application. %package emailmerge -Summary: Email mail-merge component for LibreOffice +Summary: Email mail-merge component for LibreOffice Requires: %{name}-writer%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} 
@@ -541,7 +542,7 @@ Requires: %{name}-pdfimport%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} -%description math +%description math The LibreOffice Equation Editor Application. %package graphicfilter @@ -1037,6 +1038,7 @@ rm -rf git-hooks */git-hooks %global __scm git_am %__scm_setup_git_am + # apply patches %autopatch -M 99 %if 0%{?rhel} @@ -1264,7 +1266,7 @@ pushd %{buildroot}%{baseinstdir}/share/autocorr %make_autocorr_aliases -l en-GB en-AG en-AU en-BS en-BW en-BZ en-CA en-DK en-GH en-HK en-IE en-IN en-JM en-NG en-NZ en-SG en-TT %make_autocorr_aliases -l en-US en-PH -#en-ZA exists and has a good autocorrect file with two or three extras that make sense for +#en-ZA exists and has a good autocorrect file with two or three extras that make sense for #neighbouring english speaking territories %make_autocorr_aliases -l en-ZA en-NA en-ZW %if %{with langpacks} @@ -1324,7 +1326,7 @@ rm -f %{buildroot}%{baseinstdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/LICENSE ln -sr %{buildroot}%{lodatadocdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/CREDITS.fodt ln -sr %{buildroot}%{lodatadocdir}/LICENSE.html %{buildroot}%{baseinstdir}/LICENSE.html -#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs +#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs #have snuck through pic=0 executable=0 
@@ -1513,13 +1515,13 @@ export DESTDIR=%{buildroot} # appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-writer.appdata.xml \ https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/a.png \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-calc.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-draw.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-impress.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png %endif %if 0%{?flatpak} # Assemble the libreoffice-*.appdata.xml files into a single 
@@ -2290,9 +2292,12 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog -* Mon Aug 19 2024 Eduard Abdullin - 1:7.1.8.1-14.alma.1 +* Wed Apr 02 2025 Eduard Abdullin - 1:7.1.8.1-15.alma.1 - Debrand for AlmaLinux +* Mon Mar 10 2025 Eike Rathke - 1:7.1.8.1-15 +- Fix CVE-2025-1080 Filter out more unwanted command URIs + * Thu Aug 15 2024 Eike Rathke - 1:7.1.8.1-14 - Fix CVE-2024-6472 remove ability to trust not validated macro signatures in high security @@ -4451,7 +4456,7 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : * Wed Oct 19 2011 Caolán McNamara - 3.4.3.2-14 - Related: rhbz#743750 addXineramaScreenUnique issue - + * Fri Oct 07 2011 Stephan Bergmann - 3.4.3.2-13 - Patches to build with GCC 6.4.1