Import from CS git

.gitignore

@@ -2,7 +2,6 @@ SOURCES/17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 SOURCES/185d60944ea767075d27247c3162b3bc-unowinreg.dll
 SOURCES/884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf
 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
-SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 SOURCES/libreoffice-6.4.7.2.tar.xz
 SOURCES/libreoffice-help-6.4.7.2.tar.xz
 SOURCES/libreoffice-translations-6.4.7.2.tar.xz

.libreoffice.metadata

@@ -2,7 +2,6 @@
 0619ed3a89644bef318df67db12045b2b590585b SOURCES/185d60944ea767075d27247c3162b3bc-unowinreg.dll
 d336802a36ed2c87dd243e7c2f1d0542dace5cca SOURCES/884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf
 2d49e11b0b711970f494294dc3698f05eb294853 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
-7b5fd93d787fbc6d9c2d4025d543730ee8dc4559 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 b29d8cdb3db8d6b317e1cb9117b020d7e676e601 SOURCES/libreoffice-6.4.7.2.tar.xz
 ca7e087ef62f30c033db84ceb0f6a4021f53653e SOURCES/libreoffice-help-6.4.7.2.tar.xz
 0f74fd6286e71ff2b7c7bc01f41c8972e354d81c SOURCES/libreoffice-translations-6.4.7.2.tar.xz

SOURCES/0001-CVE-2021-25636.patch

@@ -0,0 +1,69 @@
+From ae1bd20a2d4d7b7d64edc3b06d7f901c05175b7d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 20 Dec 2021 17:05:44 +0000
+Subject: [PATCH] only use X509Data
+
+Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178
+Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
+(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139)
+---
+ .../source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx      | 6 ++++++
+ xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx      | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+index db400e6..39f9d7f 100644
+--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
++++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+@@ -21,6 +21,8 @@
+ #include <sal/log.hxx>
+ #include <rtl/uuid.h>
+ 
++#include <xmlsec/mscng/x509.h>
++
+ #include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
+ #include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+ 
+@@ -229,6 +231,10 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
+     // We do certificate verification ourselves.
+     pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++    // limit possible key data to valid X509 certificates only, no KeyValues
++    if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecMSCngKeyDataX509GetKlass()) < 0)
++        throw RuntimeException("failed to limit allowed key data");
++
+     //Verify signature
+     //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0)
+     //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if
+diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+index 827580b..8f4d6f8 100644
+--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
++++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+@@ -19,6 +19,8 @@
+ 
+ #include <sal/config.h>
+ 
++#include <xmlsec/nss/x509.h>
++
+ #include <xmlelementwrapper_xmlsecimpl.hxx>
+ #include <xmlsec/xmlstreamio.hxx>
+ #include <xmlsec/errorcallback.hxx>
+@@ -243,6 +245,10 @@ SAL_CALL XMLSignature_NssImpl::validate(
+         // We do certificate verification ourselves.
+         pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++        // limit possible key data to valid X509 certificates only, no KeyValues
++        if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0)
++            throw RuntimeException("failed to limit allowed key data");
++
+         //Verify signature
+         int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode );
+ 
+-- 
+2.33.1
+

SOURCES/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch

@@ -0,0 +1,63 @@
+From 77f30ada1156ca1e1357776fea8e9dc113f6898d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 3 Mar 2022 14:22:37 +0000
+Subject: [PATCH 1/4] CVE-2022-26305 compare authors using Thumbprint
+
+Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8)
+---
+ .../component/documentdigitalsignatures.cxx   | 23 +++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+index b9066ea92cac..5a21c8421bec 100644
+--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
++++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+@@ -19,9 +19,10 @@
+ 
+ #include <resourcemanager.hxx>
+ 
+-#include <digitalsignaturesdialog.hxx>
++#include <certificate.hxx>
+ #include <certificatechooser.hxx>
+ #include <certificateviewer.hxx>
++#include <digitalsignaturesdialog.hxx>
+ #include <macrosecurity.hxx>
+ #include <biginteger.hxx>
+ #include <strings.hrc>
+@@ -666,9 +667,23 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
+     Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors();
+ 
+     return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(),
+-        [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
+-            return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName())
+-                && ( rAuthor[1] == sSerialNum );
++        [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
++            if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()))
++                return false;
++            if (rAuthor[1] != sSerialNum)
++                return false;
++
++            DocumentSignatureManager aSignatureManager(mxCtx, {});
++            if (!aSignatureManager.init())
++                return false;
++            uno::Reference<css::security::XCertificate> xCert = aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]);
++
++            auto pAuthor = dynamic_cast<xmlsecurity::Certificate*>(xAuthor.get());
++            auto pCert = dynamic_cast<xmlsecurity::Certificate*>(xCert.get());
++            if (pAuthor && pCert)
++                return pCert->getSHA256Thumbprint() == pAuthor->getSHA256Thumbprint();
++
++            return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint();
+         });
+ }
+ 
+-- 
+2.37.1
+

SOURCES/0001-CVE-2022-3140.patch

@@ -0,0 +1,279 @@
+From 3831e68bffc233f581e3eb1cb3c7ed925daab86f Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Tue, 30 Aug 2022 14:04:52 +0200
+Subject: [PATCH] Filter out unwanted command URIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b)
+Conflicts:
+	desktop/source/app/cmdlineargs.cxx
+
+Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c)
+
+These commands are always URLs already
+
+Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042
+Tested-by: Jean-Pierre Ledure <jp@ledure.be>
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0)
+
+check IFrame "FrameURL" target
+
+similiar to
+
+commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627
+Date:   Wed Aug 7 17:37:11 2019 +0100
+
+    warn on load when a document binds an event to a macro
+
+Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+(cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d)
+
+check impress/calc IFrame "FrameURL" target
+
+similar to
+
+commit c7450d0b9d02c64ae3da467d329040787039767e
+Date:   Tue Aug 30 17:01:08 2022 +0100
+
+    check IFrame "FrameURL" target
+
+Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec)
+---
+ desktop/source/app/cmdlineargs.cxx   | 10 +++++++++-
+ sfx2/source/appl/macroloader.cxx     |  9 +++++++--
+ sfx2/source/doc/iframe.cxx           | 21 ++++++++++++++++-----
+ sfx2/source/inc/macroloader.hxx      |  2 ++
+ sw/source/filter/html/htmlplug.cxx   |  7 ++++++-
+ sw/source/filter/xml/xmltexti.cxx    |  9 +++++++--
+ wizards/source/access2base/DoCmd.xba |  2 +-
+ xmloff/source/draw/ximpshap.cxx      |  4 ++++
+ 8 files changed, 52 insertions(+), 12 deletions(-)
+
+diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
+index 381147c..5babfbe 100644
+--- a/desktop/source/app/cmdlineargs.cxx
++++ b/desktop/source/app/cmdlineargs.cxx
+@@ -27,6 +27,7 @@
+ 
+ #include "cmdlineargs.hxx"
+ #include <tools/stream.hxx>
++#include <tools/urlobj.hxx>
+ #include <vcl/svapp.hxx>
+ #include <rtl/uri.hxx>
+ #include <rtl/ustring.hxx>
+@@ -169,7 +170,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
+     }
+     if (nURIlen < 0)
+         nURIlen = rest2.getLength();
+-    arg = rest2.copy(0, nURIlen);
++    auto const uri = rest2.copy(0, nURIlen);
++    if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
++        // Let the "Open" machinery process the full command URI (leading to failure, by intention,
++        // as the "Open" machinery does not know about those command URI schemes):
++        curEvt = CommandLineEvent::Open;
++    } else {
++        arg = uri;
++    }
+     return curEvt;
+ }
+ 
+diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx
+index 98e036e..b50d1e6 100644
+--- a/sfx2/source/appl/macroloader.cxx
++++ b/sfx2/source/appl/macroloader.cxx
+@@ -76,10 +76,10 @@ css::uno::Sequence<OUString> SAL_CALL SfxMacroLoader::getSupportedServiceNames()
+     return aSeq;
+ }
+ 
+-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
++SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference <XFrame>& xFrame)
+ {
+     SfxObjectShell* pDocShell = nullptr;
+-    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
++
+     if ( xFrame.is() )
+     {
+         SfxFrame* pFrame=nullptr;
+@@ -96,6 +96,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+     return pDocShell;
+ }
+ 
++SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
++{
++    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
++    return SfxMacroLoader::GetObjectShell(xFrame);
++}
+ 
+ uno::Reference<frame::XDispatch> SAL_CALL SfxMacroLoader::queryDispatch(
+     const util::URL&   aURL            ,
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 8b12715..b5291b2 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -39,11 +39,13 @@
+ #include <svl/ownlist.hxx>
+ #include <svl/itemprop.hxx>
+ #include <sfx2/frmdescr.hxx>
++#include <sfx2/objsh.hxx>
+ #include <sfx2/sfxdlg.hxx>
+ #include <sfx2/sfxsids.hrc>
+ #include <toolkit/helper/vclunohelper.hxx>
+ #include <vcl/window.hxx>
+ #include <tools/debug.hxx>
++#include <macroloader.hxx>
+ 
+ using namespace ::com::sun::star;
+ 
+@@ -159,6 +161,19 @@ sal_Bool SAL_CALL IFrameObject::load(
+ {
+     if ( SvtMiscOptions().IsPluginsEnabled() )
+     {
++        util::URL aTargetURL;
++        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
++        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
++        xTrans->parseStrict( aTargetURL );
++
++        if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
++        {
++            uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
++            SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
++            if (pDoc && !pDoc->AdjustMacroMode())
++                return false;
++        }
++
+         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+@@ -181,16 +196,12 @@ sal_Bool SAL_CALL IFrameObject::load(
+         if ( xFramesSupplier.is() )
+             mxFrame->setCreator( xFramesSupplier );
+ 
+-        util::URL aTargetURL;
+-        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+-        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+-        xTrans->parseStrict( aTargetURL );
+-
+         uno::Sequence < beans::PropertyValue > aProps(2);
+         aProps[0].Name = "PluginMode";
+         aProps[0].Value <<= sal_Int16(2);
+         aProps[1].Name = "ReadOnly";
+         aProps[1].Value <<= true;
++
+         uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
+         if ( xDisp.is() )
+             xDisp->dispatch( aTargetURL, aProps );
+diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx
+index 9e1dfba..b3e7a5e 100644
+--- a/sfx2/source/inc/macroloader.hxx
++++ b/sfx2/source/inc/macroloader.hxx
+@@ -82,6 +82,8 @@ public:
+     virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
+ 
+     virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
++
++    static SfxObjectShell* GetObjectShell(const css::uno::Reference<css::frame::XFrame>& xFrame);
+ };
+ 
+ #endif
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index a0da671..eb70704 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1087,7 +1087,12 @@ void SwHTMLParser::InsertFloatingFrame()
+                 bool bHasBorder = aFrameDesc.HasFrameBorder();
+                 Size aMargin = aFrameDesc.GetMargin();
+ 
+-                xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) );
++                OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
++
++                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                    NotifyMacroEventRead();
++
++                xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+                 xSet->setPropertyValue("FrameName", uno::makeAny( aName ) );
+ 
+                 if ( eScroll == ScrollingMode::Auto )
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index 788bec5..72a14b9 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -853,9 +853,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+             uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY );
+             if ( xSet.is() )
+             {
++                OUString sHRef = URIHelper::SmartRel2Abs(
++                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
++
++                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                    GetXMLImport().NotifyMacroEventRead();
++
+                 xSet->setPropertyValue("FrameURL",
+-                    makeAny( URIHelper::SmartRel2Abs(
+-                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) );
++                    makeAny( rHRef ) );
+ 
+                 xSet->setPropertyValue("FrameName",
+                     makeAny( rName ) );
+diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba
+index 27b0d74..26755a8 100644
+--- a/wizards/source/access2base/DoCmd.xba
++++ b/wizards/source/access2base/DoCmd.xba
+@@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String)
+ 
+ Dim oShell As Object
+ 	Set oShell = createUnoService(&quot;com.sun.star.system.SystemShellExecute&quot;)
+-	oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS)
++	oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY)
+ 
+ End Sub				&apos;	_ShellExecute			V0.8.5
+ 
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index 2e509f8..ae35f1e 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -87,6 +87,7 @@
+ #include <basegfx/polygon/b2dpolypolygon.hxx>
+ #include <basegfx/polygon/b2dpolypolygontools.hxx>
+ #include <basegfx/vector/b2dvector.hxx>
++#include <tools/urlobj.hxx>
+ #include <o3tl/safeint.hxx>
+ 
+ using namespace ::com::sun::star;
+@@ -3243,6 +3244,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+ 
+             if( !maHref.isEmpty() )
+             {
++                if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++                    GetImport().NotifyMacroEventRead();
++
+                 xProps->setPropertyValue("FrameURL", Any(maHref) );
+             }
+         }
+-- 
+2.37.3
+

SOURCES/0001-CVE-2022-38745.patch

@@ -0,0 +1,93 @@
+From 36c5c16b7846ff31f403913ad5cdddf8b22fda43 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: [PATCH] Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+---
+ .../plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
+ jvmfwk/source/framework.cxx                      |  8 ++++++--
+ jvmfwk/source/fwkbase.cxx                        |  3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 4760ab6..ea133ea 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
++++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -687,17 +687,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+     // all versions below 1.5.1
+     options.emplace_back("abort", reinterpret_cast<void*>(abort_handler));
+     bool hasStackSize = false;
++#ifdef UNX
++    // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++    // in the class path in order to have applet support:
++    OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
++#endif
+     for (int i = 0; i < cOptions; i++)
+     {
+         OString opt(arOptions[i].optionString);
+ #ifdef UNX
+-        // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
+-        // in the class path in order to have applet support:
+         if (opt.startsWith("-Djava.class.path="))
+         {
+-            OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
+             if (!sAddPath.isEmpty())
++            {
+                 opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++                sAddPath.clear();
++            }
+         }
+ #endif
+         if (opt == "-Xint") {
+@@ -742,6 +747,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+         }
+ #endif
+     }
++#ifdef UNX
++    if (!sAddPath.isEmpty()) {
++        options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++    }
++#endif
+ 
+     std::unique_ptr<JavaVMOption[]> sarOptions(new JavaVMOption[options.size()]);
+     for (std::vector<Option>::size_type i = 0; i != options.size(); ++i) {
+diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
+index 3212030..f532ebd 100644
+--- a/jvmfwk/source/framework.cxx
++++ b/jvmfwk/source/framework.cxx
+@@ -210,8 +210,12 @@ javaFrameworkError jfw_startVM(
+                 //In direct mode the options are specified by bootstrap variables
+                 //of the form UNO_JAVA_JFW_PARAMETER_1 .. UNO_JAVA_JFW_PARAMETER_n
+                 vmParams = jfw::BootParams::getVMParameters();
+-                sUserClassPath =
+-                    "-Djava.class.path=" + jfw::BootParams::getClasspath();
++                auto const cp = jfw::BootParams::getClasspath();
++                if (!cp.isEmpty())
++                {
++                    sUserClassPath =
++                        "-Djava.class.path=" + cp;
++                }
+             }
+             else
+                 OSL_ASSERT(false);
+diff --git a/jvmfwk/source/fwkbase.cxx b/jvmfwk/source/fwkbase.cxx
+index ece4dd2..93c32a7 100644
+--- a/jvmfwk/source/fwkbase.cxx
++++ b/jvmfwk/source/fwkbase.cxx
+@@ -460,6 +460,9 @@ OString makeClassPathOption(OUString const & sUserClassPath)
+ 
+     sPaths = OUStringToOString(
+         sBufCP.makeStringAndClear(), osl_getThreadTextEncoding());
++    if (sPaths.isEmpty()) {
++        return "";
++    }
+ 
+     OString sOptionClassPath = "-Djava.class.path=" + sPaths;
+     return sOptionClassPath;
+-- 
+2.39.2
+

SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch

@@ -0,0 +1,69 @@
+From 6167f5815aefa78a70517c8e2acbdd7b9c9be27d Mon Sep 17 00:00:00 2001
+Message-ID: <6167f5815aefa78a70517c8e2acbdd7b9c9be27d.1703003067.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 14:20:07 +0000
+Subject: [PATCH] escape url passed to gstreamer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159583
+
+erAck: backported to 7.1.8.1
+
+---
+ avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-escape-url-passed-to-gstreamer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-escape-url-passed-to-gstreamer.patch"
+
+diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx
+index ece799d87530..25170a296e66 100644
+--- a/avmedia/source/gstreamer/gstframegrabber.cxx
++++ b/avmedia/source/gstreamer/gstframegrabber.cxx
+@@ -51,11 +51,9 @@ void FrameGrabber::disposePipeline()
+ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     FrameGrabber_BASE()
+ {
+-    gchar *pPipelineStr;
+-    pPipelineStr = g_strdup_printf(
+-        "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
+-        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
+-        OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
++    const char pPipelineStr[] =
++        "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
++        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"";
+ 
+     GError *pError = nullptr;
+     mpPipeline = gst_parse_launch( pPipelineStr, &pError );
+@@ -66,6 +64,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     }
+ 
+     if( mpPipeline ) {
++
++        if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source"))
++            g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr);
++        else
++            g_warning("Missing 'source' element in gstreamer pipeline");
++
+         // pre-roll
+         switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
+         case GST_STATE_CHANGE_FAILURE:
+
+--------------erAck-patch-parts--
+
+

SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch

@@ -0,0 +1,93 @@
+From 37d73a1ab94b43e03866d5a910cb58331543b8c3 Mon Sep 17 00:00:00 2001
+Message-ID: <37d73a1ab94b43e03866d5a910cb58331543b8c3.1703086247.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:14:26 +0000
+Subject: [PATCH] add some protocols that don't make sense as floating frame
+ targets
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159582
+
+erAck: backported to 7.1.8.1
+
+---
+ include/tools/urlobj.hxx     | 5 +++++
+ sfx2/source/doc/iframe.cxx   | 5 ++++-
+ tools/source/fsys/urlobj.cxx | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+
+diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx
+index 9d6820ddf241..dfd658722826 100644
+--- a/include/tools/urlobj.hxx
++++ b/include/tools/urlobj.hxx
+@@ -915,6 +915,11 @@ public:
+ 
+     void changeScheme(INetProtocol eTargetScheme);
+ 
++    // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot,
++    // vnd.sun.star.script, etc. All the types of URLs which shouldn't
++    // be accepted from an outside controlled source
++    bool IsExoticProtocol() const;
++
+ private:
+     // General Structure:
+ 
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 150218b436e9..b81ce82fd32e 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -168,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+         xTrans->parseStrict( aTargetURL );
+ 
+         INetURLObject aURLObject(aTargetURL.Complete);
+-        if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++        if (aURLObject.IsExoticProtocol())
++        {
++            //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);
+             return false;
++        }
+ 
+         uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+         SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 764bb28ef623..2a9f7bc3d7dc 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension()
+         ? aTheExtension : OUString();
+ }
+ 
++bool INetURLObject::IsExoticProtocol() const
++{
++    return m_eScheme == INetProtocol::Slot ||
++           m_eScheme == INetProtocol::Macro ||
++           m_eScheme == INetProtocol::Uno ||
++           isSchemeEqualTo(u"vnd.sun.star.script");
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+
+--------------erAck-patch-parts--
+
+

SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch

@@ -0,0 +1,29 @@
+From 3c25a1e4885a91b1a2fbfd873633f055caa50745 Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolan.mcnamara@collabora.com>
+Date: Wed, 27 Mar 2024 17:07:20 +0000
+Subject: [PATCH] add notify for script use
+
+Change-Id: I84af197cec7755f6803a578e1e21c03966ad5f3e
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165410
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit a4a5c6b63599bca1f084bb90875f6fd8e15184ac)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/167421
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+---
+
+diff --git a/xmloff/source/draw/eventimp.cxx b/xmloff/source/draw/eventimp.cxx
+index f9e10c1..fcc36f9 100644
+--- a/xmloff/source/draw/eventimp.cxx
++++ b/xmloff/source/draw/eventimp.cxx
+@@ -231,6 +231,9 @@
+ 
+     if( maData.mbValid )
+         maData.mbValid = !sEventName.isEmpty();
++
++    if (!maData.msMacroName.isEmpty())
++        rImp.NotifyMacroEventRead();
+ }
+ 
+ SvXMLImportContextRef SdXMLEventContext::CreateChildContext( sal_uInt16 nPrefix, const OUString& rLocalName, const Reference< XAttributeList>& xAttrList )

SOURCES/0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch

@@ -0,0 +1,81 @@
+From 4e997c62fd6edf6c3fe9e553cc92c77fd48f039c Mon Sep 17 00:00:00 2001
+Message-ID: <4e997c62fd6edf6c3fe9e553cc92c77fd48f039c.1723718921.git.erack@redhat.com>
+From: Sarper Akdemir <sarper.akdemir@allotropia.de>
+Date: Tue, 11 Jun 2024 12:39:36 +0200
+Subject: [PATCH] remove ability to trust not validated macro signatures in
+ high security
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Giving the user the option to determine if they should trust an
+invalid signature in HIGH macro security doesn't make sense.
+CommonName of the signature is the most prominent feature presented
+and the CommonName of a certificate can be easily forged for an
+invalid signature, tricking the user into accepting an invalid
+signature.
+
+in the HIGH macro security setting only show the pop-up to
+enable/disable signed macro if the certificate signature can be
+validated.
+
+cherry-picked without UI/String altering bits for 24-2
+
+Change-Id: Ia766fb701660160ee5dc9f6e077f4012a44ce721
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168667
+Tested-by: Jenkins
+Reviewed-by: Sarper Akdemir <sarper.akdemir@allotropia.de>
+(cherry picked from commit 2beaa3be3829303e948d401f492dbfd239d60aad)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169525
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171306
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171314
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171315
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171317
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171323
+---
+ sfx2/source/doc/docmacromode.cxx | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-remove-ability-to-trust-not-validated-macro-signatur.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-remove-ability-to-trust-not-validated-macro-signatur.patch"
+
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 8a617b1785c6..997a8f739395 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -229,14 +229,18 @@ namespace sfx2
+             // check whether the document is signed with trusted certificate
+             if ( nMacroExecutionMode != MacroExecMode::FROM_LIST )
+             {
++                SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState();
++
+                 // the trusted macro check will also retrieve the signature state ( small optimization )
+                 const SvtSecurityOptions aSecOption;
+                 const bool bAllowUIToAddAuthor = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
+                                                  && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
+-                                                     || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors));
++                                                     || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors))
++                                                 && (nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_WARN
++                                                     || nSignatureState == SignatureState::OK);
++
+                 const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUIToAddAuthor);
+ 
+-                SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState();
+                 if ( nSignatureState == SignatureState::BROKEN )
+                 {
+                     if (!bAllowUIToAddAuthor)
+
+--------------erAck-patch-parts--
+
+

SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch

@@ -0,0 +1,80 @@
+From b66d735cf3dc8b80783cb161c0aff5b990db1bb0 Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Thu, 16 Feb 2023 20:20:31 +0100
+Subject: [PATCH 1/3] Obtain actual 0-parameter count for OR(), AND() and
+ 1-parameter functions
+
+OR and AND for legacy infix notation are classified as binary
+operators but in fact are functions with parameter count. In case
+no argument is supplied, GetByte() returns 0 and for that case the
+implicit binary operator 2 parameters were wrongly assumed.
+Similar for functions expecting 1 parameter, without argument 1
+was assumed. For "real" unary and binary operators the compiler
+already checks parameters. Omit OR and AND and 1-parameter
+functions from this implicit assumption and return the actual 0
+count.
+
+Change-Id: Ie05398c112a98021ac2875cf7b6de994aee9d882
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147173
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+
+(cherry picked from commit e7ce9bddadb2db222eaa5f594ef1de2e36d57e5c)
+Conflicts:
+        sc/source/core/tool/interpr4.cxx
+---
+ formula/source/core/api/token.cxx | 13 +++++--------
+ sc/source/core/tool/interpr4.cxx  | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/formula/source/core/api/token.cxx b/formula/source/core/api/token.cxx
+index 17594207234f..0db0c3464610 100644
+--- a/formula/source/core/api/token.cxx
++++ b/formula/source/core/api/token.cxx
+@@ -95,17 +95,14 @@ sal_uInt8 FormulaToken::GetParamCount() const
+         return 0;       // parameters and specials
+                         // ocIf... jump commands not for FAP, have cByte then
+ //2do: bool parameter whether FAP or not?
+-    else if ( GetByte() )
++    else if (GetByte())
+         return GetByte();   // all functions, also ocExternal and ocMacro
+-    else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP)
+-        return 2;           // binary
+-    else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP)
+-            || eOp == ocPercentSign)
+-        return 1;           // unary
++    else if (SC_OPCODE_START_BIN_OP <= eOp && eOp < SC_OPCODE_STOP_BIN_OP && eOp != ocAnd && eOp != ocOr)
++        return 2;           // binary operators, compiler checked; OR and AND legacy but are functions
++    else if ((SC_OPCODE_START_UN_OP <= eOp && eOp < SC_OPCODE_STOP_UN_OP) || eOp == ocPercentSign)
++        return 1;           // unary operators, compiler checked
+     else if (SC_OPCODE_START_NO_PAR <= eOp && eOp < SC_OPCODE_STOP_NO_PAR)
+         return 0;           // no parameter
+-    else if (SC_OPCODE_START_1_PAR <= eOp && eOp < SC_OPCODE_STOP_1_PAR)
+-        return 1;           // one parameter
+     else if (FormulaCompiler::IsOpCodeJumpCommand( eOp ))
+         return 1;           // only the condition counts as parameter
+     else
+diff --git a/sc/source/core/tool/interpr4.cxx b/sc/source/core/tool/interpr4.cxx
+index eb3fb987c034..94235c33eaef 100644
+--- a/sc/source/core/tool/interpr4.cxx
++++ b/sc/source/core/tool/interpr4.cxx
+@@ -4012,7 +4012,15 @@ StackVar ScInterpreter::Interpret()
+                 else if (sp >= pCur->GetParamCount())
+                     nStackBase = sp - pCur->GetParamCount();
+                 else
+-                    nStackBase = sp;    // underflow?!?
++                {
++                    SAL_WARN("sc.core", "Stack anomaly at " << aPos.Format(
++                                ScRefFlags::VALID | ScRefFlags::FORCE_DOC | ScRefFlags::TAB_3D, pDok)
++                            << "  eOp: " << static_cast<int>(eOp)
++                            << "  params: " << static_cast<int>(pCur->GetParamCount())
++                            << "  nStackBase: " << nStackBase << "  sp: " << sp);
++                    nStackBase = sp;
++                    assert(!"underflow");
++                }
+             }
+ 
+             switch( eOp )
+-- 
+2.41.0
+

SOURCES/0001-disable-script-dump.patch

@@ -0,0 +1,99 @@
+From ff68c22161071ce89851c6d81e80ba51b67e8e0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Feb 2023 13:56:10 +0000
+Subject: [PATCH] disable script dump
+
+Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146986
+Tested-by: Jenkins
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147051
+Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147255
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Andras Timar <andras.timar@collabora.com>
+(cherry picked from commit ae3a7dcbb60bb73700737b9ca8940ce3103648d9)
+---
+ .../source/drivers/hsqldb/HDriver.cxx         | 31 +++++++++++++++++++
+ external/hsqldb/UnpackedTarball_hsqldb.mk     |  1 +
+ .../hsqldb/patches/disable-dump-script.patch  | 14 +++++++++
+ 3 files changed, 46 insertions(+)
+ create mode 100644 external/hsqldb/patches/disable-dump-script.patch
+
+diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx
+index de76ecbba29de..95c610843efab 100644
+--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
++++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
+@@ -300,6 +300,37 @@ namespace connectivity
+                         } // if ( xStream.is() )
+                         ::comphelper::disposeComponent(xStream);
+                     }
++
++                    // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
++                    // in that bundled hsqldb 1.8.0 is patched to also reject them)
++                    //
++                    // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
++                    // which seems to provide a builtin way to do this with contemporary hsqldb
++                    const OUString sScript( "script" );
++                    if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
++                    {
++                        Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
++                        if (xStream.is())
++                        {
++                            std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
++                            if (pStream)
++                            {
++                                OString sLine;
++                                while (pStream->ReadLine(sLine))
++                                {
++                                    OString sText = sLine.trim();
++                                    if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
++                                    {
++                                        ::connectivity::SharedResources aResources;
++                                        sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
++                                        break;
++                                    }
++                                }
++                            }
++                        } // if ( xStream.is() )
++                        ::comphelper::disposeComponent(xStream);
++                    }
++
+                 }
+                 catch(Exception&)
+                 {
+diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk
+index cbba770f19a07..ed262cccf4caa 100644
+--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
++++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
+@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
+ 		external/hsqldb/patches/jdbc-4.1.patch \
+ 		external/hsqldb/patches/multipleResultSets.patch \
+ 	) \
++	external/hsqldb/patches/disable-dump-script.patch \
+ ))
+ 
+ # vim: set noet sw=4 ts=4:
+diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch
+new file mode 100644
+index 0000000000000..401dd38abc9a2
+--- /dev/null
++++ b/external/hsqldb/patches/disable-dump-script.patch
+@@ -0,0 +1,14 @@
++--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java	2023-02-13 11:08:11.297243034 +0000
+++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java	2023-02-13 13:49:17.973089433 +0000
++@@ -403,6 +403,11 @@
++                     throw Trace.error(Trace.INVALID_IDENTIFIER);
++                 }
++ 
+++                // added condition to avoid execution of spurious command in .script or .log file
+++                if (session.isProcessingScript() || session.isProcessingLog()) {
+++                    return new Result(ResultConstants.UPDATECOUNT);
+++                }
+++
++                 dsw = new ScriptWriterText(database, token, true, true, true);
++ 
++                 dsw.writeAll();
+-- 
+2.41.0
+

SOURCES/0001-rhbz-1980800-allow-convert-to-csv-to-write-each-shee.patch

@@ -1,4 +1,4 @@
-From c5a9fb7f00fe4d701d98c4058ad0f506c8dd146f Mon Sep 17 00:00:00 2001
+From b49380bd288e642352cb7ddc1c050e2fb34b5b43 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
 Date: Tue, 13 Jul 2021 12:38:07 +0100
 Subject: [PATCH] rhbz#1980800 allow --convert-to csv to write each sheet to a
@@ -45,15 +45,24 @@ Tested-by: Jenkins
 Change-Id: Ib99a120f1a2c8d1008a7a3c59a6b39f572fb346e
 b9248c9561e4e340c88458ac5dfd159e443a4cfd
 9431221aadf97739bb197871f25fa151ef4c391c
+
+Plus follow-up fix
+<https://git.libreoffice.org/core/+/d768757872ad25219fa291acd623ab98924acaaa%5E%21>
+"tdf#129829 sfx2: fix handling of password to open vs modify" (which happens to
+also fix saving to smb shares, in addition to the Windows-specific issue it was
+originally meant to fix), plus the relevant parts of its preceding
+<https://git.libreoffice.org/core/+/037cd13af81f8a1169d01e95036ed942f261f9a6%5E%21>
+"sw reqif-xhtml export: add a new RTFOLEMimeType parameter" introducing
+SfxMedium::SetArgs.
 ---
  desktop/source/app/dispatchwatcher.cxx |  50 +++++++--
- include/sfx2/docfile.hxx               |   1 +
+ include/sfx2/docfile.hxx               |   2 +
  sc/source/ui/dbgui/imoptdlg.cxx        |  16 ++-
  sc/source/ui/docshell/docsh.cxx        | 141 +++++++++++++++++++++----
  sc/source/ui/inc/docsh.hxx             |   2 +-
  sc/source/ui/inc/imoptdlg.hxx          |   6 +-
- sfx2/source/doc/docfile.cxx            |   4 +
- 7 files changed, 184 insertions(+), 36 deletions(-)
+ sfx2/source/doc/docfile.cxx            |  13 +++
+ 7 files changed, 194 insertions(+), 36 deletions(-)
 
 diff --git a/desktop/source/app/dispatchwatcher.cxx b/desktop/source/app/dispatchwatcher.cxx
 index 04140173c6d1..a5365da618e8 100644
@@ -154,13 +163,14 @@ index 04140173c6d1..a5365da618e8 100644
                                  }
                                  try
 diff --git a/include/sfx2/docfile.hxx b/include/sfx2/docfile.hxx
-index 2019b5738c01..09aae02b1976 100644
+index 2019b5738c01..2886348 100644
 --- a/include/sfx2/docfile.hxx
 +++ b/include/sfx2/docfile.hxx
-@@ -108,6 +108,7 @@ public:
+@@ -108,6 +108,8 @@ public:
      const OUString&     GetOrigURL() const;
  
      SfxItemSet  *       GetItemSet() const;
++    void SetArgs(const css::uno::Sequence<css::beans::PropertyValue>& rArgs);
 +    css::uno::Sequence<css::beans::PropertyValue> GetArgs() const;
      void                Close(bool bInDestruction = false);
      void                CloseAndRelease();
@@ -439,7 +449,7 @@ index bac941c2a377..382067d67813 100644
  
  #endif // INCLUDED_SC_SOURCE_UI_INC_IMOPTDLG_HXX
 diff --git a/sfx2/source/doc/docfile.cxx b/sfx2/source/doc/docfile.cxx
-index 5d00d39bd837..ccdd3632e6e5 100644
+index 5d00d39bd837..4e4e74a 100644
 --- a/sfx2/source/doc/docfile.cxx
 +++ b/sfx2/source/doc/docfile.cxx
 @@ -328,6 +328,8 @@ public:
@@ -455,14 +465,23 @@ index 5d00d39bd837..ccdd3632e6e5 100644
      SfxAllItemSet *pParams = new SfxAllItemSet( SfxGetpApp()->GetPool() );
      pImpl->m_pSet.reset( pParams );
      TransformParameters( SID_OPENDOC, aArgs, *pParams );
-+    pImpl->m_aArgs = aArgs;
++    SetArgs(aArgs);
  
      OUString aFilterProvider, aFilterName;
      {
-@@ -3301,6 +3304,7 @@ SfxMedium::SfxMedium( const uno::Sequence<beans::PropertyValue>& aArgs ) :
+@@ -3301,6 +3304,16 @@ SfxMedium::SfxMedium( const uno::Sequence<beans::PropertyValue>& aArgs ) :
      Init_Impl();
  }
  
++void SfxMedium::SetArgs(const uno::Sequence<beans::PropertyValue>& rArgs)
++{
++    pImpl->m_aArgs = rArgs;
++    comphelper::SequenceAsHashMap aArgsMap(rArgs);
++    aArgsMap.erase("Stream");
++    aArgsMap.erase("InputStream");
++    pImpl->m_aArgs = aArgsMap.getAsConstPropertyValueList();
++}
++
 +uno::Sequence<beans::PropertyValue> SfxMedium::GetArgs() const { return pImpl->m_aArgs; }
  
  SfxMedium::SfxMedium( const uno::Reference < embed::XStorage >& rStor, const OUString& rBaseURL, const std::shared_ptr<SfxItemSet>& p ) :

SOURCES/0001-set-Referer-on-loading-IFrames.patch

@@ -0,0 +1,93 @@
+From a7bc0ab5215734cb2bd4162cb5cdcc69fef23ef4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 11 Apr 2023 10:13:37 +0100
+Subject: [PATCH 1/3] set Referer on loading IFrames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+so tools, options, security, options,
+"block any links from document not..."
+applies to their contents.
+
+Change-Id: I04839aea6b07a4a76ac147a85045939ccd9c3c79
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150221
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150751
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit acff9ca0579333b45d10ae5f8cd48172f563dddd)
+(cherry picked from commit 04c8176fb40d2eb983aa0bd0a6ce65804d3f6ecd)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152094
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+
+(cherry picked from commit 789155b523b384df020d86228ac200a63a68b154)
+Conflicts:
+	sfx2/source/doc/iframe.cxx
+---
+ sfx2/source/doc/iframe.cxx | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index b5291b239164b..5a0ea96a234da 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -32,12 +32,14 @@
+ #include <com/sun/star/ui/dialogs/XExecutableDialog.hpp>
+ #include <com/sun/star/embed/XEmbeddedObject.hpp>
+ 
++#include <comphelper/propertyvalue.hxx>
+ #include <cppuhelper/implbase.hxx>
+ #include <cppuhelper/supportsservice.hxx>
+ #include <rtl/ref.hxx>
+ #include <svtools/miscopt.hxx>
+ #include <svl/ownlist.hxx>
+ #include <svl/itemprop.hxx>
++#include <sfx2/docfile.hxx>
+ #include <sfx2/frmdescr.hxx>
+ #include <sfx2/objsh.hxx>
+ #include <sfx2/sfxdlg.hxx>
+@@ -166,14 +168,19 @@ sal_Bool SAL_CALL IFrameObject::load(
+         uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+         xTrans->parseStrict( aTargetURL );
+ 
++        uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
++        SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
++
+         if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+         {
+-            uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+-            SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+             if (pDoc && !pDoc->AdjustMacroMode())
+                 return false;
+         }
+ 
++        OUString sReferer;
++        if (pDoc && pDoc->HasName())
++            sReferer = pDoc->GetMedium()->GetName();
++
+         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+@@ -196,12 +203,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+         if ( xFramesSupplier.is() )
+             mxFrame->setCreator( xFramesSupplier );
+ 
+-        uno::Sequence < beans::PropertyValue > aProps(2);
+-        aProps[0].Name = "PluginMode";
+-        aProps[0].Value <<= sal_Int16(2);
+-        aProps[1].Name = "ReadOnly";
+-        aProps[1].Value <<= true;
+-
++        uno::Sequence < beans::PropertyValue > aProps{
++            comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
++            comphelper::makePropertyValue("ReadOnly", true),
++            comphelper::makePropertyValue("Referer", sReferer)
++        };
+         uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
+         if ( xDisp.is() )
+             xDisp->dispatch( aTargetURL, aProps );
+-- 
+2.41.0
+

SOURCES/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch

@@ -0,0 +1,198 @@
+From 61f8673fb44150bd629d88f6626aff8d5b026449 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 21 Mar 2022 20:58:34 +0000
+Subject: [PATCH] make hash encoding match decoding
+
+Seeing as old versions of the hash may be in the users config, add a
+StorageVersion field to the office config Passwords section which
+defaults to 0 to indicate the old hash is in use.
+
+Try the old varient when StorageVersion is 0. When a new encoded master
+password it set write StorageVersion of 1 to indicate a new hash is in
+use and use the new style when StorageVersion is 1.
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132080
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit e890f54dbac57f3ab5acf4fbd31222095d3e8ab6)
+
+svl: fix crash if user cancels/closes master password dialog
+
+(regression from d7ba5614d90381d68f880ca7e7c5ef8bbb1b1c43)
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133932
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bbb8617ece6d946957c2eb96287081029bce530f)
+
+Change-Id: I3174c37a5891bfc849984e0ec5c2c392b9c6e7b1
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133905
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ .../schema/org/openoffice/Office/Common.xcs   |  6 +++
+ .../passwordcontainer/passwordcontainer.cxx   | 47 ++++++++++++++++++-
+ .../passwordcontainer/passwordcontainer.hxx   |  6 +++
+ uui/source/iahndl-authentication.cxx          |  5 +-
+ 4 files changed, 60 insertions(+), 4 deletions(-)
+
+diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+index b317f616deeb..b033b29b60d7 100644
+--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+@@ -911,6 +911,12 @@
+         </info>
+         <value>false</value>
+       </prop>
++      <prop oor:name="StorageVersion" oor:type="xs:int" oor:nillable="false">
++        <info>
++          <desc>Specifies what version of encoding scheme the password container uses.</desc>
++        </info>
++        <value>0</value>
++      </prop>
+       <prop oor:name="HasMaster" oor:type="xs:boolean" oor:nillable="false">
+         <info>
+           <desc>Specifies if there is a valid master password.</desc>
+diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
+index 02947cd3892c..ff0b40df4016 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.cxx
++++ b/svl/source/passwordcontainer/passwordcontainer.cxx
+@@ -17,6 +17,8 @@
+  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+  */
+ 
++#include <sal/config.h>
++#include <sal/log.hxx>
+ 
+ #include "passwordcontainer.hxx"
+ 
+@@ -259,6 +261,23 @@ bool StorageItem::useStorage()
+     return aResult;
+ }
+ 
++sal_Int32 StorageItem::getStorageVersion()
++{
++    Sequence<OUString> aNodeNames { "StorageVersion" };
++
++    Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
++
++    if( aPropertyValues.getLength() != aNodeNames.getLength() )
++    {
++        OSL_FAIL( "Problems during reading" );
++        return 0;
++    }
++
++    sal_Int32 nResult = 0;
++    aPropertyValues[0] >>= nResult;
++
++    return nResult;
++}
+ 
+ bool StorageItem::getEncodedMP( OUString& aResult )
+ {
+@@ -291,15 +310,17 @@ bool StorageItem::getEncodedMP( OUString& aResult )
+ 
+ void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
+ {
+-    Sequence< OUString > sendNames(2);
+-    Sequence< uno::Any > sendVals(2);
++    Sequence< OUString > sendNames(3);
++    Sequence< uno::Any > sendVals(3);
+ 
+     sendNames[0] = "HasMaster";
+     sendNames[1] = "Master";
++    sendNames[2] = "StorageVersion";
+ 
+     bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
+     sendVals[0] <<= bHasMaster;
+     sendVals[1] <<= aEncoded;
++    sendVals[2] <<= nCurrentStorageVersion;
+ 
+     ConfigItem::SetModified();
+     ConfigItem::PutProperties( sendNames, sendVals );
+@@ -800,6 +821,18 @@ OUString PasswordContainer::RequestPasswordFromUser( PasswordRequestMode aRMode,
+     return aResult;
+ }
+ 
++// Mangle the key to match an old bug
++static OUString ReencodeAsOldHash(const OUString& rPass)
++{
++    OUStringBuffer aBuffer;
++    for (int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ++ind)
++    {
++        unsigned char i = static_cast<char>(rPass.copy(ind * 2, 2).toUInt32(16));
++        aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
++        aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
++    }
++    return aBuffer.makeStringAndClear();
++}
+ 
+ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInteractionHandler >& aHandler )
+ {
+@@ -838,6 +871,9 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+                     }
+                     else
+                     {
++                        if (m_pStorageFile->getStorageVersion() == 0)
++                            aPass = ReencodeAsOldHash(aPass);
++
+                         std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
+                         if( aRM.empty() || aPass != aRM[0] )
+                         {
+@@ -1042,6 +1078,13 @@ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::R
+ 
+                 do {
+                     aPass = RequestPasswordFromUser( aRMode, xTmpHandler );
++
++
++                    if (!aPass.isEmpty() && m_pStorageFile->getStorageVersion() == 0)
++                    {
++                        aPass = ReencodeAsOldHash(aPass);
++                    }
++
+                     bResult = ( !aPass.isEmpty() && aPass == m_aMasterPasswd );
+                     aRMode = PasswordRequestMode_PASSWORD_REENTER; // further questions with error notification
+                 } while( !bResult && !aPass.isEmpty() );
+diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
+index 09fb7e03629d..cf5c717d0c9e 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.hxx
++++ b/svl/source/passwordcontainer/passwordcontainer.hxx
+@@ -167,6 +167,10 @@ public:
+ typedef ::std::pair< const OUString, ::std::vector< NamePassRecord > > PairUrlRecord;
+ typedef ::std::map< OUString, ::std::vector< NamePassRecord > > PassMap;
+ 
++// org.openoffice.Office.Common/Passwords/StorageVersion bump if details of
++// how password details are saved changes. Enables migration from previous
++// schemes.
++constexpr sal_Int32 nCurrentStorageVersion = 1;
+ 
+ class PasswordContainer;
+ 
+@@ -195,6 +199,8 @@ public:
+     void remove( const OUString& url, const OUString& rec );
+     void clear();
+ 
++    sal_Int32 getStorageVersion();
++
+     bool getEncodedMP( OUString& aResult );
+     void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
+     void setUseStorage( bool bUse );
+diff --git a/uui/source/iahndl-authentication.cxx b/uui/source/iahndl-authentication.cxx
+index 4835a485dd2a..5764e62cb1c6 100644
+--- a/uui/source/iahndl-authentication.cxx
++++ b/uui/source/iahndl-authentication.cxx
+@@ -436,8 +436,9 @@ executeMasterPasswordDialog(
+     OUStringBuffer aBuffer;
+     for (sal_uInt8 i : aKey)
+     {
+-        aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
+-        aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
++        // match PasswordContainer::DecodePasswords aMasterPasswd.copy(index * 2, 2).toUInt32(16));
++        aBuffer.append(OUString::number(i >> 4, 16));
++        aBuffer.append(OUString::number(i & 15, 16));
+     }
+     rInfo.SetPassword(aBuffer.makeStringAndClear());
+ }
+-- 
+2.37.1
+

SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch

@@ -0,0 +1,87 @@
+From 99b453dfac5ed44a02c6e1a51b871ee50709a405 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Sat, 4 Nov 2023 19:57:51 +0000
+Subject: [PATCH] warn about exotic protocols as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ sw/source/filter/html/htmlplug.cxx | 2 +-
+ sw/source/filter/xml/xmltexti.cxx  | 2 +-
+ tools/source/fsys/urlobj.cxx       | 3 ++-
+ xmloff/source/draw/ximpshap.cxx    | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index eb70704..112975f 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1089,7 +1089,7 @@ void SwHTMLParser::InsertFloatingFrame()
+ 
+                 OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index 72a14b9..e015575 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -856,7 +856,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+                 OUString sHRef = URIHelper::SmartRel2Abs(
+                             INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     GetXMLImport().NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL",
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index ab6e885..1ef2b7e 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4776,7 +4776,8 @@ bool INetURLObject::IsExoticProtocol() const
+     return m_eScheme == INetProtocol::Slot ||
+            m_eScheme == INetProtocol::Macro ||
+            m_eScheme == INetProtocol::Uno ||
+-           isSchemeEqualTo(u"vnd.sun.star.script");
++           isSchemeEqualTo(u"vnd.sun.star.script") ||
++           isSchemeEqualTo(u"service");
+ }
+ 
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index bd5f30a..b58da79 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3269,7 +3269,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+ 
+             if( !maHref.isEmpty() )
+             {
+-                if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(maHref).IsExoticProtocol())
+                     GetImport().NotifyMacroEventRead();
+ 
+                 xProps->setPropertyValue("FrameURL", Any(maHref) );
+-- 
+2.43.0
+

SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch

@@ -0,0 +1,82 @@
+From c0e926365dc7651dcb5eee48f50e6990523662ad Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Fri, 17 Feb 2023 12:03:54 +0100
+Subject: [PATCH 2/3] Stack check safety belt before fishing in muddy waters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have it hit hard in debug builds.
+
+Change-Id: I9ea54844a0661fd7a75616a2876983a74b2d5bad
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147205
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+(cherry picked from commit 9d91fbba6f374fa1c10b38eae003da89bd4e6d4b)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147245
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 166a07062dd4ffedca6106f439a6fcddaeee5eb5)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147391
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit f8efb098f2abbf054a15dcf7daaaacfa575685ae)
+---
+ sc/source/core/inc/interpre.hxx  | 12 ++++++++++++
+ sc/source/core/tool/interpr1.cxx |  4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/sc/source/core/inc/interpre.hxx b/sc/source/core/inc/interpre.hxx
+index 3b902524d901..c7d4527dbf57 100644
+--- a/sc/source/core/inc/interpre.hxx
++++ b/sc/source/core/inc/interpre.hxx
+@@ -235,6 +235,7 @@ private:
+     inline bool MustHaveParamCount( short nAct, short nMust );
+     inline bool MustHaveParamCount( short nAct, short nMust, short nMax );
+     inline bool MustHaveParamCountMin( short nAct, short nMin );
++    inline bool MustHaveParamCountMinWithStackCheck( short nAct, short nMin );
+     void PushParameterExpected();
+     void PushIllegalParameter();
+     void PushIllegalArgument();
+@@ -1086,6 +1087,17 @@ inline bool ScInterpreter::MustHaveParamCountMin( short nAct, short nMin )
+     return false;
+ }
+ 
++inline bool ScInterpreter::MustHaveParamCountMinWithStackCheck( short nAct, short nMin )
++{
++    assert(sp >= nAct);
++    if (sp < nAct)
++    {
++        PushParameterExpected();
++        return false;
++    }
++    return MustHaveParamCountMin( nAct, nMin);
++}
++
+ inline bool ScInterpreter::CheckStringPositionArgument( double & fVal )
+ {
+     if (!rtl::math::isFinite( fVal))
+diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
+index e375f1626ec5..4b093cb62d4f 100644
+--- a/sc/source/core/tool/interpr1.cxx
++++ b/sc/source/core/tool/interpr1.cxx
+@@ -7524,7 +7524,7 @@ void ScInterpreter::ScVLookup()
+ void ScInterpreter::ScSubTotal()
+ {
+     sal_uInt8 nParamCount = GetByte();
+-    if ( MustHaveParamCountMin( nParamCount, 2 ) )
++    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 2 ) )
+     {
+         // We must fish the 1st parameter deep from the stack! And push it on top.
+         const FormulaToken* p = pStack[ sp - nParamCount ];
+@@ -7571,7 +7571,7 @@ void ScInterpreter::ScSubTotal()
+ void ScInterpreter::ScAggregate()
+ {
+     sal_uInt8 nParamCount = GetByte();
+-    if ( MustHaveParamCountMin( nParamCount, 3 ) )
++    if ( MustHaveParamCountMinWithStackCheck( nParamCount, 3 ) )
+     {
+         // fish the 1st parameter from the stack and push it on top.
+         const FormulaToken* p = pStack[ sp - nParamCount ];
+-- 
+2.41.0
+

SOURCES/0002-put-floating-frames-under-managed-links-control.patch

@@ -0,0 +1,907 @@
+From 0ea515e760325b3d9f33824e917d0d549f4509e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 13 Apr 2023 11:31:17 +0100
+Subject: [PATCH 2/3] put floating frames under managed links control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+like we do for sections and ole objects that link to their content
+
+individual commits in trunk are:
+
+extract a OCommonEmbeddedObject::SetInplaceActiveState for reuse
+
+no behaviour change intended
+
+Change-Id: Ia1d12aa5c9afdc1347f6d4364bc6a0b7f41ee168
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150341
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 183e34a3f8c429c0698951e24c17844e416a3825)
+
+use parent window as dialog parent
+
+it makes no odds, but is more convenient for upcoming modification
+
+Change-Id: Ibc5333b137d2da089b3b701ff615c6ddf43063d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150342
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit f93edf343658abd489bde3639d2ffaefd50c0f99)
+
+adjust IFrameObject so it could reuse mxFrame for a reload of content
+
+Change-Id: I7eec3132a23faafd9a2878215a0a117a67bc9bf2
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150343
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 3a727d26fd9eb6fa140bc3f5cadf3db079d42206)
+
+query getUserAllowsLinkUpdate for the case of content in a floating frame
+
+similarly to how it works for the more common "normal" embedded objects
+
+Change-Id: I83e38dfa2f84907c2de9680e91f779d34864a9ad
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149971
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 52aa46468531918eabfa2031dedf50377ae72cf7)
+
+add a route to get writer Floating Frame links under 'manage links'
+
+Change-Id: If90ff71d6a96342574799312f764badaf97980eb
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150349
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 8b8a2844addbd262befb1a2d193dfb590dfa20be)
+
+allow SvxOle2Shape::resetModifiedState to survive having no SdrObject
+
+Change-Id: Iea059262c124e3f44249e49b4189732310d28156
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150538
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 02379929bd0e1d1676635f0ca1920422702ebb7c)
+
+create the FloatingFrameShape in a separate step to inserting it
+
+this is derived from the path taken by the AddShape(const OUString&)
+function for this case. No change in behavior is intended.
+
+Change-Id: Id09ae0c65a55a37743ad7c184070fb8dd97d8a7f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150526
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit bafec47847a0b9697b3bbe9358e53f8118af3024)
+
+add a route to get calc Floating Frame links under 'manage links'
+
+much harder than writer because the organization and ordering
+of properties and object activation etc is different.
+
+This ended up ugly, but functions.
+
+We set FrameURL before AddShape, we have to do it again later because it
+gets cleared when the SdrOle2Obj is attached to the XShape.  But we want
+FrameURL to exist when AddShape triggers SetPersistName which itself
+triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to
+know what URL will end up being used. So bodge this by setting FrameURL
+to the temp pre-SdrOle2Obj attached properties and we can smuggle it
+eventually into SdrOle2Obj::SetPersistName at the right point after
+PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called
+in order to inform the link manager that this is an IFrame that links to
+a URL
+
+Change-Id: I67fc199fef9e67fa12ca7873f0fe12137aa16d8f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150539
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 07179a5a5bd00f34acfa8a3f260dd834ae003c63)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150755
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit b91ea614c0b753ab3d378acd0e2db8262e9dbd72)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151107
+Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+
+(cherry picked from commit 8b35b17ffaab23d72ddec2d9f41be0e30fcaa6c4)
+Conflicts:
+	embeddedobj/source/commonembedding/specialobject.cxx
+	embeddedobj/source/inc/specialobject.hxx
+	include/svx/svdoole2.hxx
+	sfx2/source/doc/iframe.cxx
+	svx/source/svdraw/svdoole2.cxx
+	sw/source/core/ole/ndole.cxx
+	xmloff/source/draw/ximpshap.cxx
+---
+ .../source/commonembedding/embedobj.cxx       |  60 +++++-----
+ .../source/commonembedding/specialobject.cxx  |   9 ++
+ embeddedobj/source/inc/commonembobj.hxx       |   3 +
+ embeddedobj/source/inc/specialobject.hxx      |   6 +
+ include/svx/svdoole2.hxx                      |  17 ++-
+ include/svx/unoshape.hxx                      |   2 +
+ sc/source/ui/docshell/documentlinkmgr.cxx     |   9 +-
+ sfx2/source/doc/iframe.cxx                    |  55 +++++----
+ svx/source/svdraw/svdoole2.cxx                | 104 ++++++++++++++----
+ svx/source/unodraw/shapeimpl.hxx              |   5 +
+ svx/source/unodraw/unoshap4.cxx               |  23 +++-
+ sw/inc/ndole.hxx                              |   4 +-
+ sw/source/core/ole/ndole.cxx                  |  89 ++++++++++++--
+ xmloff/source/draw/ximpshap.cxx               |  29 ++++-
+ xmloff/source/draw/ximpshap.hxx               |   2 +
+ 15 files changed, 335 insertions(+), 90 deletions(-)
+
+diff --git a/embeddedobj/source/commonembedding/embedobj.cxx b/embeddedobj/source/commonembedding/embedobj.cxx
+index e6e5bec2a3160..b402dff22042a 100644
+--- a/embeddedobj/source/commonembedding/embedobj.cxx
++++ b/embeddedobj/source/commonembedding/embedobj.cxx
+@@ -155,6 +155,37 @@ void OCommonEmbeddedObject::StateChangeNotification_Impl( bool bBeforeChange, sa
+     }
+ }
+ 
++void OCommonEmbeddedObject::SetInplaceActiveState()
++{
++    if ( !m_xClientSite.is() )
++        throw embed::WrongStateException( "client site not set, yet", *this );
++
++    uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY );
++    if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() )
++        throw embed::WrongStateException(); //TODO: can't activate inplace
++    xInplaceClient->activatingInplace();
++
++    uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW );
++
++    m_xClientWindow = xClientWindowSupplier->getWindow();
++    m_aOwnRectangle = xInplaceClient->getPlacement();
++    m_aClipRectangle = xInplaceClient->getClipRectangle();
++    awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle );
++
++    // create own window based on the client window
++    // place and resize the window according to the rectangles
++    uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW );
++
++    // dispatch provider may not be provided
++    uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider();
++    bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP );
++    m_nObjectState = embed::EmbedStates::INPLACE_ACTIVE;
++    if ( !bOk )
++    {
++        SwitchStateTo_Impl( embed::EmbedStates::RUNNING );
++        throw embed::WrongStateException(); //TODO: can't activate inplace
++    }
++}
+ 
+ void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState )
+ {
+@@ -228,34 +259,7 @@ void OCommonEmbeddedObject::SwitchStateTo_Impl( sal_Int32 nNextState )
+         {
+             if ( nNextState == embed::EmbedStates::INPLACE_ACTIVE )
+             {
+-                if ( !m_xClientSite.is() )
+-                    throw embed::WrongStateException( "client site not set, yet", *this );
+-
+-                uno::Reference< embed::XInplaceClient > xInplaceClient( m_xClientSite, uno::UNO_QUERY );
+-                if ( !xInplaceClient.is() || !xInplaceClient->canInplaceActivate() )
+-                    throw embed::WrongStateException(); //TODO: can't activate inplace
+-                xInplaceClient->activatingInplace();
+-
+-                uno::Reference< embed::XWindowSupplier > xClientWindowSupplier( xInplaceClient, uno::UNO_QUERY_THROW );
+-
+-                m_xClientWindow = xClientWindowSupplier->getWindow();
+-                m_aOwnRectangle = xInplaceClient->getPlacement();
+-                m_aClipRectangle = xInplaceClient->getClipRectangle();
+-                awt::Rectangle aRectangleToShow = GetRectangleInterception( m_aOwnRectangle, m_aClipRectangle );
+-
+-                // create own window based on the client window
+-                // place and resize the window according to the rectangles
+-                uno::Reference< awt::XWindowPeer > xClientWindowPeer( m_xClientWindow, uno::UNO_QUERY_THROW );
+-
+-                // dispatch provider may not be provided
+-                uno::Reference< frame::XDispatchProvider > xContainerDP = xInplaceClient->getInplaceDispatchProvider();
+-                bool bOk = m_xDocHolder->ShowInplace( xClientWindowPeer, aRectangleToShow, xContainerDP );
+-                m_nObjectState = nNextState;
+-                if ( !bOk )
+-                {
+-                    SwitchStateTo_Impl( embed::EmbedStates::RUNNING );
+-                    throw embed::WrongStateException(); //TODO: can't activate inplace
+-                }
++                SetInplaceActiveState();
+             }
+             else if ( nNextState == embed::EmbedStates::ACTIVE )
+             {
+diff --git a/embeddedobj/source/commonembedding/specialobject.cxx b/embeddedobj/source/commonembedding/specialobject.cxx
+index 683fe0aab3f25..c17a39accf2c7 100644
+--- a/embeddedobj/source/commonembedding/specialobject.cxx
++++ b/embeddedobj/source/commonembedding/specialobject.cxx
+@@ -47,6 +47,7 @@ uno::Any SAL_CALL OSpecialEmbeddedObject::queryInterface( const uno::Type& rType
+     uno::Any aReturn = ::cppu::queryInterface( rType,
+                                         static_cast< embed::XEmbeddedObject* >( this ),
+                                         static_cast< embed::XInplaceObject* >( this ),
++                                        static_cast< embed::XCommonEmbedPersist* >( static_cast< embed::XEmbedPersist* >( this ) ),
+                                         static_cast< embed::XVisualObject* >( this ),
+                                         static_cast< embed::XClassifiedObject* >( this ),
+                                         static_cast< embed::XComponentSupplier* >( this ),
+@@ -160,4 +161,12 @@ void SAL_CALL OSpecialEmbeddedObject::doVerb( sal_Int32 nVerbID )
+         OCommonEmbeddedObject::doVerb( nVerbID );
+ }
+ 
++void SAL_CALL OSpecialEmbeddedObject::reload(
++                const uno::Sequence< beans::PropertyValue >&,
++                const uno::Sequence< beans::PropertyValue >&)
++{
++    // Allow IFrames to reload their content
++    SetInplaceActiveState();
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/embeddedobj/source/inc/commonembobj.hxx b/embeddedobj/source/inc/commonembobj.hxx
+index b2c9acd9ec1e7..73282a00deac4 100644
+--- a/embeddedobj/source/inc/commonembobj.hxx
++++ b/embeddedobj/source/inc/commonembobj.hxx
+@@ -226,6 +226,9 @@ private:
+                     const css::uno::Sequence< css::beans::PropertyValue >& lArguments,
+                     const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs );
+ 
++protected:
++    void SetInplaceActiveState();
++
+ public:
+     OCommonEmbeddedObject(
+         const css::uno::Reference< css::uno::XComponentContext >& rxContext,
+diff --git a/embeddedobj/source/inc/specialobject.hxx b/embeddedobj/source/inc/specialobject.hxx
+index 32ad61a7a5828..ce5c01b35ae7f 100644
+--- a/embeddedobj/source/inc/specialobject.hxx
++++ b/embeddedobj/source/inc/specialobject.hxx
+@@ -48,6 +48,12 @@ public:
+     virtual void SAL_CALL changeState( sal_Int32 nNewState ) override;
+ 
+     virtual void SAL_CALL doVerb( sal_Int32 nVerbID ) override;
++
++// XCommonEmbedPersist
++
++    virtual void SAL_CALL reload(
++                const css::uno::Sequence< css::beans::PropertyValue >& lArguments,
++                const css::uno::Sequence< css::beans::PropertyValue >& lObjArgs ) override;
+ };
+ 
+ #endif
+diff --git a/include/svx/svdoole2.hxx b/include/svx/svdoole2.hxx
+index b192a438bc190..da5f094ab1553 100644
+--- a/include/svx/svdoole2.hxx
++++ b/include/svx/svdoole2.hxx
+@@ -42,6 +42,7 @@ namespace frame { class XModel; }
+ namespace svt { class EmbeddedObjectRef; }
+ 
+ class SdrOle2ObjImpl;
++class SvxOle2Shape;
+ 
+ class SVX_DLLPUBLIC SdrOle2Obj : public SdrRectObj
+ {
+@@ -49,7 +50,7 @@ private:
+     std::unique_ptr<SdrOle2ObjImpl> mpImpl;
+ 
+ private:
+-    SVX_DLLPRIVATE void Connect_Impl();
++    SVX_DLLPRIVATE void Connect_Impl(SvxOle2Shape* pCreator = nullptr);
+     SVX_DLLPRIVATE void Disconnect_Impl();
+     SVX_DLLPRIVATE void AddListeners_Impl();
+     SVX_DLLPRIVATE void RemoveListeners_Impl();
+@@ -105,7 +106,7 @@ public:
+     // OLE object has got a separate PersistName member now;
+     // !!! use ::SetPersistName( ... ) only, if you know what you do !!!
+     const OUString& GetPersistName() const;
+-    void        SetPersistName( const OUString& rPersistName );
++    void        SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator = nullptr );
+ 
+     // One can add an application name to a SdrOle2Obj, which can be queried for
+     // later on (SD needs this for presentation objects).
+@@ -153,7 +154,7 @@ public:
+                                          sal_Int64 nAspect );
+     static bool Unload( const css::uno::Reference< css::embed::XEmbeddedObject >& xObj, sal_Int64 nAspect );
+     bool Unload();
+-    void Connect();
++    void Connect(SvxOle2Shape* pCreator = nullptr);
+     void Disconnect();
+     void ObjectLoaded();
+ 
+@@ -200,6 +201,16 @@ public:
+     void                Connect() { GetRealObject(); }
+ };
+ 
++class SVX_DLLPUBLIC SdrIFrameLink final : public sfx2::SvBaseLink
++{
++    SdrOle2Obj* m_pObject;
++
++public:
++    explicit SdrIFrameLink(SdrOle2Obj* pObject);
++    virtual ::sfx2::SvBaseLink::UpdateResult DataChanged(
++        const OUString& rMimeType, const css::uno::Any & rValue ) override;
++};
++
+ #endif // INCLUDED_SVX_SVDOOLE2_HXX
+ 
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/include/svx/unoshape.hxx b/include/svx/unoshape.hxx
+index 0b48d1e433d6e..712552a55281a 100644
+--- a/include/svx/unoshape.hxx
++++ b/include/svx/unoshape.hxx
+@@ -597,6 +597,8 @@ public:
+     bool createObject( const SvGlobalName &aClassName );
+ 
+     void createLink( const OUString& aLinkURL );
++
++    virtual OUString GetAndClearInitialFrameURL();
+ };
+ 
+ 
+diff --git a/sc/source/ui/docshell/documentlinkmgr.cxx b/sc/source/ui/docshell/documentlinkmgr.cxx
+index cb3467c8bb691..8ea3c2cce5fb4 100644
+--- a/sc/source/ui/docshell/documentlinkmgr.cxx
++++ b/sc/source/ui/docshell/documentlinkmgr.cxx
+@@ -142,7 +142,7 @@ bool DocumentLinkManager::hasDdeOrOleOrWebServiceLinks(bool bDde, bool bOle, boo
+         sfx2::SvBaseLink* pBase = rLink.get();
+         if (bDde && dynamic_cast<ScDdeLink*>(pBase))
+             return true;
+-        if (bOle && dynamic_cast<SdrEmbedObjectLink*>(pBase))
++        if (bOle && (dynamic_cast<SdrEmbedObjectLink*>(pBase) || dynamic_cast<SdrIFrameLink*>(pBase)))
+             return true;
+         if (bWebService && dynamic_cast<ScWebServiceLink*>(pBase))
+             return true;
+@@ -173,6 +173,13 @@ bool DocumentLinkManager::updateDdeOrOleOrWebServiceLinks(weld::Window* pWin)
+             continue;
+         }
+ 
++        SdrIFrameLink* pIFrameLink = dynamic_cast<SdrIFrameLink*>(pBase);
++        if (pIFrameLink)
++        {
++            pIFrameLink->Update();
++            continue;
++        }
++
+         ScWebServiceLink* pWebserviceLink = dynamic_cast<ScWebServiceLink*>(pBase);
+         if (pWebserviceLink)
+         {
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 5a0ea96a234da..fce6cb48ea08f 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -177,31 +177,46 @@ sal_Bool SAL_CALL IFrameObject::load(
+                 return false;
+         }
+ 
++        bool bUpdateAllowed(true);
++        if (pDoc)
++        {
++            // perhaps should only check for file targets, but lets default to making it strong
++            // unless there is a known need to distinguish
++            comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer();
++            bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate();
++        }
++        if (!bUpdateAllowed)
++            return false;
++
+         OUString sReferer;
+         if (pDoc && pDoc->HasName())
+             sReferer = pDoc->GetMedium()->GetName();
+ 
+-        DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+-        VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+-        VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+-        pWin->SetSizePixel( pParent->GetOutputSizePixel() );
+-        pWin->SetBackground();
+-        pWin->Show();
+-
+-        uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY );
+-        xFrame->setComponent( xWindow, uno::Reference < frame::XController >() );
++        uno::Reference<css::awt::XWindow> xParentWindow(xFrame->getContainerWindow());
+ 
+-        // we must destroy the IFrame before the parent is destroyed
+-        xWindow->addEventListener( this );
+-
+-        mxFrame = frame::Frame::create( mxContext );
+-        uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY );
+-        mxFrame->initialize( xWin );
+-        mxFrame->setName( maFrmDescr.GetName() );
+-
+-        uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY );
+-        if ( xFramesSupplier.is() )
+-            mxFrame->setCreator( xFramesSupplier );
++        if (!mxFrame.is())
++        {
++            VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow(xParentWindow);
++            VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
++            pWin->SetSizePixel( pParent->GetOutputSizePixel() );
++            pWin->SetBackground();
++            pWin->Show();
++
++            uno::Reference < awt::XWindow > xWindow( pWin->GetComponentInterface(), uno::UNO_QUERY );
++            xFrame->setComponent( xWindow, uno::Reference < frame::XController >() );
++
++            // we must destroy the IFrame before the parent is destroyed
++            xWindow->addEventListener( this );
++
++            mxFrame = frame::Frame::create( mxContext );
++            uno::Reference < awt::XWindow > xWin( pWin->GetComponentInterface(), uno::UNO_QUERY );
++            mxFrame->initialize( xWin );
++            mxFrame->setName( maFrmDescr.GetName() );
++
++            uno::Reference < frame::XFramesSupplier > xFramesSupplier( xFrame, uno::UNO_QUERY );
++            if ( xFramesSupplier.is() )
++                mxFrame->setCreator( xFramesSupplier );
++        }
+ 
+         uno::Sequence < beans::PropertyValue > aProps{
+             comphelper::makePropertyValue("PluginMode", sal_Int16(2)),
+diff --git a/svx/source/svdraw/svdoole2.cxx b/svx/source/svdraw/svdoole2.cxx
+index 16617ecaf94fe..dc5f74811723d 100644
+--- a/svx/source/svdraw/svdoole2.cxx
++++ b/svx/source/svdraw/svdoole2.cxx
+@@ -78,6 +78,7 @@
+ #include <sdr/contact/viewcontactofsdrole2obj.hxx>
+ #include <svx/svdograf.hxx>
+ #include <sdr/properties/oleproperties.hxx>
++#include <svx/unoshape.hxx>
+ #include <svx/xlineit0.hxx>
+ #include <svx/xlnclit.hxx>
+ #include <svx/xbtmpit.hxx>
+@@ -598,6 +599,35 @@ void SdrEmbedObjectLink::Closed()
+     SvBaseLink::Closed();
+ }
+ 
++SdrIFrameLink::SdrIFrameLink(SdrOle2Obj* pObject)
++    : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB)
++    , m_pObject(pObject)
++{
++    SetSynchron( false );
++}
++
++::sfx2::SvBaseLink::UpdateResult SdrIFrameLink::DataChanged(
++    const OUString&, const uno::Any& )
++{
++    uno::Reference<embed::XEmbeddedObject> xObject = m_pObject->GetObjRef();
++    uno::Reference<embed::XCommonEmbedPersist> xPersObj(xObject, uno::UNO_QUERY);
++    if (xPersObj.is())
++    {
++        // let the IFrameObject reload the link
++        try
++        {
++            xPersObj->reload(uno::Sequence<beans::PropertyValue>(), uno::Sequence<beans::PropertyValue>());
++        }
++        catch (const uno::Exception&)
++        {
++        }
++
++        m_pObject->SetChanged();
++    }
++
++    return SUCCESS;
++}
++
+ class SdrOle2ObjImpl
+ {
+ public:
+@@ -615,7 +645,7 @@ public:
+     bool mbLoadingOLEObjectFailed:1; // New local var to avoid repeated loading if load of OLE2 fails
+     bool mbConnected:1;
+ 
+-    SdrEmbedObjectLink* mpObjectLink;
++    sfx2::SvBaseLink* mpObjectLink;
+     OUString maLinkURL;
+ 
+     rtl::Reference<SvxUnoShapeModifyListener> mxModifyListener;
+@@ -815,7 +845,7 @@ bool SdrOle2Obj::IsEmpty() const
+     return !mpImpl->mxObjRef.is();
+ }
+ 
+-void SdrOle2Obj::Connect()
++void SdrOle2Obj::Connect(SvxOle2Shape* pCreator)
+ {
+     if( IsEmptyPresObj() )
+         return;
+@@ -828,7 +858,7 @@ void SdrOle2Obj::Connect()
+         return;
+     }
+ 
+-    Connect_Impl();
++    Connect_Impl(pCreator);
+     AddListeners_Impl();
+ }
+ 
+@@ -927,24 +957,51 @@ void SdrOle2Obj::CheckFileLink_Impl()
+     {
+         try
+         {
+-            uno::Reference< embed::XLinkageSupport > xLinkSupport( mpImpl->mxObjRef.GetObject(), uno::UNO_QUERY );
++            uno::Reference<embed::XEmbeddedObject> xObject = mpImpl->mxObjRef.GetObject();
++            if (!xObject)
++                return;
+ 
+-            if ( xLinkSupport.is() && xLinkSupport->isLink() )
+-            {
+-                OUString aLinkURL = xLinkSupport->getLinkURL();
++            bool bIFrame = false;
+ 
+-                if ( !aLinkURL.isEmpty() )
++            OUString aLinkURL;
++            uno::Reference<embed::XLinkageSupport> xLinkSupport(xObject, uno::UNO_QUERY);
++            if (xLinkSupport)
++            {
++                if (xLinkSupport->isLink())
++                    aLinkURL = xLinkSupport->getLinkURL();
++            }
++            else
++            {
++                // get IFrame (Floating Frames) listed and updatable from the
++                // manage links dialog
++                SvGlobalName aClassId(xObject->getClassID());
++                if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID))
+                 {
+-                    // this is a file link so the model link manager should handle it
+-                    sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager());
++                    uno::Reference<beans::XPropertySet> xSet(xObject->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->getPropertyValue("FrameURL") >>= aLinkURL;
++                    bIFrame = true;
++                }
++            }
++
++            if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it
++            {
++                sfx2::LinkManager* pLinkManager(getSdrModelFromSdrObject().GetLinkManager());
+ 
+-                    if ( pLinkManager )
++                if ( pLinkManager )
++                {
++                    SdrEmbedObjectLink* pEmbedObjectLink = nullptr;
++                    if (!bIFrame)
+                     {
+-                        mpImpl->mpObjectLink = new SdrEmbedObjectLink( this );
+-                        mpImpl->maLinkURL = aLinkURL;
+-                        pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
+-                        mpImpl->mpObjectLink->Connect();
++                        pEmbedObjectLink = new SdrEmbedObjectLink(this);
++                        mpImpl->mpObjectLink = pEmbedObjectLink;
+                     }
++                    else
++                        mpImpl->mpObjectLink = new SdrIFrameLink(this);
++                    mpImpl->maLinkURL = aLinkURL;
++                    pLinkManager->InsertFileLink( *mpImpl->mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
++                    if (pEmbedObjectLink)
++                        pEmbedObjectLink->Connect();
+                 }
+             }
+         }
+@@ -955,7 +1012,7 @@ void SdrOle2Obj::CheckFileLink_Impl()
+     }
+ }
+ 
+-void SdrOle2Obj::Connect_Impl()
++void SdrOle2Obj::Connect_Impl(SvxOle2Shape* pCreator)
+ {
+     if(!mpImpl->aPersistName.isEmpty() )
+     {
+@@ -995,6 +1052,17 @@ void SdrOle2Obj::Connect_Impl()
+                 }
+             }
+ 
++            if (pCreator)
++            {
++                OUString sFrameURL(pCreator->GetAndClearInitialFrameURL());
++                if (!sFrameURL.isEmpty() && svt::EmbeddedObjectRef::TryRunningState(mpImpl->mxObjRef.GetObject()))
++                {
++                    uno::Reference<beans::XPropertySet> xSet(mpImpl->mxObjRef->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->setPropertyValue("FrameURL", uno::Any(sFrameURL));
++                }
++            }
++
+             if ( mpImpl->mxObjRef.is() )
+             {
+                 if ( !mpImpl->mxLightClient.is() )
+@@ -1308,14 +1376,14 @@ SdrObjectUniquePtr SdrOle2Obj::getFullDragClone() const
+     return createSdrGrafObjReplacement(false);
+ }
+ 
+-void SdrOle2Obj::SetPersistName( const OUString& rPersistName )
++void SdrOle2Obj::SetPersistName( const OUString& rPersistName, SvxOle2Shape* pCreator )
+ {
+     DBG_ASSERT( mpImpl->aPersistName.isEmpty(), "Persist name changed!");
+ 
+     mpImpl->aPersistName = rPersistName;
+     mpImpl->mbLoadingOLEObjectFailed = false;
+ 
+-    Connect();
++    Connect(pCreator);
+     SetChanged();
+ }
+ 
+diff --git a/svx/source/unodraw/shapeimpl.hxx b/svx/source/unodraw/shapeimpl.hxx
+index a1a4e69630206..4381094d380a3 100644
+--- a/svx/source/unodraw/shapeimpl.hxx
++++ b/svx/source/unodraw/shapeimpl.hxx
+@@ -64,8 +64,11 @@ public:
+ 
+     virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override;
+ };
++
+ class SvxFrameShape : public SvxOle2Shape
+ {
++private:
++    OUString m_sInitialFrameURL;
+ protected:
+     // override these for special property handling in subcasses. Return true if property is handled
+     virtual bool setPropertyValueImpl( const OUString& rName, const SfxItemPropertySimpleEntry* pProperty, const css::uno::Any& rValue ) override;
+@@ -82,6 +85,8 @@ public:
+     virtual void SAL_CALL setPropertyValues( const css::uno::Sequence< OUString >& aPropertyNames, const css::uno::Sequence< css::uno::Any >& aValues ) override;
+ 
+     virtual void Create( SdrObject* pNewOpj, SvxDrawPage* pNewPage ) override;
++
++    virtual OUString GetAndClearInitialFrameURL() override;
+ };
+ 
+ 
+diff --git a/svx/source/unodraw/unoshap4.cxx b/svx/source/unodraw/unoshap4.cxx
+index f7629f3388587..6dc18d6cf9e48 100644
+--- a/svx/source/unodraw/unoshap4.cxx
++++ b/svx/source/unodraw/unoshap4.cxx
+@@ -180,7 +180,7 @@ bool SvxOle2Shape::setPropertyValueImpl( const OUString& rName, const SfxItemPro
+ #else
+             pOle = static_cast<SdrOle2Obj*>(GetSdrObject());
+ #endif
+-            pOle->SetPersistName( aPersistName );
++            pOle->SetPersistName( aPersistName, this );
+             return true;
+         }
+         break;
+@@ -501,10 +501,11 @@ void SvxOle2Shape::createLink( const OUString& aLinkURL )
+ 
+ void SvxOle2Shape::resetModifiedState()
+ {
+-    ::comphelper::IEmbeddedHelper* pPersist = GetSdrObject()->getSdrModelFromSdrObject().GetPersist();
++    SdrObject* pObject = GetSdrObject();
++    ::comphelper::IEmbeddedHelper* pPersist = pObject ? pObject->getSdrModelFromSdrObject().GetPersist() : nullptr;
+     if( pPersist && !pPersist->isEnableSetModified() )
+     {
+-        SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >( GetSdrObject() );
++        SdrOle2Obj* pOle = dynamic_cast< SdrOle2Obj* >(pObject);
+         if( pOle && !pOle->IsEmpty() )
+         {
+             uno::Reference < util::XModifiable > xMod( pOle->GetObjRef(), uno::UNO_QUERY );
+@@ -554,6 +555,11 @@ SvGlobalName SvxOle2Shape::GetClassName_Impl(OUString& rHexCLSID)
+     return aClassName;
+ }
+ 
++OUString SvxOle2Shape::GetAndClearInitialFrameURL()
++{
++    return OUString();
++}
++
+ SvxAppletShape::SvxAppletShape(SdrObject* pObject)
+     : SvxOle2Shape( pObject, getSvxMapProvider().GetMap(SVXMAP_APPLET), getSvxMapProvider().GetPropertySet(SVXMAP_APPLET, SdrObject::GetGlobalDrawObjectItemPool())  )
+ {
+@@ -707,8 +713,19 @@ SvxFrameShape::~SvxFrameShape() throw()
+ {
+ }
+ 
++OUString SvxFrameShape::GetAndClearInitialFrameURL()
++{
++    OUString sRet(m_sInitialFrameURL);
++    m_sInitialFrameURL.clear();
++    return sRet;
++}
++
+ void SvxFrameShape::Create( SdrObject* pNewObj, SvxDrawPage* pNewPage )
+ {
++    uno::Reference<beans::XPropertySet> xSet(static_cast<OWeakObject *>(this), uno::UNO_QUERY);
++    if (xSet)
++        xSet->getPropertyValue("FrameURL") >>= m_sInitialFrameURL;
++
+     SvxShape::Create( pNewObj, pNewPage );
+     const SvGlobalName aIFrameClassId( SO3_IFRAME_CLASSID );
+     createObject(aIFrameClassId);
+diff --git a/sw/inc/ndole.hxx b/sw/inc/ndole.hxx
+index 852fffd84e3d7..a2d9749420970 100644
+--- a/sw/inc/ndole.hxx
++++ b/sw/inc/ndole.hxx
+@@ -28,7 +28,7 @@ class SwGrfFormatColl;
+ class SwDoc;
+ class SwOLENode;
+ class SwOLEListener_Impl;
+-class SwEmbedObjectLink;
++namespace sfx2 { class SvBaseLink; }
+ class DeflateData;
+ 
+ class SW_DLLPUBLIC SwOLEObj
+@@ -90,7 +90,7 @@ class SW_DLLPUBLIC SwOLENode: public SwNoTextNode
+     bool   mbOLESizeInvalid; /**< Should be considered at SwDoc::PrtOLENotify
+                                    (e.g. copied). Is not persistent. */
+ 
+-    SwEmbedObjectLink*  mpObjectLink;
++    sfx2::SvBaseLink*  mpObjectLink;
+     OUString maLinkURL;
+ 
+     SwOLENode(  const SwNodeIndex &rWhere,
+diff --git a/sw/source/core/ole/ndole.cxx b/sw/source/core/ole/ndole.cxx
+index 9000d6ef1b9ee..7501fcdd09d7a 100644
+--- a/sw/source/core/ole/ndole.cxx
++++ b/sw/source/core/ole/ndole.cxx
+@@ -147,6 +147,8 @@ void SAL_CALL SwOLEListener_Impl::disposing( const lang::EventObject& )
+ // TODO/LATER: actually SwEmbedObjectLink should be used here, but because different objects are used to control
+ //             embedded object different link objects with the same functionality had to be implemented
+ 
++namespace {
++
+ class SwEmbedObjectLink : public sfx2::SvBaseLink
+ {
+     SwOLENode*          pOleNode;
+@@ -209,6 +211,44 @@ void SwEmbedObjectLink::Closed()
+     SvBaseLink::Closed();
+ }
+ 
++class SwIFrameLink : public sfx2::SvBaseLink
++{
++    SwOLENode* m_pOleNode;
++
++public:
++    explicit SwIFrameLink(SwOLENode* pNode)
++        : ::sfx2::SvBaseLink(::SfxLinkUpdateMode::ONCALL, SotClipboardFormatId::SVXB)
++        , m_pOleNode(pNode)
++    {
++        SetSynchron( false );
++    }
++
++    ::sfx2::SvBaseLink::UpdateResult DataChanged(
++        const OUString&, const uno::Any& )
++    {
++        uno::Reference<embed::XEmbeddedObject> xObject = m_pOleNode->GetOLEObj().GetOleRef();
++        uno::Reference<embed::XCommonEmbedPersist> xPersObj(xObject, uno::UNO_QUERY);
++        if (xPersObj.is())
++        {
++            // let the IFrameObject reload the link
++            try
++            {
++                xPersObj->reload(uno::Sequence<beans::PropertyValue>(), uno::Sequence<beans::PropertyValue>());
++            }
++            catch (const uno::Exception&)
++            {
++            }
++
++            m_pOleNode->SetChanged();
++        }
++
++        return SUCCESS;
++    }
++
++};
++
++}
++
+ SwOLENode::SwOLENode( const SwNodeIndex &rWhere,
+                     const svt::EmbeddedObjectRef& xObj,
+                     SwGrfFormatColl *pGrfColl,
+@@ -606,18 +646,49 @@ void SwOLENode::CheckFileLink_Impl()
+     {
+         try
+         {
+-            uno::Reference< embed::XLinkageSupport > xLinkSupport( maOLEObj.m_xOLERef.GetObject(), uno::UNO_QUERY_THROW );
+-            if ( xLinkSupport->isLink() )
++            uno::Reference<embed::XEmbeddedObject> xObject = maOLEObj.m_xOLERef.GetObject();
++            if (!xObject)
++                return;
++
++            bool bIFrame = false;
++
++            OUString aLinkURL;
++            uno::Reference<embed::XLinkageSupport> xLinkSupport(xObject, uno::UNO_QUERY);
++            if (xLinkSupport)
++            {
++                if (xLinkSupport->isLink())
++                    aLinkURL = xLinkSupport->getLinkURL();
++            }
++            else
+             {
+-                const OUString aLinkURL = xLinkSupport->getLinkURL();
+-                if ( !aLinkURL.isEmpty() )
++                // get IFrame (Floating Frames) listed and updatable from the
++                // manage links dialog
++                SvGlobalName aClassId(xObject->getClassID());
++                if (aClassId == SvGlobalName(SO3_IFRAME_CLASSID))
++                {
++                    uno::Reference<beans::XPropertySet> xSet(xObject->getComponent(), uno::UNO_QUERY);
++                    if (xSet.is())
++                        xSet->getPropertyValue("FrameURL") >>= aLinkURL;
++                    bIFrame = true;
++                }
++            }
++
++            if (!aLinkURL.isEmpty()) // this is a file link so the model link manager should handle it
++            {
++                SwEmbedObjectLink* pEmbedObjectLink = nullptr;
++                if (!bIFrame)
++                {
++                    pEmbedObjectLink = new SwEmbedObjectLink(this);
++                    mpObjectLink = pEmbedObjectLink;
++                }
++                else
+                 {
+-                    // this is a file link so the model link manager should handle it
+-                    mpObjectLink = new SwEmbedObjectLink( this );
+-                    maLinkURL = aLinkURL;
+-                    GetDoc()->getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
+-                    mpObjectLink->Connect();
++                    mpObjectLink = new SwIFrameLink(this);
+                 }
++                maLinkURL = aLinkURL;
++                GetDoc()->getIDocumentLinksAdministration().GetLinkManager().InsertFileLink( *mpObjectLink, OBJECT_CLIENT_OLE, aLinkURL );
++                if (pEmbedObjectLink)
++                    pEmbedObjectLink->Connect();
+             }
+         }
+         catch( uno::Exception& )
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index ae35f1e21a87b..bd5f30af7d708 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3223,9 +3223,35 @@ SdXMLFloatingFrameShapeContext::~SdXMLFloatingFrameShapeContext()
+ {
+ }
+ 
++uno::Reference<drawing::XShape> SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape() const
++{
++    uno::Reference<lang::XMultiServiceFactory> xServiceFact(GetImport().GetModel(), uno::UNO_QUERY);
++    if (!xServiceFact.is())
++        return nullptr;
++    uno::Reference<drawing::XShape> xShape(
++            xServiceFact->createInstance("com.sun.star.drawing.FrameShape"), uno::UNO_QUERY);
++    return xShape;
++}
++
+ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< css::xml::sax::XAttributeList >& )
+ {
+-    AddShape("com.sun.star.drawing.FrameShape");
++    uno::Reference<drawing::XShape> xShape(SdXMLFloatingFrameShapeContext::CreateFloatingFrameShape());
++
++    uno::Reference< beans::XPropertySet > xProps(xShape, uno::UNO_QUERY);
++    // set FrameURL before AddShape, we have to do it again later because it
++    // gets cleared when the SdrOle2Obj is attached to the XShape.  But we want
++    // FrameURL to exist when AddShape triggers SetPersistName which itself
++    // triggers SdrOle2Obj::CheckFileLink_Impl and at that point we want to
++    // know what URL will end up being used. So bodge this by setting FrameURL
++    // to the temp pre-SdrOle2Obj attached properties and we can smuggle it
++    // eventually into SdrOle2Obj::SetPersistName at the right point after
++    // PersistName is set but before SdrOle2Obj::CheckFileLink_Impl is called
++    // in order to inform the link manager that this is an IFrame that links to
++    // a URL
++    if (xProps && !maHref.isEmpty())
++        xProps->setPropertyValue("FrameURL", Any(maHref));
++
++    AddShape(xShape);
+ 
+     if( mxShape.is() )
+     {
+@@ -3234,7 +3260,6 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+         // set pos, size, shear and rotate
+         SetTransformation();
+ 
+-        uno::Reference< beans::XPropertySet > xProps( mxShape, uno::UNO_QUERY );
+         if( xProps.is() )
+         {
+             if( !maFrameName.isEmpty() )
+diff --git a/xmloff/source/draw/ximpshap.hxx b/xmloff/source/draw/ximpshap.hxx
+index fae45f88f00a9..a00c87e8a0dab 100644
+--- a/xmloff/source/draw/ximpshap.hxx
++++ b/xmloff/source/draw/ximpshap.hxx
+@@ -513,6 +513,8 @@ private:
+     OUString maFrameName;
+     OUString maHref;
+ 
++    css::uno::Reference<css::drawing::XShape> CreateFloatingFrameShape() const;
++
+ public:
+ 
+     SdXMLFloatingFrameShapeContext( SvXMLImport& rImport, sal_uInt16 nPrfx,
+-- 
+2.41.0
+

SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch

@@ -0,0 +1,50 @@
+From 7e128f02a7cb513e4e57dbb1970fa316f456aa45 Mon Sep 17 00:00:00 2001
+From: Eike Rathke <erack@redhat.com>
+Date: Mon, 27 Feb 2023 16:10:06 +0100
+Subject: [PATCH 3/3] Always push a result, even if it's only an error
+
+PERCENTILE() and QUARTILE() if an error was passed as argument (or
+an error encountered during obtaining arguments) omitted to push
+an error result, only setting the error.
+
+Fallout from
+
+    commit f336f63da900d76c2bf6e5690f1c8a7bd15a0aa2
+    CommitDate: Thu Mar 3 16:28:59 2016 +0000
+
+        tdf#94635 Add FORECAST.ETS functions to Calc
+
+Change-Id: I23e276fb0ce735cfd6383cc963446499dcf819f4
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147922
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Tested-by: Jenkins
+(cherry picked from commit 64914560e279c71ff1233f4bab851e2a292797e6)
+---
+ sc/source/core/tool/interpr3.cxx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sc/source/core/tool/interpr3.cxx b/sc/source/core/tool/interpr3.cxx
+index f219beca9386..d442d4eee224 100644
+--- a/sc/source/core/tool/interpr3.cxx
++++ b/sc/source/core/tool/interpr3.cxx
+@@ -3474,7 +3474,7 @@ void ScInterpreter::ScPercentile( bool bInclusive )
+     GetNumberSequenceArray( 1, aArray, false );
+     if ( aArray.empty() || nGlobalError != FormulaError::NONE )
+     {
+-        SetError( FormulaError::NoValue );
++        PushNoValue();
+         return;
+     }
+     if ( bInclusive )
+@@ -3497,7 +3497,7 @@ void ScInterpreter::ScQuartile( bool bInclusive )
+     GetNumberSequenceArray( 1, aArray, false );
+     if ( aArray.empty() || nGlobalError != FormulaError::NONE )
+     {
+-        SetError( FormulaError::NoValue );
++        PushNoValue();
+         return;
+     }
+     if ( bInclusive )
+-- 
+2.41.0
+

SOURCES/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch

@@ -0,0 +1,586 @@
+From a3046cfa58bdfa2a1b9ea6287a021230830f056f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 22 Mar 2022 17:22:22 +0000
+Subject: [PATCH] add Initialization Vectors to password storage
+
+old ones default to the current all zero case and continue to work
+as before
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad)
+
+Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133907
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ .../schema/org/openoffice/Office/Common.xcs   |  10 ++
+ .../passwordcontainer/passwordcontainer.cxx   | 127 ++++++++++++------
+ .../passwordcontainer/passwordcontainer.hxx   |  63 +++++++--
+ 3 files changed, 151 insertions(+), 49 deletions(-)
+
+diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+index b033b29b60d7..e57d26ab3366 100644
+--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+@@ -27,6 +27,11 @@
+       <info>
+         <desc>Contains a container for passwords.</desc>
+       </info>
++      <prop oor:name="InitializationVector" oor:type="xs:string">
++        <info>
++          <desc>Contains an initialization vector for the password encryption.</desc>
++        </info>
++      </prop>
+       <prop oor:name="Password" oor:type="xs:string" oor:localized="false">
+         <info>
+           <desc>Contains a password encoded with the master password.</desc>
+@@ -923,6 +928,11 @@
+         </info>
+         <value>false</value>
+       </prop>
++      <prop oor:name="MasterInitializationVector" oor:type="xs:string">
++        <info>
++          <desc>Contains an initialization vector for the master password encryption.</desc>
++        </info>
++      </prop>
+       <prop oor:name="Master" oor:type="xs:string" oor:nillable="false">
+         <info>
+           <desc>Contains the master password encrypted by itself.</desc>
+diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
+index ff0b40df4016..380188ef495c 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.cxx
++++ b/svl/source/passwordcontainer/passwordcontainer.cxx
+@@ -184,15 +184,18 @@ PassMap StorageItem::getInfo()
+ 
+     Sequence< OUString > aNodeNames     = ConfigItem::GetNodeNames( "Store" );
+     sal_Int32 aNodeCount = aNodeNames.getLength();
+-    Sequence< OUString > aPropNames( aNodeCount );
++    Sequence< OUString > aPropNames( aNodeCount * 2);
+ 
+     std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.begin(),
+         [](const OUString& rName) -> OUString {
+             return "Store/Passwordstorage['" + rName + "']/Password"; });
++    std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.getArray() + aNodeCount,
++        [](const OUString& rName) -> OUString {
++            return "Store/Passwordstorage['" + rName + "']/InitializationVector"; });
+ 
+     Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aPropNames );
+ 
+-    if( aPropertyValues.getLength() != aNodeCount )
++    if( aPropertyValues.getLength() != aNodeCount * 2)
+     {
+         OSL_FAIL( "Problems during reading" );
+         return aResult;
+@@ -208,14 +211,16 @@ PassMap StorageItem::getInfo()
+             OUString aName = aUrlUsr[1];
+ 
+             OUString aEPasswd;
++            OUString aIV;
+             aPropertyValues[aNodeInd] >>= aEPasswd;
++            aPropertyValues[aNodeInd + aNodeCount] >>= aIV;
+ 
+             PassMap::iterator aIter = aResult.find( aUrl );
+             if( aIter != aResult.end() )
+-                aIter->second.emplace_back( aName, aEPasswd );
++                aIter->second.emplace_back( aName, aEPasswd, aIV );
+             else
+             {
+-                NamePassRecord aNewRecord( aName, aEPasswd );
++                NamePassRecord aNewRecord( aName, aEPasswd, aIV );
+                 std::vector< NamePassRecord > listToAdd( 1, aNewRecord );
+ 
+                 aResult.insert( PairUrlRecord( aUrl, listToAdd ) );
+@@ -279,17 +284,19 @@ sal_Int32 StorageItem::getStorageVersion()
+     return nResult;
+ }
+ 
+-bool StorageItem::getEncodedMP( OUString& aResult )
++bool StorageItem::getEncodedMP( OUString& aResult, OUString& aResultIV )
+ {
+     if( hasEncoded )
+     {
+         aResult = mEncoded;
++        aResultIV = mEncodedIV;
+         return true;
+     }
+ 
+-    Sequence< OUString > aNodeNames( 2 );
++    Sequence< OUString > aNodeNames( 3 );
+     aNodeNames[0] = "HasMaster";
+     aNodeNames[1] = "Master";
++    aNodeNames[2] = "MasterInitializationVector";
+ 
+     Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
+ 
+@@ -301,32 +308,37 @@ bool StorageItem::getEncodedMP( OUString& aResult )
+ 
+     aPropertyValues[0] >>= hasEncoded;
+     aPropertyValues[1] >>= mEncoded;
++    aPropertyValues[2] >>= mEncodedIV;
+ 
+     aResult = mEncoded;
++    aResultIV = mEncodedIV;
+ 
+     return hasEncoded;
+ }
+ 
+ 
+-void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
++void StorageItem::setEncodedMP( const OUString& aEncoded, const OUString& aEncodedIV, bool bAcceptEmpty )
+ {
+-    Sequence< OUString > sendNames(3);
+-    Sequence< uno::Any > sendVals(3);
++    Sequence< OUString > sendNames(4);
++    Sequence< uno::Any > sendVals(4);
+ 
+     sendNames[0] = "HasMaster";
+     sendNames[1] = "Master";
+-    sendNames[2] = "StorageVersion";
++    sendNames[2] = "MasterInitializationVector";
++    sendNames[3] = "StorageVersion";
+ 
+     bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
+     sendVals[0] <<= bHasMaster;
+     sendVals[1] <<= aEncoded;
+-    sendVals[2] <<= nCurrentStorageVersion;
++    sendVals[2] <<= aEncodedIV;
++    sendVals[3] <<= nCurrentStorageVersion;
+ 
+     ConfigItem::SetModified();
+     ConfigItem::PutProperties( sendNames, sendVals );
+ 
+     hasEncoded = bHasMaster;
+     mEncoded = aEncoded;
++    mEncodedIV = aEncodedIV;
+ }
+ 
+ 
+@@ -362,11 +374,13 @@ void StorageItem::update( const OUString& aURL, const NamePassRecord& aRecord )
+     forIndex.push_back( aURL );
+     forIndex.push_back( aRecord.GetUserName() );
+ 
+-    Sequence< beans::PropertyValue > sendSeq(1);
++    Sequence< beans::PropertyValue > sendSeq(2);
+ 
+-    sendSeq[0].Name  = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
++    sendSeq[0].Name  = "Store/Passwordstorage['" + createIndex( { aURL, aRecord.GetUserName() } ) + "']/InitializationVector";
++    sendSeq[0].Value <<= aRecord.GetPersistentIV();
+ 
+-    sendSeq[0].Value <<= aRecord.GetPersPasswords();
++    sendSeq[1].Name  = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
++    sendSeq[1].Value <<= aRecord.GetPersPasswords();
+ 
+     ConfigItem::SetModified();
+     ConfigItem::SetSetProperties( "Store", sendSeq );
+@@ -427,7 +441,7 @@ void SAL_CALL PasswordContainer::disposing( const EventObject& )
+     }
+ }
+ 
+-std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
++std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
+ {
+     if( !aMasterPasswd.isEmpty() )
+     {
+@@ -442,9 +456,16 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
+             for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+                 code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ 
++            unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
++            if (!aIV.isEmpty())
++            {
++                for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
++                    iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
++            }
++
+             rtlCipherError result = rtl_cipher_init (
+                     aDecoder, rtl_Cipher_DirectionDecode,
+-                    code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
++                    code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
+ 
+             if( result == rtl_Cipher_E_None )
+             {
+@@ -477,7 +498,7 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
+         "Can't decode!", css::uno::Reference<css::uno::XInterface>(), mode);
+ }
+ 
+-OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPasswd )
++OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPasswd)
+ {
+     if( !aMasterPasswd.isEmpty() )
+     {
+@@ -494,9 +515,16 @@ OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines
+             for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+                 code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ 
++            unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
++            if (!aIV.isEmpty())
++            {
++                for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
++                    iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
++            }
++
+             rtlCipherError result = rtl_cipher_init (
+                     aEncoder, rtl_Cipher_DirectionEncode,
+-                    code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
++                    code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
+ 
+             if( result == rtl_Cipher_E_None )
+             {
+@@ -564,7 +592,7 @@ void PasswordContainer::UpdateVector( const OUString& aURL, std::vector< NamePas
+ 
+             if( aRecord.HasPasswords( PERSISTENT_RECORD ) )
+             {
+-                aNPIter.SetPersPasswords( aRecord.GetPersPasswords() );
++                aNPIter.SetPersPasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV() );
+ 
+                 if( writeFile )
+                 {
+@@ -597,7 +625,8 @@ UserRecord PasswordContainer::CopyToUserRecord( const NamePassRecord& aRecord, b
+     {
+         try
+         {
+-            ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
++            ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV(),
++                                                                           GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
+             aPasswords.insert( aPasswords.end(), aDecodedPasswords.begin(), aDecodedPasswords.end() );
+         }
+         catch( NoMasterException& )
+@@ -642,6 +671,19 @@ void SAL_CALL PasswordContainer::addPersistent( const OUString& Url, const OUStr
+     PrivateAdd( Url, UserName, Passwords, PERSISTENT_RECORD, aHandler );
+ }
+ 
++OUString PasswordContainer::createIV()
++{
++    rtlRandomPool randomPool = mRandomPool.get();
++    unsigned char iv[RTL_DIGEST_LENGTH_MD5];
++    rtl_random_getBytes(randomPool, iv, RTL_DIGEST_LENGTH_MD5);
++    OUStringBuffer aBuffer;
++    for (sal_uInt8 i : iv)
++    {
++        aBuffer.append(OUString::number(i >> 4, 16));
++        aBuffer.append(OUString::number(i & 15, 16));
++    }
++    return aBuffer.makeStringAndClear();
++}
+ 
+ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserName, const Sequence< OUString >& Passwords, char Mode, const Reference< XInteractionHandler >& aHandler )
+ {
+@@ -649,7 +691,11 @@ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserNam
+     ::std::vector< OUString > aStorePass = comphelper::sequenceToContainer< std::vector<OUString> >( Passwords );
+ 
+     if( Mode == PERSISTENT_RECORD )
+-        aRecord.SetPersPasswords( EncodePasswords( aStorePass, GetMasterPassword( aHandler ) ) );
++    {
++        OUString sIV = createIV();
++        OUString sEncodedPasswords = EncodePasswords( aStorePass, sIV, GetMasterPassword( aHandler ) );
++        aRecord.SetPersPasswords( sEncodedPasswords, sIV );
++    }
+     else if( Mode == MEMORY_RECORD )
+         aRecord.SetMemPasswords( aStorePass );
+     else
+@@ -842,10 +888,10 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+ 
+     if( m_aMasterPasswd.isEmpty() && aHandler.is() )
+     {
+-        OUString aEncodedMP;
++        OUString aEncodedMP, aEncodedMPIV;
+         bool bDefaultPassword = false;
+ 
+-        if( !m_pStorageFile->getEncodedMP( aEncodedMP ) )
++        if( !m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+             aRMode = PasswordRequestMode_PASSWORD_CREATE;
+         else if ( aEncodedMP.isEmpty() )
+         {
+@@ -867,14 +913,15 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+                         m_aMasterPasswd = aPass;
+                         std::vector< OUString > aMaster( 1, m_aMasterPasswd );
+ 
+-                        m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
++                        OUString sIV = createIV();
++                        m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, sIV, m_aMasterPasswd ), sIV );
+                     }
+                     else
+                     {
+                         if (m_pStorageFile->getStorageVersion() == 0)
+                             aPass = ReencodeAsOldHash(aPass);
+ 
+-                        std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
++                        std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aEncodedMPIV, aPass, aRMode ) );
+                         if( aRM.empty() || aPass != aRM[0] )
+                         {
+                             bAskAgain = true;
+@@ -1031,7 +1078,8 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
+             {
+                 sal_Int32 oldLen = aUsers.getLength();
+                 aUsers.realloc( oldLen + 1 );
+-                aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
++                aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), aNP.GetPersistentIV(),
++                                                                                                                    GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
+             }
+ 
+         if( aUsers.hasElements() )
+@@ -1048,12 +1096,12 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
+ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+     bool bResult = false;
+-    OUString aEncodedMP;
++    OUString aEncodedMP, aEncodedMPIV;
+     uno::Reference< task::XInteractionHandler > xTmpHandler = xHandler;
+     ::osl::MutexGuard aGuard( mMutex );
+ 
+     // the method should fail if there is no master password
+-    if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) )
++    if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+     {
+         if ( aEncodedMP.isEmpty() )
+         {
+@@ -1122,8 +1170,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
+ 
+         bool bCanChangePassword = true;
+         // if there is already a stored master password it should be entered by the user before the change happen
+-        OUString aEncodedMP;
+-        if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP ) )
++        OUString aEncodedMP, aEncodedMPIV;
++        if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+             bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
+ 
+         if ( bCanChangePassword )
+@@ -1142,7 +1190,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
+                 // store the new master password
+                 m_aMasterPasswd = aPass;
+                 std::vector< OUString > aMaster( 1, m_aMasterPasswd );
+-                m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
++                OUString aIV = createIV();
++                m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, aIV, m_aMasterPasswd ), aIV );
+ 
+                 // store all the entries with the new password
+                 for ( const auto& rURL : aPersistent )
+@@ -1167,7 +1216,7 @@ void SAL_CALL PasswordContainer::removeMasterPassword()
+     if ( m_pStorageFile )
+     {
+         m_aMasterPasswd.clear();
+-        m_pStorageFile->setEncodedMP( OUString() ); // let the master password be removed from configuration
++        m_pStorageFile->setEncodedMP( OUString(), OUString() ); // let the master password be removed from configuration
+     }
+ }
+ 
+@@ -1178,8 +1227,8 @@ sal_Bool SAL_CALL PasswordContainer::hasMasterPassword(  )
+     if ( !m_pStorageFile )
+         throw uno::RuntimeException();
+ 
+-    OUString aEncodedMP;
+-    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) );
++    OUString aEncodedMP, aEncodedMPIV;
++    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) );
+ }
+ 
+ sal_Bool SAL_CALL PasswordContainer::allowPersistentStoring( sal_Bool bAllow )
+@@ -1226,8 +1275,8 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
+ 
+         bool bCanChangePassword = true;
+         // if there is already a stored nondefault master password it should be entered by the user before the change happen
+-        OUString aEncodedMP;
+-        if( m_pStorageFile->getEncodedMP( aEncodedMP ) && !aEncodedMP.isEmpty() )
++        OUString aEncodedMP, aEncodedMPIV;
++        if( m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && !aEncodedMP.isEmpty() )
+             bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
+ 
+         if ( bCanChangePassword )
+@@ -1244,7 +1293,7 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
+ 
+                 // store the empty string to flag the default master password
+                 m_aMasterPasswd = aPass;
+-                m_pStorageFile->setEncodedMP( OUString(), true );
++                m_pStorageFile->setEncodedMP( OUString(), OUString(), true );
+ 
+                 // store all the entries with the new password
+                 for ( const auto& rURL : aPersistent )
+@@ -1268,8 +1317,8 @@ sal_Bool SAL_CALL PasswordContainer::isDefaultMasterPasswordUsed()
+     if ( !m_pStorageFile )
+         throw uno::RuntimeException();
+ 
+-    OUString aEncodedMP;
+-    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) && aEncodedMP.isEmpty() );
++    OUString aEncodedMP, aEncodedMPIV;
++    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && aEncodedMP.isEmpty() );
+ }
+ 
+ 
+diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
+index cf5c717d0c9e..4e3a6629139e 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.hxx
++++ b/svl/source/passwordcontainer/passwordcontainer.hxx
+@@ -33,6 +33,7 @@
+ #include <unotools/configitem.hxx>
+ #include <ucbhelper/interactionrequest.hxx>
+ 
++#include <rtl/random.h>
+ #include <rtl/ref.hxx>
+ #include <osl/mutex.hxx>
+ 
+@@ -51,11 +52,12 @@ class NamePassRecord
+     ::std::vector< OUString >                      m_aMemPass;
+ 
+     // persistent passwords are encrypted in one string
+-    bool                                                  m_bHasPersPass;
++    bool                                           m_bHasPersPass;
+     OUString                                       m_aPersPass;
++    OUString                                       m_aPersistentIV;
+ 
+     void InitArrays( bool bHasMemoryList, const ::std::vector< OUString >& aMemoryList,
+-                     bool bHasPersistentList, const OUString& aPersistentList )
++                     bool bHasPersistentList, const OUString& aPersistentList, const OUString& aPersistentIV )
+     {
+         m_bHasMemPass = bHasMemoryList;
+         if ( bHasMemoryList )
+@@ -63,7 +65,10 @@ class NamePassRecord
+ 
+         m_bHasPersPass = bHasPersistentList;
+         if ( bHasPersistentList )
++        {
+             m_aPersPass = aPersistentList;
++            m_aPersistentIV = aPersistentIV;
++        }
+     }
+ 
+ public:
+@@ -75,11 +80,12 @@ public:
+     {
+     }
+ 
+-    NamePassRecord( const OUString& aName, const OUString& aPersistentList )
++    NamePassRecord( const OUString& aName, const OUString& aPersistentList, const OUString& aPersistentIV )
+         : m_aName( aName )
+         , m_bHasMemPass( false )
+         , m_bHasPersPass( true )
+         , m_aPersPass( aPersistentList )
++        , m_aPersistentIV( aPersistentIV )
+     {
+     }
+ 
+@@ -88,7 +94,8 @@ public:
+         , m_bHasMemPass( false )
+         , m_bHasPersPass( false )
+     {
+-        InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
++        InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
++                    aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
+     }
+ 
+     NamePassRecord& operator=( const NamePassRecord& aRecord )
+@@ -99,7 +106,9 @@ public:
+ 
+             m_aMemPass.clear();
+             m_aPersPass.clear();
+-            InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
++            m_aPersistentIV.clear();
++            InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
++                        aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
+         }
+         return *this;
+     }
+@@ -135,15 +144,24 @@ public:
+         return OUString();
+     }
+ 
++    OUString GetPersistentIV() const
++    {
++        if ( m_bHasPersPass )
++            return m_aPersistentIV;
++
++        return OUString();
++    }
++
+     void SetMemPasswords( const ::std::vector< OUString >& aMemList )
+     {
+         m_aMemPass = aMemList;
+         m_bHasMemPass = true;
+     }
+ 
+-    void SetPersPasswords( const OUString& aPersList )
++    void SetPersPasswords( const OUString& aPersList, const OUString& aPersIV )
+     {
+         m_aPersPass = aPersList;
++        m_aPersistentIV = aPersIV;
+         m_bHasPersPass = true;
+     }
+ 
+@@ -158,6 +176,7 @@ public:
+         {
+             m_bHasPersPass = false;
+             m_aPersPass.clear();
++            m_aPersistentIV.clear();
+         }
+     }
+ 
+@@ -181,6 +200,7 @@ private:
+     PasswordContainer*     mainCont;
+     bool                   hasEncoded;
+     OUString        mEncoded;
++    OUString        mEncodedIV;
+ 
+     virtual void            ImplCommit() override;
+ 
+@@ -201,8 +221,8 @@ public:
+ 
+     sal_Int32 getStorageVersion();
+ 
+-    bool getEncodedMP( OUString& aResult );
+-    void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
++    bool getEncodedMP( OUString& aResult, OUString& aResultIV );
++    void setEncodedMP( const OUString& aResult, const OUString& aResultIV, bool bAcceptEmpty = false );
+     void setUseStorage( bool bUse );
+     bool useStorage();
+ 
+@@ -223,6 +243,29 @@ private:
+     css::uno::Reference< css::lang::XComponent > mComponent;
+     SysCredentialsConfig mUrlContainer;
+ 
++    class RandomPool
++    {
++    private:
++        rtlRandomPool m_aRandomPool;
++    public:
++        RandomPool() : m_aRandomPool(rtl_random_createPool())
++        {
++        }
++        rtlRandomPool get()
++        {
++            return m_aRandomPool;
++        }
++        ~RandomPool()
++        {
++            // Clean up random pool memory
++            rtl_random_destroyPool(m_aRandomPool);
++        }
++    };
++
++    RandomPool mRandomPool;
++
++    OUString createIV();
++
+     /// @throws css::uno::RuntimeException
+     css::uno::Sequence< css::task::UserRecord > CopyToUserRecordSequence(
+                                         const ::std::vector< NamePassRecord >& original,
+@@ -273,10 +316,10 @@ css::task::UrlRecord find(
+                               const css::uno::Reference< css::task::XInteractionHandler >& Handler );
+ 
+     /// @throws css::uno::RuntimeException
+-    static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
++    static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
+ 
+     /// @throws css::uno::RuntimeException
+-    static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPassword );
++    static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPassword );
+ 
+ public:
+     PasswordContainer( const css::uno::Reference< css::lang::XMultiServiceFactory >& );
+-- 
+2.37.1
+

SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch

@@ -0,0 +1,225 @@
+From ae89e7b8ae1e781c1a9d8ca2c5d4aeca656932f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:26:25 +0000
+Subject: [PATCH] default to ignoring libreoffice special-purpose protocols in
+ calc hyperlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911
+Tested-by: Jenkins
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159882
+Tested-by: Miklos Vajna <vmiklos@collabora.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159912
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ dbaccess/source/core/dataaccess/ModelImpl.cxx |  3 +-
+ include/sfx2/docmacromode.hxx                 |  5 ++-
+ include/sfx2/objsh.hxx                        |  3 ++
+ sc/source/core/data/global.cxx                | 33 ++++++++++++++++++-
+ sfx2/source/doc/docmacromode.cxx              |  8 +++--
+ sfx2/source/doc/objmisc.cxx                   |  8 ++++-
+ sfx2/source/doc/objxtor.cxx                   |  1 +
+ sfx2/source/inc/objshimp.hxx                  |  3 +-
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+index 1f11f36..ce4dbae 100644
+--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx
++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+@@ -1140,7 +1140,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading()
+ {
+     Reference< XInteractionHandler > xInteraction;
+     xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction );
+-    return m_aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = m_aMacroMode.hasMacros();
++    return m_aMacroMode.checkMacrosOnLoading(xInteraction, bHasMacros);
+ }
+ 
+ void ODatabaseModelImpl::resetMacroExecutionMode()
+diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx
+index a15bbbe..98b7d3a 100644
+--- a/include/sfx2/docmacromode.hxx
++++ b/include/sfx2/docmacromode.hxx
+@@ -260,6 +260,8 @@ namespace sfx2
+         */
+         static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage );
+ 
++        bool hasMacros() const;
++
+         static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainter );
+         /** checks the macro execution mode while loading the document.
+ 
+@@ -286,7 +288,8 @@ namespace sfx2
+         */
+         bool
+                 checkMacrosOnLoading(
+-                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction
++                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction,
++                    bool bHasMacros
+                 );
+ 
+     private:
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index 2a56ebe..43df460 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -418,6 +418,9 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    bool                        GetHadCheckedMacrosOnLoad() const;
++
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+ 
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 050fd82..92d50c4 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -26,7 +26,9 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
++#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
++#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -789,7 +791,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ 
+     OUString aUrlName( rURL );
+     SfxViewFrame* pFrame = nullptr;
+-    const SfxObjectShell* pObjShell = nullptr;
++    SfxObjectShell* pObjShell = nullptr;
+     OUString aReferName;
+     if ( pScActiveViewShell )
+     {
+@@ -823,6 +825,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
++    if (INetURLObject(aUrlName).IsExoticProtocol())
++    {
++        // Default to ignoring exotic protocols
++        bool bAllow = false;
++        if (pObjShell)
++        {
++            // If the document had macros when loaded then follow the allowed macro-mode
++            if (pObjShell->GetHadCheckedMacrosOnLoad())
++                bAllow = pObjShell->AdjustMacroMode();
++            else // otherwise ask the user, defaulting to cancel
++            {
++                assert(pFrame && "if we have pObjShell we have pFrame");
++                //Reuse URITools::onOpenURI warning string
++                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
++                                                               VclMessageType::Warning, VclButtonsType::YesNo,
++                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
++                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
++                xQueryBox->set_default_response(RET_NO);
++                bAllow = xQueryBox->run() == RET_YES;
++            }
++        }
++        if (!bAllow)
++        {
++            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
++            return;
++        }
++    }
++
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+     if ( nScClickMouseModifier & KEY_SHIFT )     // control-click -> into new window
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 492bd0a..7f1fb2b 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -391,8 +391,12 @@ namespace sfx2
+         return bHasMacros;
+     }
+ 
++    bool DocumentMacroMode::hasMacros() const
++    {
++        return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading();
++    }
+ 
+-    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction )
++    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasMacros )
+     {
+         bool bAllow = false;
+         if ( SvtSecurityOptions().IsMacroDisabled() )
+@@ -402,7 +406,7 @@ namespace sfx2
+         }
+         else
+         {
+-            if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading())
++            if (bHasMacros)
+             {
+                 bAllow = adjustMacroMode( rxInteraction );
+             }
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index 6819404..fac75dd 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -953,9 +953,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl()
+     CheckEncryption_Impl( xInteraction );
+ 
+     // check macro security
+-    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = pImpl->aMacroMode.hasMacros();
++    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasMacros );
++    pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros;
+ }
+ 
++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
++{
++    return pImpl->m_bHadCheckedMacrosOnLoad;
++}
+ 
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx
+index 510c35d..a707bb7 100644
+--- a/sfx2/source/doc/objxtor.cxx
++++ b/sfx2/source/doc/objxtor.cxx
+@@ -237,6 +237,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell )
+     ,m_bAllowShareControlFileClean( true )
+     ,m_bConfigOptionsChecked( false )
+     ,m_bMacroCallsSeenWhileLoading( false )
++    ,m_bHadCheckedMacrosOnLoad( false )
+     ,lErr(ERRCODE_NONE)
+     ,nEventId ( SfxEventHintId::NONE )
+     ,nLoadedFlags ( SfxLoadedFlags::ALL )
+diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx
+index 3d7b0b6..4afdd70 100644
+--- a/sfx2/source/inc/objshimp.hxx
++++ b/sfx2/source/inc/objshimp.hxx
+@@ -91,7 +91,8 @@ struct SfxObjectShell_Impl : public ::sfx2::IMacroDocumentAccess
+                         m_bSharedXMLFlag:1, // whether the document should be edited in shared mode
+                         m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file
+                         m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed.
+-                        m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed.
++                        m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document.
++                        m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded
+ 
+     IndexBitSet         aBitSet;
+     ErrCode             lErr;
+-- 
+2.43.0
+

SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch

@@ -0,0 +1,54 @@
+From eaa66eec69ec311b73521c6ce410a749c810298f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 20 Apr 2023 20:58:21 +0100
+Subject: [PATCH 3/3] assume IFrame script/macro support isn't needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+seems undocumented at least
+
+Change-Id: I316e4f4f25ddb7cf6b7bac4d856a721b987207a3
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151020
+Tested-by: Jenkins
+Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152150
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 4b679f8e16bc050bc0cc9fa9294413c8115ed239)
+---
+ sfx2/source/doc/iframe.cxx | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index fce6cb48ea08f..84d724f7c58f3 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -168,20 +168,16 @@ sal_Bool SAL_CALL IFrameObject::load(
+         uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+         xTrans->parseStrict( aTargetURL );
+ 
++        INetURLObject aURLObject(aTargetURL.Complete);
++        if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++            return false;
++
+         uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+         SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+ 
+-        if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+-        {
+-            if (pDoc && !pDoc->AdjustMacroMode())
+-                return false;
+-        }
+-
+         bool bUpdateAllowed(true);
+         if (pDoc)
+         {
+-            // perhaps should only check for file targets, but lets default to making it strong
+-            // unless there is a known need to distinguish
+             comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pDoc->getEmbeddedObjectContainer();
+             bUpdateAllowed = rEmbeddedObjectContainer.getUserAllowsLinkUpdate();
+         }
+-- 
+2.41.0
+

SOURCES/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch

@@ -0,0 +1,117 @@
+From 4cfd591942e4cfd3efc416bfac8e46e3580d37ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 23 Mar 2022 13:03:30 +0000
+Subject: [PATCH] add infobar to prompt to refresh to replace old format
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bbd196ff82bda9f66b4ba32a412f10cefe6da60e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132307
+Reviewed-by: Sophie Gautier <sophi@libreoffice.org>
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+(cherry picked from commit c5d01b11db3c83cb4a89d3b388d78e20dd3990b5)
+
+Change-Id: Id99cbf2b50a4ebf289dae6fc67e22e20afcda35b
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133906
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ include/sfx2/strings.hrc     |  2 ++
+ include/sfx2/viewfrm.hxx     |  1 +
+ sfx2/source/view/viewfrm.cxx | 40 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 43 insertions(+)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 1f21f0a0f186..1db36e733c0c 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -297,6 +297,8 @@
+ #define STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK   NC_("STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK", "The certificate could not be validated and the document is only partially signed.")
+ #define STR_SIGNATURE_OK                        NC_("STR_SIGNATURE_OK", "This document is digitally signed and the signature is valid.")
+ #define STR_SIGNATURE_SHOW                      NC_("STR_SIGNATURE_SHOW", "Show Signatures")
++#define STR_REFRESH_MASTER_PASSWORD             NC_("STR_REFRESH_MASTER_PASSWORD", "The master password is stored in an outdated format, you should refresh it")
++#define STR_REFRESH_PASSWORD                    NC_("STR_REFRESH_PASSWORD", "Refresh Password")
+ 
+ #define STR_CLOSE_PANE                          NC_("STR_CLOSE_PANE", "Close Pane")
+ #define STR_SFX_DOCK                            NC_("STR_SFX_DOCK", "Dock")
+diff --git a/include/sfx2/viewfrm.hxx b/include/sfx2/viewfrm.hxx
+index fe336ba5f091..cc6a7dae7047 100644
+--- a/include/sfx2/viewfrm.hxx
++++ b/include/sfx2/viewfrm.hxx
+@@ -61,6 +61,7 @@ protected:
+     DECL_LINK(WhatsNewHandler, Button*, void);
+     DECL_LINK(SwitchReadOnlyHandler, Button*, void);
+     DECL_LINK(SignDocumentHandler, Button*, void);
++    DECL_DLLPRIVATE_LINK(RefreshMasterPasswordHdl, Button*, void);
+     SAL_DLLPRIVATE void KillDispatcher_Impl();
+ 
+     virtual                 ~SfxViewFrame() override;
+diff --git a/sfx2/source/view/viewfrm.cxx b/sfx2/source/view/viewfrm.cxx
+index 5a64599e5894..86e7d51bbfea 100644
+--- a/sfx2/source/view/viewfrm.cxx
++++ b/sfx2/source/view/viewfrm.cxx
+@@ -32,6 +32,7 @@
+ #include <com/sun/star/frame/XLoadable.hpp>
+ #include <com/sun/star/frame/XLayoutManager.hpp>
+ #include <com/sun/star/frame/XComponentLoader.hpp>
++#include <com/sun/star/task/PasswordContainer.hpp>
+ #include <officecfg/Office/Common.hxx>
+ #include <officecfg/Setup.hxx>
+ #include <toolkit/helper/vclunohelper.hxx>
+@@ -1390,6 +1391,24 @@ void SfxViewFrame::Notify( SfxBroadcaster& /*rBC*/, const SfxHint& rHint )
+                     batch->commit();
+                 }
+ 
++                if (officecfg::Office::Common::Passwords::HasMaster::get() &&
++                    officecfg::Office::Common::Passwords::StorageVersion::get() == 0)
++                {
++                    // master password stored in deprecated format
++                    VclPtr<SfxInfoBarWindow> pOldMasterPasswordInfoBar =
++                        AppendInfoBar("oldmasterpassword", "",
++                                      SfxResId(STR_REFRESH_MASTER_PASSWORD), InfobarType::DANGER, false);
++                    if (pOldMasterPasswordInfoBar)
++                    {
++                        VclPtrInstance<PushButton> const xBtn(&GetWindow());
++                        xBtn->SetText(SfxResId(STR_REFRESH_PASSWORD));
++                        xBtn->SetSizePixel(xBtn->GetOptimalSize());
++                        xBtn->SetClickHdl(LINK(this,
++                           SfxViewFrame, RefreshMasterPasswordHdl));
++                        pOldMasterPasswordInfoBar->addButton(xBtn);
++                    }
++                }
++
+                 // read-only infobar if necessary
+                 const SfxViewShell *pVSh;
+                 const SfxShell *pFSh;
+@@ -1565,6 +1584,27 @@ IMPL_LINK_NOARG(SfxViewFrame, SignDocumentHandler, Button*, void)
+     GetDispatcher()->Execute(SID_SIGNATURE);
+ }
+ 
++IMPL_LINK_NOARG(SfxViewFrame, RefreshMasterPasswordHdl, Button*, void)
++{
++    bool bChanged = false;
++    try
++    {
++        Reference< task::XPasswordContainer2 > xMasterPasswd(
++            task::PasswordContainer::create(comphelper::getProcessComponentContext()));
++
++        css::uno::Reference<css::frame::XFrame> xFrame = GetFrame().GetFrameInterface();
++        css::uno::Reference<css::awt::XWindow> xContainerWindow = xFrame->getContainerWindow();
++
++        uno::Reference<task::XInteractionHandler> xTmpHandler(task::InteractionHandler::createWithParent(comphelper::getProcessComponentContext(),
++                                                              xContainerWindow));
++        bChanged = xMasterPasswd->changeMasterPassword(xTmpHandler);
++    }
++    catch (const Exception&)
++    {}
++    if (bChanged)
++        RemoveInfoBar(u"oldmasterpassword");
++}
++
+ void SfxViewFrame::Construct_Impl( SfxObjectShell *pObjSh )
+ {
+     m_pImpl->bResizeInToOut = true;
+-- 
+2.37.1
+

SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch

@@ -0,0 +1,281 @@
+From 6a69b533227ae22d97824317f14dfa6991959101 Mon Sep 17 00:00:00 2001
+Message-ID: <6a69b533227ae22d97824317f14dfa6991959101.1703086328.git.erack@redhat.com>
+In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 15 Nov 2023 11:39:24 +0000
+Subject: [PATCH 3/4] reuse AllowedLinkProtocolFromDocument in writer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+reorg calc hyperlink check to reuse elsewhere
+
+Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75)
+
+reuse AllowedLinkProtocolFromDocument in writer
+
+Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d)
+
+combine these hyperlink dispatchers into one call
+
+Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb)
+
+we can have just one LoadURL for writer
+
+Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159913
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Eike Rathke <erack@redhat.com>
+---
+ include/sfx2/objsh.hxx               |  7 +++--
+ sc/source/core/data/global.cxx       | 32 ++---------------------
+ sfx2/source/doc/objmisc.cxx          | 27 ++++++++++++++++++++
+ sw/source/uibase/shells/drwtxtex.cxx |  8 ++----
+ sw/source/uibase/wrtsh/wrtsh2.cxx    | 38 ++++++++++++++++++----------
+ 5 files changed, 60 insertions(+), 52 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index fde0dba3d7c9..79f22c978dcb 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -200,6 +200,9 @@ private:
+ 
+     SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet );
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    SAL_DLLPRIVATE bool  GetHadCheckedMacrosOnLoad() const;
++
+ protected:
+                                 SfxObjectShell(SfxObjectCreateMode);
+                                 SfxObjectShell(SfxModelFlags);    // see sfxmodelfactory.hxx
+@@ -427,8 +430,8 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
+-    // true if the document had macros (or similar) on load to trigger warning user
+-    bool                        GetHadCheckedMacrosOnLoad() const;
++    // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc
++    static bool                 AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent);
+ 
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 92caea1ea459..27c5a51a46c1 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -29,9 +29,7 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
+-#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
+-#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -856,34 +854,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (INetURLObject(aUrlName).IsExoticProtocol())
+-    {
+-        // Default to ignoring exotic protocols
+-        bool bAllow = false;
+-        if (pObjShell)
+-        {
+-            // If the document had macros when loaded then follow the allowed macro-mode
+-            if (pObjShell->GetHadCheckedMacrosOnLoad())
+-                bAllow = pObjShell->AdjustMacroMode();
+-            else // otherwise ask the user, defaulting to cancel
+-            {
+-                assert(pFrame && "if we have pObjShell we have pFrame");
+-                //Reuse URITools::onOpenURI warning string
+-                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
+-                                                               VclMessageType::Warning, VclButtonsType::YesNo,
+-                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
+-                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
+-                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
+-                xQueryBox->set_default_response(RET_NO);
+-                bAllow = xQueryBox->run() == RET_YES;
+-            }
+-        }
+-        if (!bAllow)
+-        {
+-            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
+-            return;
+-        }
+-    }
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++        return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index ddf95eeafe5e..8c76c3f0f4d6 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -962,6 +962,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
+     return pImpl->m_bHadCheckedMacrosOnLoad;
+ }
+ 
++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent)
++{
++    if (!INetURLObject(rUrl).IsExoticProtocol())
++        return true;
++    // Default to ignoring exotic protocols
++    bool bAllow = false;
++    if (pObjShell)
++    {
++        // If the document had macros when loaded then follow the allowed macro-mode
++        if (pObjShell->GetHadCheckedMacrosOnLoad())
++            bAllow = pObjShell->AdjustMacroMode();
++        else // otherwise ask the user, defaulting to cancel
++        {
++            //Reuse URITools::onOpenURI warning string
++            std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pDialogParent,
++                                                           VclMessageType::Warning, VclButtonsType::YesNo,
++                                                           SfxResId(STR_DANGEROUS_TO_OPEN)));
++            xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous)));
++            xQueryBox->set_default_response(RET_NO);
++            bAllow = xQueryBox->run() == RET_YES;
++        }
++    }
++    SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl);
++    return bAllow;
++}
++
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+     OUString aVersion;
+diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx
+index c84ee7bd9af4..c51f501841ad 100644
+--- a/sw/source/uibase/shells/drwtxtex.cxx
++++ b/sw/source/uibase/shells/drwtxtex.cxx
+@@ -533,12 +533,8 @@ void SwDrawTextShell::Execute( SfxRequest &rReq )
+             const SvxFieldData* pField = pOLV->GetFieldAtCursor();
+             if (const SvxURLField* pURLField = dynamic_cast<const SvxURLField*>(pField))
+             {
+-                SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL());
+-                SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame());
+-                SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false);
+-                SfxBoolItem aBrowsing(SID_BROWSE, true);
+-                GetView().GetViewFrame()->GetDispatcher()->ExecuteList(
+-                    SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing });
++                ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE,
++                          pURLField->GetTargetFrame());
+             }
+         }
+         break;
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 1995e7133c4a..d781823e82ec 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter )
+     return bRet;
+ }
+ 
+-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+-              const OUString& rTargetFrameName )
++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
++                    const OUString& rTargetFrameName)
+ {
+-    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
+-    if( rURL.isEmpty() )
+-        return ;
++    SwDocShell* pDShell = rView.GetDocShell();
++    OSL_ENSURE( pDShell, "No DocShell?!");
++    SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    // The shell could be 0 also!!!!!
+-    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+     // unless we are jumping to a TOC mark.
+     if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#"))
+     {
+-        rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
++        rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
+         return;
+     }
+ 
+-    //A CursorShell is always a WrtShell
+-    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
+-
+-    SwDocShell* pDShell = rSh.GetView().GetDocShell();
+-    OSL_ENSURE( pDShell, "No DocShell?!");
+     OUString sTargetFrame(rTargetFrameName);
+     if (sTargetFrame.isEmpty() && pDShell)
+     {
+@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+     OUString sReferer;
+     if( pDShell && pDShell->GetMedium() )
+         sReferer = pDShell->GetMedium()->GetName();
+-    SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame();
+     SfxFrameItem aView( SID_DOCFRAME, pViewFrame );
+     SfxStringItem aName( SID_FILE_NAME, rURL );
+     SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame );
+@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+             SfxCallMode::ASYNCHRON|SfxCallMode::RECORD );
+ }
+ 
++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
++              const OUString& rTargetFrameName )
++{
++    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
++    if( rURL.isEmpty() )
++        return ;
++
++    // The shell could be 0 also!!!!!
++    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++        return;
++
++    //A CursorShell is always a WrtShell
++    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
++
++    ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName);
++}
++
+ void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk,
+                                     const sal_uInt16 nAction )
+ {
+
+--------------erAck-patch-parts--
+
+

SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch

@@ -0,0 +1,87 @@
+From 62ba88176c10469588e4bbb73cbf33889df08dbc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 22 Nov 2023 21:14:41 +0000
+Subject: [PATCH] reuse AllowedLinkProtocolFromDocument in impress/draw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159914
+Reviewed-by: Eike Rathke <erack@redhat.com>
+
+erAck: backported to 6.4.7.2
+
+---
+ sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx
+index 3d84ddb..8d42653 100644
+--- a/sd/source/ui/app/sdmod1.cxx
++++ b/sd/source/ui/app/sdmod1.cxx
+@@ -32,6 +32,7 @@
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/request.hxx>
+ #include <sfx2/templatedlg.hxx>
++#include <svl/stritem.hxx>
+ #include <editeng/eeitem.hxx>
+ 
+ #include <svx/svxids.hrc>
+@@ -193,26 +194,32 @@ void SdModule::Execute(SfxRequest& rReq)
+         {
+             bool bIntercept = false;
+             ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() );
+-            if (pDocShell)
++            ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr;
++            if (pViewShell)
+             {
+-                ::sd::ViewShell* pViewShell = pDocShell->GetViewShell();
+-                if (pViewShell)
++                if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
+                 {
+-                    if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
++                    // Prevent documents from opening while the slide
++                    // show is running, except when this request comes
++                    // from a shape interaction.
++                    if (rReq.GetArgs() == nullptr)
+                     {
+-                        // Prevent documents from opening while the slide
+-                        // show is running, except when this request comes
+-                        // from a shape interaction.
+-                        if (rReq.GetArgs() == nullptr)
+-                        {
+-                            bIntercept = true;
+-                        }
++                        bIntercept = true;
+                     }
+                 }
+             }
+ 
+             if (!bIntercept)
+             {
++                if (const SfxStringItem* pURLItem = rReq.GetArg<SfxStringItem>(SID_FILE_NAME))
++                {
++                    if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(),
++                                                                                        pViewShell->GetObjectShell(),
++                                                                                        pViewShell->GetFrameWeld()))
++                    {
++                        return;
++                    }
++                }
+                 SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface());
+             }
+             else
+-- 
+2.43.0
+

SOURCES/0006-CVE-2023-6186-backporting.patch

@@ -0,0 +1,65 @@
+From a255a9c69d35df27e92349ea5bb9cb8d6c46d97f Mon Sep 17 00:00:00 2001
+From: rpmbuild <rpmbuild@fedoraproject.org>
+Date: Fri, 8 Mar 2024 17:51:24 +0100
+Subject: [PATCH] CVE-2023-6186 backporting
+
+Add dialog text string STR_DANGEROUS_TO_OPEN
+as per upstream commit 70009098fd70df021048c540d1796c928554b494
+
+SfxViewFrame doesn't have GetFrameWeld() yet, get from Window.
+---
+ include/sfx2/strings.hrc          | 1 +
+ sc/source/core/data/global.cxx    | 4 +++-
+ sw/source/uibase/wrtsh/wrtsh2.cxx | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 1db36e7..29950ba 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -103,6 +103,7 @@
+ #define STR_GB                                  NC_("STR_GB", "GB")
+ #define STR_QUERY_LASTVERSION                   NC_("STR_QUERY_LASTVERSION", "Cancel all changes?")
+ #define STR_NO_WEBBROWSER_FOUND                 NC_("STR_NO_WEBBROWSER_FOUND", "Opening \"$(ARG1)\" failed with error code $(ARG2) and message: \"$(ARG3)\"\nMaybe no web browser could be found on your system. In that case, please check your Desktop Preferences or install a web browser (for example, Firefox) in the default location requested during the browser installation.")
++#define STR_DANGEROUS_TO_OPEN                   NC_("STR_DANGEROUS_TO_OPEN", "It might be dangerous to open \"$(ARG1)\".\nDo you really want to open it?")
+ #define STR_NO_ABS_URI_REF                      NC_("STR_NO_ABS_URI_REF", "\"$(ARG1)\" is not an absolute URL that can be passed to an external application to open it.")
+ #define STR_GID_INTERN                          NC_("STR_GID_INTERN", "Internal")
+ #define STR_GID_APPLICATION                     NC_("STR_GID_APPLICATION", "Application")
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index b16be6b..3295a38 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -37,6 +37,8 @@
+ #include <vcl/virdev.hxx>
+ #include <vcl/settings.hxx>
+ #include <vcl/svapp.hxx>
++#include <vcl/weld.hxx>
++#include <vcl/window.hxx>
+ #include <unotools/charclass.hxx>
+ #include <unotools/securityoptions.hxx>
+ #include <osl/diagnose.h>
+@@ -823,7 +825,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetWindow().GetFrameWeld() : nullptr))
+         return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 41f427a..543644d 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -495,7 +495,7 @@ static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
+     OSL_ENSURE( pDShell, "No DocShell?!");
+     SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetWindow().GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+-- 
+2.43.0
+

SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEyzEr0BEADT441wUITsTwDA2nM3kmUhGrzTdxZB5xv/E1ZJCw63qWdmdTdW
+NZDfNDuLs4r2VjlEoA3xGK6jgnQvyAoNj0yiEbW/JedHHgOiVdXDlkgkY58myafT
+FXqDLzTXVrsNnay0GS8XrNjptZJPhEPBvNUdkqpA9B7RTkfaXj779Pf/AeFMZVLl
+UAci5RA0NNF910GHwoXT6SEv2PGoawsphnfmMVdKh9wz7asbtKXEmotCwX3k045x
+LsIVK5ANOi+BI9C3LkrrFJWw2XHqDW2ulwCJ0L5QNSjOuY/v8REODwIXamvvdZOz
+XBKSIzDOalJqFCHls3YlGyFw1knr6BAOmVOm32YtNTCLbVA/iK55fZWnUCjD3a4G
+xz4qpQYWfpxhOmlHpk5JkraSNHzCc7SB43DwcHF5ecXHttMhO8MoN/bAZBgCuLGF
+EwNvwFbDwIWo07mlv7wD8i1rtUCvLywJc5YL2PbjCLfB1Q4YzDX1EWnjKdnAsxxK
+ftrx1DFlxzUF+TaHbLTPttUcsWQaL8wITznoWIwdIWlo2woPgWIpUXMOYwYV31Oo
+fgmroHa3V4NOvkke09uhaZawg5yZCoRFohhfKPqT1ZrJ9SnRbW/WR3VTVY76ht5k
+RuV3eb2VWBmPU9zn56Tbe6dvFkBuzHH1JdECAqy1BzFcmQQFBebFzf1XAQARAQAB
+tEhMaWJyZU9mZmljZSBCdWlsZCBUZWFtIChDT0RFIFNJR05JTkcgS0VZKSA8YnVp
+bGRAZG9jdW1lbnRmb3VuZGF0aW9uLm9yZz6JAjcEEwEKACEFAkyzEr0CGwMFCwkI
+BwMFFQoJCAsFFgIDAQACHgECF4AACgkQ9DSh76/urqOc4w//X+74QlyRalcuLNw3
+oJKB1+1z6xxhhpwg1kw5cMMrGu0w0YoPvLDKaiS02DdkIaXDECcQTOoEh7/bYbZq
+6OtE1WyxqHYYOPK5yul5FRwZ5k5HZ7pDFcKCQ72UgWhz+QznRhgZ0jwEWl5Ln3rw
+JpSynIvTXHmQogId0xmcrNQPyckzzugGx4qZFinSOmDGwTgG14NU3vat2iek37Ph
+BLh5V8ohlEoccwwPejtKEWQudg0Q8K7uBuqLUhnJoZodEytqpOvtysuPtGxGXnmD
+7oXtBVEF3X6eFRXDIp81cx2isHK4Krf4z4T9KUimNLHjWRa+ZQtp2pZLHQlblfsn
+CUf6TYZ0Yi909EhcM/hxAgBZXellOCQ/8U2cJsTUyN5Dp1wbf6X0uK4uaed1/037
+EGLAO6PP6WQz6jWd1/hhsQ5oAmdjkzlMFEfKNeIIDuKMOjXcTvM8/KRXhufwICvS
+FBlSIveHfDFWCvOVgq0VjAY7NFMFKRUnRHB58qBamtyhOyscRIvT5QH8HYfUA/YN
+l9FguczYUIQi3t+H1hoHIywdtmRuhYx5WlIUe8FO9QD5RMPbBjVbkCYgdHdxgnJD
+KCoRGsoKlLB7UZc4Ak9j6plZbYtFRonm2MjU4zxblCFNuEqVQ0V/y6/OIGpBYF9Y
+aEAtTgEJd9OmmDCM3d8O0zZHYma5Ag0ETLMSvQEQAMDp0HxSDWd+2Od/aJutCMFe
+8tfw7+nP9gfHOCUqesb88QvRMJgVY6z1aNdMllxTKlsxUiuA6uNcrUAkzDp/qRWR
+58rWIO642PLifng3urJ1cDbSKC+K4RHpQC+hXllMKLqq8dwNy1LO4fPo9SdtUF4B
+ev6enKmo4yCiOGv2tvztPh9gMGYoDncaOsS0t2UPr2MMQIVUmmIzfJBkdOxbZiWO
+doeNbWsYJHQaO+Ahal6SjPHKzhdjeXhZzHl1vqeDkV4MXHprrOwXNXwPiEpkZe2O
+dc7yaMkQc0k8WRrfKHApbnwDx6Mi8HYaf+LvRq7P0eMO9osD1q44wQQvVzk199zp
+MMHS5/kAv7RBNmDOSJQIZ4zT4lzRDODjMf01Ljn02zon12GfJo0WbbpmLulta7uj
+HgMrUU54by8WPFGW0fljXiDX0EpkHhxUsUsfaNfBsFnE+sRxQjNF/ljvofkyApI2
+1OjtEa9krwvgDqaXsL+a2076OsoFpORlTZ30REb0eRS6rEt8M+7s4xTaA7GFxlY/
+N+bnaM8m+ItygfFHHW4H0wLbbgajDeooSTgaheVNF5V9HS0EkN4MNVvtJH7J6drd
+iR1QVhX87n7+JtQzTtCOyfeKjaB+kcbAm/2VOFOeHdig5+BygpXt3IixVq72xmGz
+h0jhY565MjXrqg5O3pvLABEBAAGJAh8EGAEKAAkFAkyzEr0CGwwACgkQ9DSh76/u
+rqPaeg//avI2/a94XlSYtSZb2hVdW3qa9AEypQurqtVrKJfEKFV+ZQBPXbPRy8Mz
+5LMEH1sfD6B4SVGIGJ8opSyieJkcKIke+GMekTWvSqDpFOgY2rw7eHNn/33ZJs3O
+zQOyWz8smE/AIM/5lyiVGuSlU7RjYncf1V9bIBc91q9Edqk4IYUo/7W+yafC0VW/
+8oHUFYjHNaujiOsEoLiXsh9Y0R/6Jxs6fvE4XbCANV/ecN5UX+9BBrNZNN/9GbNr
+6CYGZ57M2f1Pgywy/XvOnEPnJ8aWXUyGLqq34KvMPFPSOeAmFbkFEsB4mdDMFaDw
+rzziiZE/zS8/nKiH4X2JgmLgFsadEihdfYxeDcGbhREK/qA1f3bGnr1j05V07yko
+2FFZdiOr4OgiT5ymgwVUXQ2Aiz+J/C8URjfpcPxetmuDQT9AYfgmMKPNVXPFWuNQ
+dzN5GZbI+E1/cb5+uLNknvjngw2G4PR/4uPHX1HCSftlNawBqWzyun1k+B7/u3Oe
+FebWXcdqSmZuLQ7l0Pkuz/Nlp6M6cKpceL+9zCgaiR5+v9h94VvtXKd/mw9ZLACc
+VcOANiwCtsJP3lt7jRSHtkuUe6vUm5tLS582RfXxoI1BlPjNtG9xAQ3JKBHIXbal
+T18pAFO3t74cxg3h0iI1G51F3oL0DwILP2MBBmardVEp5CMnB/M=
+=1iQB
+-----END PGP PUBLIC KEY BLOCK-----

SPECS/libreoffice.spec

@@ -54,7 +54,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.2
-Release:        10%{?libo_prerelease}%{?dist}
+Release:        18%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/
 
@@ -279,6 +279,29 @@ Patch35: 0001-Correctly-read-PNG-into-bitmaps-N32BitTcA.-formats-w.patch
 Patch36: 0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch
 Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch
 Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch
+Patch39: 0001-CVE-2021-25636.patch
+Patch40: 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch
+Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch
+Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch
+Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch
+Patch44: 0001-CVE-2022-3140.patch
+Patch45: 0001-CVE-2022-38745.patch
+Patch46: 0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
+Patch47: 0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
+Patch48: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch
+Patch49: 0001-set-Referer-on-loading-IFrames.patch
+Patch50: 0002-put-floating-frames-under-managed-links-control.patch
+Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
+Patch52: 0001-disable-script-dump.patch
+Patch53: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
+Patch54: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
+Patch55: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
+Patch56: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
+Patch57: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
+Patch58: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
+Patch59: 0006-CVE-2023-6186-backporting.patch
+Patch60: 0001-CVE-2024-3044-add-notify-for-script-use.patch
+Patch61: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch
 
 %if 0%{?rhel}
 # not upstreamed
@@ -1037,7 +1060,11 @@ sed -i -e /CppunitTest_sal_osl/d sal/Module_sal.mk
 sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk
 sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk
 sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk
+sed -i -e /CppunitTest_sw_htmlexport/d sw/Module_sw.mk
 %endif
+# Broken with system nss. See also upstream commit ac519af951541b7313a4c98e1bee463bf47356be
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_ODT);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_DOCX);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
 
 git commit -q -a -m 'temporarily disable failing tests'
 
@@ -1129,7 +1156,13 @@ touch autogen.lastrun
 
 ulimit -c unlimited || true
 
-make verbose=true build-nocheck
+if ! make verbose=true build-nocheck; then
+    echo "build attempt 1 failed"
+    if ! make verbose=true build-nocheck; then
+        echo "build attempt 2 failed"
+        make verbose=true GMAKE_OPTIONS=-rj1 build-nocheck
+    fi
+fi
 
 #generate the icons and mime type stuff
 export DESTDIR=../output
@@ -2275,6 +2308,39 @@ done
 %{_includedir}/LibreOfficeKit
 
 %changelog
+* Thu Aug 15 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-18
+- Fix CVE-2024-6472 remove ability to trust not validated macro signatures in
+  high security
+
+* Fri Jun 07 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-17
+- Fix CVE-2024-3044 add notify for script use
+
+* Mon Mar 11 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-16
+- Fix CVE-2023-6185 escape url passed to gstreamer
+- Fix CVE-2023-6186 check link target protocols
+
+* Mon Jun 19 2023 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-15
+- Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula
+  Parsing
+- Resolves: rhbz#2210195 CVE-2023-2255 libreoffice: Remote documents loaded
+  without prompt via IFrame
+- Resolves: rhbz#2208509 CVE-2023-1183 libreoffice: Arbitrary File Write
+
+* Wed Apr 12 2023 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-14
+- Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path
+
+* Mon Nov 21 2022 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-13
+- Resolves: rhbz#2031681 Failure saving to smb share
+
+* Fri Oct 14 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-12
+- Resolves: rhbz#2118928 CVE-2022-26305 Untrusted Macros
+- Resolves: rhbz#2118924 CVE-2022-26307 Weak Master Keys
+- Resolves: rhbz#2118920 CVE-2022-26306 Static Initialization Vector
+- Resolves: rhbz#2134702 CVE-2022-3140 Macro URL arbitrary script execution
+
+* Mon Mar 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-11
+- Resolves: rhbz#2060559 CVE-2021-25636
+
 * Mon Feb 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-10
 - Related: rhbz#2029810  bump n-v-r