SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch

@@ -0,0 +1,69 @@
+From 6167f5815aefa78a70517c8e2acbdd7b9c9be27d Mon Sep 17 00:00:00 2001
+Message-ID: <6167f5815aefa78a70517c8e2acbdd7b9c9be27d.1703003067.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 14:20:07 +0000
+Subject: [PATCH] escape url passed to gstreamer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159583
+
+erAck: backported to 7.1.8.1
+
+---
+ avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-escape-url-passed-to-gstreamer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-escape-url-passed-to-gstreamer.patch"
+
+diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx
+index ece799d87530..25170a296e66 100644
+--- a/avmedia/source/gstreamer/gstframegrabber.cxx
++++ b/avmedia/source/gstreamer/gstframegrabber.cxx
+@@ -51,11 +51,9 @@ void FrameGrabber::disposePipeline()
+ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     FrameGrabber_BASE()
+ {
+-    gchar *pPipelineStr;
+-    pPipelineStr = g_strdup_printf(
+-        "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
+-        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
+-        OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
++    const char pPipelineStr[] =
++        "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
++        "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"";
+ 
+     GError *pError = nullptr;
+     mpPipeline = gst_parse_launch( pPipelineStr, &pError );
+@@ -66,6 +64,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) :
+     }
+ 
+     if( mpPipeline ) {
++
++        if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source"))
++            g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr);
++        else
++            g_warning("Missing 'source' element in gstreamer pipeline");
++
+         // pre-roll
+         switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
+         case GST_STATE_CHANGE_FAILURE:
+
+--------------erAck-patch-parts--
+
+

SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch

@@ -0,0 +1,93 @@
+From 37d73a1ab94b43e03866d5a910cb58331543b8c3 Mon Sep 17 00:00:00 2001
+Message-ID: <37d73a1ab94b43e03866d5a910cb58331543b8c3.1703086247.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:14:26 +0000
+Subject: [PATCH] add some protocols that don't make sense as floating frame
+ targets
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159582
+
+erAck: backported to 7.1.8.1
+
+---
+ include/tools/urlobj.hxx     | 5 +++++
+ sfx2/source/doc/iframe.cxx   | 5 ++++-
+ tools/source/fsys/urlobj.cxx | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch"
+
+diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx
+index 9d6820ddf241..dfd658722826 100644
+--- a/include/tools/urlobj.hxx
++++ b/include/tools/urlobj.hxx
+@@ -915,6 +915,11 @@ public:
+ 
+     void changeScheme(INetProtocol eTargetScheme);
+ 
++    // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot,
++    // vnd.sun.star.script, etc. All the types of URLs which shouldn't
++    // be accepted from an outside controlled source
++    bool IsExoticProtocol() const;
++
+ private:
+     // General Structure:
+ 
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 150218b436e9..b81ce82fd32e 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -168,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+         xTrans->parseStrict( aTargetURL );
+ 
+         INetURLObject aURLObject(aTargetURL.Complete);
+-        if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++        if (aURLObject.IsExoticProtocol())
++        {
++            //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);
+             return false;
++        }
+ 
+         uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+         SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 764bb28ef623..2a9f7bc3d7dc 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension()
+         ? aTheExtension : OUString();
+ }
+ 
++bool INetURLObject::IsExoticProtocol() const
++{
++    return m_eScheme == INetProtocol::Slot ||
++           m_eScheme == INetProtocol::Macro ||
++           m_eScheme == INetProtocol::Uno ||
++           isSchemeEqualTo(u"vnd.sun.star.script");
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+
+--------------erAck-patch-parts--
+
+

SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch

@@ -0,0 +1,29 @@
+From 3c25a1e4885a91b1a2fbfd873633f055caa50745 Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolan.mcnamara@collabora.com>
+Date: Wed, 27 Mar 2024 17:07:20 +0000
+Subject: [PATCH] add notify for script use
+
+Change-Id: I84af197cec7755f6803a578e1e21c03966ad5f3e
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165410
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit a4a5c6b63599bca1f084bb90875f6fd8e15184ac)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/167421
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+---
+
+diff --git a/xmloff/source/draw/eventimp.cxx b/xmloff/source/draw/eventimp.cxx
+index f9e10c1..fcc36f9 100644
+--- a/xmloff/source/draw/eventimp.cxx
++++ b/xmloff/source/draw/eventimp.cxx
+@@ -231,6 +231,9 @@
+ 
+     if( maData.mbValid )
+         maData.mbValid = !sEventName.isEmpty();
++
++    if (!maData.msMacroName.isEmpty())
++        rImp.NotifyMacroEventRead();
+ }
+ 
+ SvXMLImportContextRef SdXMLEventContext::CreateChildContext( sal_uInt16 nPrefix, const OUString& rLocalName, const Reference< XAttributeList>& xAttrList )

SOURCES/0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch

@@ -0,0 +1,81 @@
+From 4e997c62fd6edf6c3fe9e553cc92c77fd48f039c Mon Sep 17 00:00:00 2001
+Message-ID: <4e997c62fd6edf6c3fe9e553cc92c77fd48f039c.1723718921.git.erack@redhat.com>
+From: Sarper Akdemir <sarper.akdemir@allotropia.de>
+Date: Tue, 11 Jun 2024 12:39:36 +0200
+Subject: [PATCH] remove ability to trust not validated macro signatures in
+ high security
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Giving the user the option to determine if they should trust an
+invalid signature in HIGH macro security doesn't make sense.
+CommonName of the signature is the most prominent feature presented
+and the CommonName of a certificate can be easily forged for an
+invalid signature, tricking the user into accepting an invalid
+signature.
+
+in the HIGH macro security setting only show the pop-up to
+enable/disable signed macro if the certificate signature can be
+validated.
+
+cherry-picked without UI/String altering bits for 24-2
+
+Change-Id: Ia766fb701660160ee5dc9f6e077f4012a44ce721
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168667
+Tested-by: Jenkins
+Reviewed-by: Sarper Akdemir <sarper.akdemir@allotropia.de>
+(cherry picked from commit 2beaa3be3829303e948d401f492dbfd239d60aad)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169525
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171306
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171314
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171315
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171317
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171323
+---
+ sfx2/source/doc/docmacromode.cxx | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-remove-ability-to-trust-not-validated-macro-signatur.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-remove-ability-to-trust-not-validated-macro-signatur.patch"
+
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 8a617b1785c6..997a8f739395 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -229,14 +229,18 @@ namespace sfx2
+             // check whether the document is signed with trusted certificate
+             if ( nMacroExecutionMode != MacroExecMode::FROM_LIST )
+             {
++                SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState();
++
+                 // the trusted macro check will also retrieve the signature state ( small optimization )
+                 const SvtSecurityOptions aSecOption;
+                 const bool bAllowUIToAddAuthor = nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_NO_WARN
+                                                  && (nMacroExecutionMode == MacroExecMode::ALWAYS_EXECUTE
+-                                                     || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors));
++                                                     || !aSecOption.IsReadOnly(SvtSecurityOptions::EOption::MacroTrustedAuthors))
++                                                 && (nMacroExecutionMode != MacroExecMode::FROM_LIST_AND_SIGNED_WARN
++                                                     || nSignatureState == SignatureState::OK);
++
+                 const bool bHasTrustedMacroSignature = m_xData->m_rDocumentAccess.hasTrustedScriptingSignature(bAllowUIToAddAuthor);
+ 
+-                SignatureState nSignatureState = m_xData->m_rDocumentAccess.getScriptingSignatureState();
+                 if ( nSignatureState == SignatureState::BROKEN )
+                 {
+                     if (!bAllowUIToAddAuthor)
+
+--------------erAck-patch-parts--
+
+

SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch

@@ -0,0 +1,87 @@
+From 99b453dfac5ed44a02c6e1a51b871ee50709a405 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Sat, 4 Nov 2023 19:57:51 +0000
+Subject: [PATCH] warn about exotic protocols as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ sw/source/filter/html/htmlplug.cxx | 2 +-
+ sw/source/filter/xml/xmltexti.cxx  | 2 +-
+ tools/source/fsys/urlobj.cxx       | 3 ++-
+ xmloff/source/draw/ximpshap.cxx    | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index eb70704..112975f 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1089,7 +1089,7 @@ void SwHTMLParser::InsertFloatingFrame()
+ 
+                 OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index 72a14b9..e015575 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -856,7 +856,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+                 OUString sHRef = URIHelper::SmartRel2Abs(
+                             INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+ 
+-                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(sHRef).IsExoticProtocol())
+                     GetXMLImport().NotifyMacroEventRead();
+ 
+                 xSet->setPropertyValue("FrameURL",
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index ab6e885..1ef2b7e 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4776,7 +4776,8 @@ bool INetURLObject::IsExoticProtocol() const
+     return m_eScheme == INetProtocol::Slot ||
+            m_eScheme == INetProtocol::Macro ||
+            m_eScheme == INetProtocol::Uno ||
+-           isSchemeEqualTo(u"vnd.sun.star.script");
++           isSchemeEqualTo(u"vnd.sun.star.script") ||
++           isSchemeEqualTo(u"service");
+ }
+ 
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index bd5f30a..b58da79 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3269,7 +3269,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+ 
+             if( !maHref.isEmpty() )
+             {
+-                if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++                if (INetURLObject(maHref).IsExoticProtocol())
+                     GetImport().NotifyMacroEventRead();
+ 
+                 xProps->setPropertyValue("FrameURL", Any(maHref) );
+-- 
+2.43.0
+

SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch

@@ -0,0 +1,225 @@
+From ae89e7b8ae1e781c1a9d8ca2c5d4aeca656932f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Fri, 3 Nov 2023 17:26:25 +0000
+Subject: [PATCH] default to ignoring libreoffice special-purpose protocols in
+ calc hyperlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911
+Tested-by: Jenkins
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159882
+Tested-by: Miklos Vajna <vmiklos@collabora.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159912
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+
+erAck: backported to 6.4.7.2
+
+---
+ dbaccess/source/core/dataaccess/ModelImpl.cxx |  3 +-
+ include/sfx2/docmacromode.hxx                 |  5 ++-
+ include/sfx2/objsh.hxx                        |  3 ++
+ sc/source/core/data/global.cxx                | 33 ++++++++++++++++++-
+ sfx2/source/doc/docmacromode.cxx              |  8 +++--
+ sfx2/source/doc/objmisc.cxx                   |  8 ++++-
+ sfx2/source/doc/objxtor.cxx                   |  1 +
+ sfx2/source/inc/objshimp.hxx                  |  3 +-
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+index 1f11f36..ce4dbae 100644
+--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx
++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+@@ -1140,7 +1140,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading()
+ {
+     Reference< XInteractionHandler > xInteraction;
+     xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction );
+-    return m_aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = m_aMacroMode.hasMacros();
++    return m_aMacroMode.checkMacrosOnLoading(xInteraction, bHasMacros);
+ }
+ 
+ void ODatabaseModelImpl::resetMacroExecutionMode()
+diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx
+index a15bbbe..98b7d3a 100644
+--- a/include/sfx2/docmacromode.hxx
++++ b/include/sfx2/docmacromode.hxx
+@@ -260,6 +260,8 @@ namespace sfx2
+         */
+         static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage );
+ 
++        bool hasMacros() const;
++
+         static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainter );
+         /** checks the macro execution mode while loading the document.
+ 
+@@ -286,7 +288,8 @@ namespace sfx2
+         */
+         bool
+                 checkMacrosOnLoading(
+-                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction
++                    const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction,
++                    bool bHasMacros
+                 );
+ 
+     private:
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index 2a56ebe..43df460 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -418,6 +418,9 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    bool                        GetHadCheckedMacrosOnLoad() const;
++
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+ 
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 050fd82..92d50c4 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -26,7 +26,9 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
++#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
++#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -789,7 +791,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ 
+     OUString aUrlName( rURL );
+     SfxViewFrame* pFrame = nullptr;
+-    const SfxObjectShell* pObjShell = nullptr;
++    SfxObjectShell* pObjShell = nullptr;
+     OUString aReferName;
+     if ( pScActiveViewShell )
+     {
+@@ -823,6 +825,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
++    if (INetURLObject(aUrlName).IsExoticProtocol())
++    {
++        // Default to ignoring exotic protocols
++        bool bAllow = false;
++        if (pObjShell)
++        {
++            // If the document had macros when loaded then follow the allowed macro-mode
++            if (pObjShell->GetHadCheckedMacrosOnLoad())
++                bAllow = pObjShell->AdjustMacroMode();
++            else // otherwise ask the user, defaulting to cancel
++            {
++                assert(pFrame && "if we have pObjShell we have pFrame");
++                //Reuse URITools::onOpenURI warning string
++                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
++                                                               VclMessageType::Warning, VclButtonsType::YesNo,
++                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
++                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
++                xQueryBox->set_default_response(RET_NO);
++                bAllow = xQueryBox->run() == RET_YES;
++            }
++        }
++        if (!bAllow)
++        {
++            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
++            return;
++        }
++    }
++
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+     if ( nScClickMouseModifier & KEY_SHIFT )     // control-click -> into new window
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 492bd0a..7f1fb2b 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -391,8 +391,12 @@ namespace sfx2
+         return bHasMacros;
+     }
+ 
++    bool DocumentMacroMode::hasMacros() const
++    {
++        return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading();
++    }
+ 
+-    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction )
++    bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasMacros )
+     {
+         bool bAllow = false;
+         if ( SvtSecurityOptions().IsMacroDisabled() )
+@@ -402,7 +406,7 @@ namespace sfx2
+         }
+         else
+         {
+-            if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading())
++            if (bHasMacros)
+             {
+                 bAllow = adjustMacroMode( rxInteraction );
+             }
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index 6819404..fac75dd 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -953,9 +953,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl()
+     CheckEncryption_Impl( xInteraction );
+ 
+     // check macro security
+-    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction );
++    const bool bHasMacros = pImpl->aMacroMode.hasMacros();
++    pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasMacros );
++    pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros;
+ }
+ 
++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
++{
++    return pImpl->m_bHadCheckedMacrosOnLoad;
++}
+ 
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx
+index 510c35d..a707bb7 100644
+--- a/sfx2/source/doc/objxtor.cxx
++++ b/sfx2/source/doc/objxtor.cxx
+@@ -237,6 +237,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell )
+     ,m_bAllowShareControlFileClean( true )
+     ,m_bConfigOptionsChecked( false )
+     ,m_bMacroCallsSeenWhileLoading( false )
++    ,m_bHadCheckedMacrosOnLoad( false )
+     ,lErr(ERRCODE_NONE)
+     ,nEventId ( SfxEventHintId::NONE )
+     ,nLoadedFlags ( SfxLoadedFlags::ALL )
+diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx
+index 3d7b0b6..4afdd70 100644
+--- a/sfx2/source/inc/objshimp.hxx
++++ b/sfx2/source/inc/objshimp.hxx
+@@ -91,7 +91,8 @@ struct SfxObjectShell_Impl : public ::sfx2::IMacroDocumentAccess
+                         m_bSharedXMLFlag:1, // whether the document should be edited in shared mode
+                         m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file
+                         m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed.
+-                        m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed.
++                        m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document.
++                        m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded
+ 
+     IndexBitSet         aBitSet;
+     ErrCode             lErr;
+-- 
+2.43.0
+

SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch

@@ -0,0 +1,281 @@
+From 6a69b533227ae22d97824317f14dfa6991959101 Mon Sep 17 00:00:00 2001
+Message-ID: <6a69b533227ae22d97824317f14dfa6991959101.1703086328.git.erack@redhat.com>
+In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 15 Nov 2023 11:39:24 +0000
+Subject: [PATCH 3/4] reuse AllowedLinkProtocolFromDocument in writer
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+reorg calc hyperlink check to reuse elsewhere
+
+Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75)
+
+reuse AllowedLinkProtocolFromDocument in writer
+
+Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d)
+
+combine these hyperlink dispatchers into one call
+
+Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb)
+
+we can have just one LoadURL for writer
+
+Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159913
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Eike Rathke <erack@redhat.com>
+---
+ include/sfx2/objsh.hxx               |  7 +++--
+ sc/source/core/data/global.cxx       | 32 ++---------------------
+ sfx2/source/doc/objmisc.cxx          | 27 ++++++++++++++++++++
+ sw/source/uibase/shells/drwtxtex.cxx |  8 ++----
+ sw/source/uibase/wrtsh/wrtsh2.cxx    | 38 ++++++++++++++++++----------
+ 5 files changed, 60 insertions(+), 52 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch"
+
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index fde0dba3d7c9..79f22c978dcb 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -200,6 +200,9 @@ private:
+ 
+     SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet );
+ 
++    // true if the document had macros (or similar) on load to trigger warning user
++    SAL_DLLPRIVATE bool  GetHadCheckedMacrosOnLoad() const;
++
+ protected:
+                                 SfxObjectShell(SfxObjectCreateMode);
+                                 SfxObjectShell(SfxModelFlags);    // see sfxmodelfactory.hxx
+@@ -427,8 +430,8 @@ public:
+     void                        SetMacroCallsSeenWhileLoading();
+     bool                        GetMacroCallsSeenWhileLoading() const;
+ 
+-    // true if the document had macros (or similar) on load to trigger warning user
+-    bool                        GetHadCheckedMacrosOnLoad() const;
++    // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc
++    static bool                 AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent);
+ 
+     const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+     bool                        SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 92caea1ea459..27c5a51a46c1 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -29,9 +29,7 @@
+ #include <sfx2/docfile.hxx>
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/objsh.hxx>
+-#include <sfx2/sfxresid.hxx>
+ #include <sfx2/sfxsids.hrc>
+-#include <sfx2/strings.hrc>
+ #include <sfx2/viewfrm.hxx>
+ #include <sfx2/viewsh.hxx>
+ #include <svl/intitem.hxx>
+@@ -856,34 +854,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (INetURLObject(aUrlName).IsExoticProtocol())
+-    {
+-        // Default to ignoring exotic protocols
+-        bool bAllow = false;
+-        if (pObjShell)
+-        {
+-            // If the document had macros when loaded then follow the allowed macro-mode
+-            if (pObjShell->GetHadCheckedMacrosOnLoad())
+-                bAllow = pObjShell->AdjustMacroMode();
+-            else // otherwise ask the user, defaulting to cancel
+-            {
+-                assert(pFrame && "if we have pObjShell we have pFrame");
+-                //Reuse URITools::onOpenURI warning string
+-                std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
+-                                                               VclMessageType::Warning, VclButtonsType::YesNo,
+-                                                               SfxResId(STR_DANGEROUS_TO_OPEN)));
+-                xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
+-                    INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
+-                xQueryBox->set_default_response(RET_NO);
+-                bAllow = xQueryBox->run() == RET_YES;
+-            }
+-        }
+-        if (!bAllow)
+-        {
+-            SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
+-            return;
+-        }
+-    }
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++        return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+     SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index ddf95eeafe5e..8c76c3f0f4d6 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -962,6 +962,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
+     return pImpl->m_bHadCheckedMacrosOnLoad;
+ }
+ 
++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent)
++{
++    if (!INetURLObject(rUrl).IsExoticProtocol())
++        return true;
++    // Default to ignoring exotic protocols
++    bool bAllow = false;
++    if (pObjShell)
++    {
++        // If the document had macros when loaded then follow the allowed macro-mode
++        if (pObjShell->GetHadCheckedMacrosOnLoad())
++            bAllow = pObjShell->AdjustMacroMode();
++        else // otherwise ask the user, defaulting to cancel
++        {
++            //Reuse URITools::onOpenURI warning string
++            std::unique_ptr<weld::MessageDialog> xQueryBox(Application::CreateMessageDialog(pDialogParent,
++                                                           VclMessageType::Warning, VclButtonsType::YesNo,
++                                                           SfxResId(STR_DANGEROUS_TO_OPEN)));
++            xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++                INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous)));
++            xQueryBox->set_default_response(RET_NO);
++            bAllow = xQueryBox->run() == RET_YES;
++        }
++    }
++    SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl);
++    return bAllow;
++}
++
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+     OUString aVersion;
+diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx
+index c84ee7bd9af4..c51f501841ad 100644
+--- a/sw/source/uibase/shells/drwtxtex.cxx
++++ b/sw/source/uibase/shells/drwtxtex.cxx
+@@ -533,12 +533,8 @@ void SwDrawTextShell::Execute( SfxRequest &rReq )
+             const SvxFieldData* pField = pOLV->GetFieldAtCursor();
+             if (const SvxURLField* pURLField = dynamic_cast<const SvxURLField*>(pField))
+             {
+-                SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL());
+-                SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame());
+-                SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false);
+-                SfxBoolItem aBrowsing(SID_BROWSE, true);
+-                GetView().GetViewFrame()->GetDispatcher()->ExecuteList(
+-                    SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing });
++                ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE,
++                          pURLField->GetTargetFrame());
+             }
+         }
+         break;
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 1995e7133c4a..d781823e82ec 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter )
+     return bRet;
+ }
+ 
+-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+-              const OUString& rTargetFrameName )
++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
++                    const OUString& rTargetFrameName)
+ {
+-    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
+-    if( rURL.isEmpty() )
+-        return ;
++    SwDocShell* pDShell = rView.GetDocShell();
++    OSL_ENSURE( pDShell, "No DocShell?!");
++    SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    // The shell could be 0 also!!!!!
+-    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+     // unless we are jumping to a TOC mark.
+     if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#"))
+     {
+-        rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
++        rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
+         return;
+     }
+ 
+-    //A CursorShell is always a WrtShell
+-    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
+-
+-    SwDocShell* pDShell = rSh.GetView().GetDocShell();
+-    OSL_ENSURE( pDShell, "No DocShell?!");
+     OUString sTargetFrame(rTargetFrameName);
+     if (sTargetFrame.isEmpty() && pDShell)
+     {
+@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+     OUString sReferer;
+     if( pDShell && pDShell->GetMedium() )
+         sReferer = pDShell->GetMedium()->GetName();
+-    SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame();
+     SfxFrameItem aView( SID_DOCFRAME, pViewFrame );
+     SfxStringItem aName( SID_FILE_NAME, rURL );
+     SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame );
+@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+             SfxCallMode::ASYNCHRON|SfxCallMode::RECORD );
+ }
+ 
++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
++              const OUString& rTargetFrameName )
++{
++    OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
++    if( rURL.isEmpty() )
++        return ;
++
++    // The shell could be 0 also!!!!!
++    if ( dynamic_cast<const SwCursorShell*>( &rVSh) ==  nullptr )
++        return;
++
++    //A CursorShell is always a WrtShell
++    SwWrtShell &rSh = static_cast<SwWrtShell&>(rVSh);
++
++    ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName);
++}
++
+ void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk,
+                                     const sal_uInt16 nAction )
+ {
+
+--------------erAck-patch-parts--
+
+

SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch

@@ -0,0 +1,87 @@
+From 62ba88176c10469588e4bbb73cbf33889df08dbc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
+Date: Wed, 22 Nov 2023 21:14:41 +0000
+Subject: [PATCH] reuse AllowedLinkProtocolFromDocument in impress/draw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Signed-off-by: Xisco Fauli <xiscofauli@libreoffice.org>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159914
+Reviewed-by: Eike Rathke <erack@redhat.com>
+
+erAck: backported to 6.4.7.2
+
+---
+ sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx
+index 3d84ddb..8d42653 100644
+--- a/sd/source/ui/app/sdmod1.cxx
++++ b/sd/source/ui/app/sdmod1.cxx
+@@ -32,6 +32,7 @@
+ #include <sfx2/dispatch.hxx>
+ #include <sfx2/request.hxx>
+ #include <sfx2/templatedlg.hxx>
++#include <svl/stritem.hxx>
+ #include <editeng/eeitem.hxx>
+ 
+ #include <svx/svxids.hrc>
+@@ -193,26 +194,32 @@ void SdModule::Execute(SfxRequest& rReq)
+         {
+             bool bIntercept = false;
+             ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() );
+-            if (pDocShell)
++            ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr;
++            if (pViewShell)
+             {
+-                ::sd::ViewShell* pViewShell = pDocShell->GetViewShell();
+-                if (pViewShell)
++                if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
+                 {
+-                    if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
++                    // Prevent documents from opening while the slide
++                    // show is running, except when this request comes
++                    // from a shape interaction.
++                    if (rReq.GetArgs() == nullptr)
+                     {
+-                        // Prevent documents from opening while the slide
+-                        // show is running, except when this request comes
+-                        // from a shape interaction.
+-                        if (rReq.GetArgs() == nullptr)
+-                        {
+-                            bIntercept = true;
+-                        }
++                        bIntercept = true;
+                     }
+                 }
+             }
+ 
+             if (!bIntercept)
+             {
++                if (const SfxStringItem* pURLItem = rReq.GetArg<SfxStringItem>(SID_FILE_NAME))
++                {
++                    if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(),
++                                                                                        pViewShell->GetObjectShell(),
++                                                                                        pViewShell->GetFrameWeld()))
++                    {
++                        return;
++                    }
++                }
+                 SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface());
+             }
+             else
+-- 
+2.43.0
+

SOURCES/0006-CVE-2023-6186-backporting.patch

@@ -0,0 +1,65 @@
+From a255a9c69d35df27e92349ea5bb9cb8d6c46d97f Mon Sep 17 00:00:00 2001
+From: rpmbuild <rpmbuild@fedoraproject.org>
+Date: Fri, 8 Mar 2024 17:51:24 +0100
+Subject: [PATCH] CVE-2023-6186 backporting
+
+Add dialog text string STR_DANGEROUS_TO_OPEN
+as per upstream commit 70009098fd70df021048c540d1796c928554b494
+
+SfxViewFrame doesn't have GetFrameWeld() yet, get from Window.
+---
+ include/sfx2/strings.hrc          | 1 +
+ sc/source/core/data/global.cxx    | 4 +++-
+ sw/source/uibase/wrtsh/wrtsh2.cxx | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 1db36e7..29950ba 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -103,6 +103,7 @@
+ #define STR_GB                                  NC_("STR_GB", "GB")
+ #define STR_QUERY_LASTVERSION                   NC_("STR_QUERY_LASTVERSION", "Cancel all changes?")
+ #define STR_NO_WEBBROWSER_FOUND                 NC_("STR_NO_WEBBROWSER_FOUND", "Opening \"$(ARG1)\" failed with error code $(ARG2) and message: \"$(ARG3)\"\nMaybe no web browser could be found on your system. In that case, please check your Desktop Preferences or install a web browser (for example, Firefox) in the default location requested during the browser installation.")
++#define STR_DANGEROUS_TO_OPEN                   NC_("STR_DANGEROUS_TO_OPEN", "It might be dangerous to open \"$(ARG1)\".\nDo you really want to open it?")
+ #define STR_NO_ABS_URI_REF                      NC_("STR_NO_ABS_URI_REF", "\"$(ARG1)\" is not an absolute URL that can be passed to an external application to open it.")
+ #define STR_GID_INTERN                          NC_("STR_GID_INTERN", "Internal")
+ #define STR_GID_APPLICATION                     NC_("STR_GID_APPLICATION", "Application")
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index b16be6b..3295a38 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -37,6 +37,8 @@
+ #include <vcl/virdev.hxx>
+ #include <vcl/settings.hxx>
+ #include <vcl/svapp.hxx>
++#include <vcl/weld.hxx>
++#include <vcl/window.hxx>
+ #include <unotools/charclass.hxx>
+ #include <unotools/securityoptions.hxx>
+ #include <osl/diagnose.h>
+@@ -823,7 +825,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+             aUrlName = aNewUrlName;
+     }
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetWindow().GetFrameWeld() : nullptr))
+         return;
+ 
+     SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index 41f427a..543644d 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -495,7 +495,7 @@ static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
+     OSL_ENSURE( pDShell, "No DocShell?!");
+     SfxViewFrame* pViewFrame = rView.GetViewFrame();
+ 
+-    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
++    if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetWindow().GetFrameWeld()))
+         return;
+ 
+     // We are doing tiledRendering, let the client handles the URL loading,
+-- 
+2.43.0
+

SPECS/libreoffice.spec

@@ -54,7 +54,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.2
-Release:        15%{?libo_prerelease}%{?dist}
+Release:        18%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/
 
@@ -293,6 +293,15 @@ Patch49: 0001-set-Referer-on-loading-IFrames.patch
 Patch50: 0002-put-floating-frames-under-managed-links-control.patch
 Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
 Patch52: 0001-disable-script-dump.patch
+Patch53: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
+Patch54: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
+Patch55: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
+Patch56: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
+Patch57: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
+Patch58: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
+Patch59: 0006-CVE-2023-6186-backporting.patch
+Patch60: 0001-CVE-2024-3044-add-notify-for-script-use.patch
+Patch61: 0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch
 
 %if 0%{?rhel}
 # not upstreamed
@@ -1051,7 +1060,11 @@ sed -i -e /CppunitTest_sal_osl/d sal/Module_sal.mk
 sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk
 sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk
 sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk
+sed -i -e /CppunitTest_sw_htmlexport/d sw/Module_sw.mk
 %endif
+# Broken with system nss. See also upstream commit ac519af951541b7313a4c98e1bee463bf47356be
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_ODT);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
+sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_DOCX);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx
 
 git commit -q -a -m 'temporarily disable failing tests'
 
@@ -2295,6 +2308,17 @@ done
 %{_includedir}/LibreOfficeKit
 
 %changelog
+* Thu Aug 15 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-18
+- Fix CVE-2024-6472 remove ability to trust not validated macro signatures in
+  high security
+
+* Fri Jun 07 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-17
+- Fix CVE-2024-3044 add notify for script use
+
+* Mon Mar 11 2024 Eike Rathke <erack@redhat.com> - 1:6.4.7.2-16
+- Fix CVE-2023-6185 escape url passed to gstreamer
+- Fix CVE-2023-6186 check link target protocols
+
 * Mon Jun 19 2023 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-15
 - Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula
   Parsing