.gitignore

@@ -4,5 +4,12 @@ SOURCES/884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens__
 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 SOURCES/libreoffice-6.4.7.2.tar.xz
+SOURCES/libreoffice-base-symbolic.svg
+SOURCES/libreoffice-calc-symbolic.svg
+SOURCES/libreoffice-draw-symbolic.svg
 SOURCES/libreoffice-help-6.4.7.2.tar.xz
+SOURCES/libreoffice-impress-symbolic.svg
+SOURCES/libreoffice-main-symbolic.svg
+SOURCES/libreoffice-math-symbolic.svg
 SOURCES/libreoffice-translations-6.4.7.2.tar.xz
+SOURCES/libreoffice-writer-symbolic.svg

.libreoffice.metadata

@@ -4,5 +4,12 @@ d336802a36ed2c87dd243e7c2f1d0542dace5cca SOURCES/884ed41809687c3e168fc7c19b16585
 2d49e11b0b711970f494294dc3698f05eb294853 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
 7b5fd93d787fbc6d9c2d4025d543730ee8dc4559 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 b29d8cdb3db8d6b317e1cb9117b020d7e676e601 SOURCES/libreoffice-6.4.7.2.tar.xz
+54fc749ba924f9ca4e0391caaf579ab344302038 SOURCES/libreoffice-base-symbolic.svg
+9de544172d736d59589767000c1f657034a5d53d SOURCES/libreoffice-calc-symbolic.svg
+0f6dc4726da0920869354fbe4b2924f9ac569b4a SOURCES/libreoffice-draw-symbolic.svg
 ca7e087ef62f30c033db84ceb0f6a4021f53653e SOURCES/libreoffice-help-6.4.7.2.tar.xz
+8c74dd667c660cc643c4d715dd50491ba92146d5 SOURCES/libreoffice-impress-symbolic.svg
+c77acd04a7647b09745f9424ab0f65d52dfcd397 SOURCES/libreoffice-main-symbolic.svg
+3857a55644148eb25ed1a594bd00d1262761fb39 SOURCES/libreoffice-math-symbolic.svg
 0f74fd6286e71ff2b7c7bc01f41c8972e354d81c SOURCES/libreoffice-translations-6.4.7.2.tar.xz
+d4f0674ad46a832120db956cc01a27fdc2060458 SOURCES/libreoffice-writer-symbolic.svg

SOURCES/0001-CVE-2021-25636.patch

@@ -0,0 +1,69 @@
+From ae1bd20a2d4d7b7d64edc3b06d7f901c05175b7d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 20 Dec 2021 17:05:44 +0000
+Subject: [PATCH] only use X509Data
+
+Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178
+Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
+(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139)
+---
+ .../source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx      | 6 ++++++
+ xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx      | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+index db400e6..39f9d7f 100644
+--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
++++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+@@ -21,6 +21,8 @@
+ #include <sal/log.hxx>
+ #include <rtl/uuid.h>
+ 
++#include <xmlsec/mscng/x509.h>
++
+ #include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
+ #include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+ 
+@@ -229,6 +231,10 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
+     // We do certificate verification ourselves.
+     pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++    // limit possible key data to valid X509 certificates only, no KeyValues
++    if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecMSCngKeyDataX509GetKlass()) < 0)
++        throw RuntimeException("failed to limit allowed key data");
++
+     //Verify signature
+     //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0)
+     //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if
+diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+index 827580b..8f4d6f8 100644
+--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
++++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+@@ -19,6 +19,8 @@
+ 
+ #include <sal/config.h>
+ 
++#include <xmlsec/nss/x509.h>
++
+ #include <xmlelementwrapper_xmlsecimpl.hxx>
+ #include <xmlsec/xmlstreamio.hxx>
+ #include <xmlsec/errorcallback.hxx>
+@@ -243,6 +245,10 @@ SAL_CALL XMLSignature_NssImpl::validate(
+         // We do certificate verification ourselves.
+         pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++        // limit possible key data to valid X509 certificates only, no KeyValues
++        if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0)
++            throw RuntimeException("failed to limit allowed key data");
++
+         //Verify signature
+         int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode );
+ 
+-- 
+2.33.1
+

SOURCES/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch

@@ -0,0 +1,63 @@
+From 77f30ada1156ca1e1357776fea8e9dc113f6898d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 3 Mar 2022 14:22:37 +0000
+Subject: [PATCH 1/4] CVE-2022-26305 compare authors using Thumbprint
+
+Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8)
+---
+ .../component/documentdigitalsignatures.cxx   | 23 +++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+index b9066ea92cac..5a21c8421bec 100644
+--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
++++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+@@ -19,9 +19,10 @@
+ 
+ #include <resourcemanager.hxx>
+ 
+-#include <digitalsignaturesdialog.hxx>
++#include <certificate.hxx>
+ #include <certificatechooser.hxx>
+ #include <certificateviewer.hxx>
++#include <digitalsignaturesdialog.hxx>
+ #include <macrosecurity.hxx>
+ #include <biginteger.hxx>
+ #include <strings.hrc>
+@@ -666,9 +667,23 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
+     Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors();
+ 
+     return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(),
+-        [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
+-            return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName())
+-                && ( rAuthor[1] == sSerialNum );
++        [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
++            if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()))
++                return false;
++            if (rAuthor[1] != sSerialNum)
++                return false;
++
++            DocumentSignatureManager aSignatureManager(mxCtx, {});
++            if (!aSignatureManager.init())
++                return false;
++            uno::Reference<css::security::XCertificate> xCert = aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]);
++
++            auto pAuthor = dynamic_cast<xmlsecurity::Certificate*>(xAuthor.get());
++            auto pCert = dynamic_cast<xmlsecurity::Certificate*>(xCert.get());
++            if (pAuthor && pCert)
++                return pCert->getSHA256Thumbprint() == pAuthor->getSHA256Thumbprint();
++
++            return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint();
+         });
+ }
+ 
+-- 
+2.37.1
+

SOURCES/0001-CVE-2022-3140.patch

@@ -0,0 +1,279 @@
+From 3831e68bffc233f581e3eb1cb3c7ed925daab86f Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Tue, 30 Aug 2022 14:04:52 +0200
+Subject: [PATCH] Filter out unwanted command URIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b)
+Conflicts:
+	desktop/source/app/cmdlineargs.cxx
+
+Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c)
+
+These commands are always URLs already
+
+Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042
+Tested-by: Jean-Pierre Ledure <jp@ledure.be>
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0)
+
+check IFrame "FrameURL" target
+
+similiar to
+
+commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627
+Date:   Wed Aug 7 17:37:11 2019 +0100
+
+    warn on load when a document binds an event to a macro
+
+Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+(cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d)
+
+check impress/calc IFrame "FrameURL" target
+
+similar to
+
+commit c7450d0b9d02c64ae3da467d329040787039767e
+Date:   Tue Aug 30 17:01:08 2022 +0100
+
+    check IFrame "FrameURL" target
+
+Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec)
+---
+ desktop/source/app/cmdlineargs.cxx   | 10 +++++++++-
+ sfx2/source/appl/macroloader.cxx     |  9 +++++++--
+ sfx2/source/doc/iframe.cxx           | 21 ++++++++++++++++-----
+ sfx2/source/inc/macroloader.hxx      |  2 ++
+ sw/source/filter/html/htmlplug.cxx   |  7 ++++++-
+ sw/source/filter/xml/xmltexti.cxx    |  9 +++++++--
+ wizards/source/access2base/DoCmd.xba |  2 +-
+ xmloff/source/draw/ximpshap.cxx      |  4 ++++
+ 8 files changed, 52 insertions(+), 12 deletions(-)
+
+diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
+index 381147c..5babfbe 100644
+--- a/desktop/source/app/cmdlineargs.cxx
++++ b/desktop/source/app/cmdlineargs.cxx
+@@ -27,6 +27,7 @@
+ 
+ #include "cmdlineargs.hxx"
+ #include <tools/stream.hxx>
++#include <tools/urlobj.hxx>
+ #include <vcl/svapp.hxx>
+ #include <rtl/uri.hxx>
+ #include <rtl/ustring.hxx>
+@@ -169,7 +170,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
+     }
+     if (nURIlen < 0)
+         nURIlen = rest2.getLength();
+-    arg = rest2.copy(0, nURIlen);
++    auto const uri = rest2.copy(0, nURIlen);
++    if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
++        // Let the "Open" machinery process the full command URI (leading to failure, by intention,
++        // as the "Open" machinery does not know about those command URI schemes):
++        curEvt = CommandLineEvent::Open;
++    } else {
++        arg = uri;
++    }
+     return curEvt;
+ }
+ 
+diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx
+index 98e036e..b50d1e6 100644
+--- a/sfx2/source/appl/macroloader.cxx
++++ b/sfx2/source/appl/macroloader.cxx
+@@ -76,10 +76,10 @@ css::uno::Sequence<OUString> SAL_CALL SfxMacroLoader::getSupportedServiceNames()
+     return aSeq;
+ }
+ 
+-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
++SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference <XFrame>& xFrame)
+ {
+     SfxObjectShell* pDocShell = nullptr;
+-    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
++
+     if ( xFrame.is() )
+     {
+         SfxFrame* pFrame=nullptr;
+@@ -96,6 +96,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+     return pDocShell;
+ }
+ 
++SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
++{
++    Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
++    return SfxMacroLoader::GetObjectShell(xFrame);
++}
+ 
+ uno::Reference<frame::XDispatch> SAL_CALL SfxMacroLoader::queryDispatch(
+     const util::URL&   aURL            ,
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 8b12715..b5291b2 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -39,11 +39,13 @@
+ #include <svl/ownlist.hxx>
+ #include <svl/itemprop.hxx>
+ #include <sfx2/frmdescr.hxx>
++#include <sfx2/objsh.hxx>
+ #include <sfx2/sfxdlg.hxx>
+ #include <sfx2/sfxsids.hrc>
+ #include <toolkit/helper/vclunohelper.hxx>
+ #include <vcl/window.hxx>
+ #include <tools/debug.hxx>
++#include <macroloader.hxx>
+ 
+ using namespace ::com::sun::star;
+ 
+@@ -159,6 +161,19 @@ sal_Bool SAL_CALL IFrameObject::load(
+ {
+     if ( SvtMiscOptions().IsPluginsEnabled() )
+     {
++        util::URL aTargetURL;
++        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
++        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
++        xTrans->parseStrict( aTargetURL );
++
++        if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
++        {
++            uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
++            SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
++            if (pDoc && !pDoc->AdjustMacroMode())
++                return false;
++        }
++
+         DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
+         VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
+         VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
+@@ -181,16 +196,12 @@ sal_Bool SAL_CALL IFrameObject::load(
+         if ( xFramesSupplier.is() )
+             mxFrame->setCreator( xFramesSupplier );
+ 
+-        util::URL aTargetURL;
+-        aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+-        uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+-        xTrans->parseStrict( aTargetURL );
+-
+         uno::Sequence < beans::PropertyValue > aProps(2);
+         aProps[0].Name = "PluginMode";
+         aProps[0].Value <<= sal_Int16(2);
+         aProps[1].Name = "ReadOnly";
+         aProps[1].Value <<= true;
++
+         uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
+         if ( xDisp.is() )
+             xDisp->dispatch( aTargetURL, aProps );
+diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx
+index 9e1dfba..b3e7a5e 100644
+--- a/sfx2/source/inc/macroloader.hxx
++++ b/sfx2/source/inc/macroloader.hxx
+@@ -82,6 +82,8 @@ public:
+     virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
+ 
+     virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
++
++    static SfxObjectShell* GetObjectShell(const css::uno::Reference<css::frame::XFrame>& xFrame);
+ };
+ 
+ #endif
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index a0da671..eb70704 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1087,7 +1087,12 @@ void SwHTMLParser::InsertFloatingFrame()
+                 bool bHasBorder = aFrameDesc.HasFrameBorder();
+                 Size aMargin = aFrameDesc.GetMargin();
+ 
+-                xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) );
++                OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
++
++                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                    NotifyMacroEventRead();
++
++                xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+                 xSet->setPropertyValue("FrameName", uno::makeAny( aName ) );
+ 
+                 if ( eScroll == ScrollingMode::Auto )
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index 788bec5..72a14b9 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -853,9 +853,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+             uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY );
+             if ( xSet.is() )
+             {
++                OUString sHRef = URIHelper::SmartRel2Abs(
++                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
++
++                if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++                    GetXMLImport().NotifyMacroEventRead();
++
+                 xSet->setPropertyValue("FrameURL",
+-                    makeAny( URIHelper::SmartRel2Abs(
+-                            INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) );
++                    makeAny( rHRef ) );
+ 
+                 xSet->setPropertyValue("FrameName",
+                     makeAny( rName ) );
+diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba
+index 27b0d74..26755a8 100644
+--- a/wizards/source/access2base/DoCmd.xba
++++ b/wizards/source/access2base/DoCmd.xba
+@@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String)
+ 
+ Dim oShell As Object
+ 	Set oShell = createUnoService(&quot;com.sun.star.system.SystemShellExecute&quot;)
+-	oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS)
++	oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY)
+ 
+ End Sub				&apos;	_ShellExecute			V0.8.5
+ 
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index 2e509f8..ae35f1e 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -87,6 +87,7 @@
+ #include <basegfx/polygon/b2dpolypolygon.hxx>
+ #include <basegfx/polygon/b2dpolypolygontools.hxx>
+ #include <basegfx/vector/b2dvector.hxx>
++#include <tools/urlobj.hxx>
+ #include <o3tl/safeint.hxx>
+ 
+ using namespace ::com::sun::star;
+@@ -3243,6 +3244,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
+ 
+             if( !maHref.isEmpty() )
+             {
++                if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++                    GetImport().NotifyMacroEventRead();
++
+                 xProps->setPropertyValue("FrameURL", Any(maHref) );
+             }
+         }
+-- 
+2.37.3
+

SOURCES/0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch

@@ -0,0 +1,50 @@
+From 78fd31b17931e1217d3b11fcbd13a41d79d99055 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Wed, 23 Sep 2020 11:41:05 +0200
+Subject: [PATCH] Convert attribute value to UTF-8 when passing it to libxml2
+
+Using toUtf8, requiring the OUString to actually contain well-formed data, but
+which is likely OK for this test-code--only function, and is also what similar
+dumpAsXml functions e.g. in editeng/source/items/textitem.cxx already use.
+
+This appears to have been broken ever since the code's introduction in
+553f10c71a2cc92f5f5890e24948f5277e3d2758 "add dumpAsXml() to more pool items",
+and it would typically only have written the leading zero or one
+(depending on the architecture's endianness) characters.  (I ran across it on
+big-endian s390x, where CppunitTest_sd_tiledrendering
+SdTiledRenderingTest::testTdf104405 failed because of
+
+> Entity: line 2: parser error : Input is not proper UTF-8, indicate encoding !
+> Bytes: 0xCF 0x22 0x2F 0x3E
+> ation=""/><SfxPoolItem whichId="4017" typeName="13SvxBulletItem" presentation="%
+>                                                                                ^
+
+apparently reported from within libxml2.)
+
+Change-Id: I4b116d3be84098bd8b8a13b6937da70a1ee02c7f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103236
+Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+Tested-by: Jenkins
+(cherry picked from commit fd9422febc384208558487bfe4a69ec89ab0ddca)
+---
+ svl/source/items/poolitem.cxx | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/svl/source/items/poolitem.cxx b/svl/source/items/poolitem.cxx
+index ec37b68d3417..ad07a0b60b4b 100644
+--- a/svl/source/items/poolitem.cxx
++++ b/svl/source/items/poolitem.cxx
+@@ -548,7 +548,8 @@ void SfxPoolItem::dumpAsXml(xmlTextWriterPtr pWriter) const
+     OUString rText;
+     IntlWrapper aIntlWrapper(SvtSysLocale().GetUILanguageTag());
+     if (GetPresentation( SfxItemPresentation::Complete, MapUnit::Map100thMM, MapUnit::Map100thMM, rText, aIntlWrapper))
+-        xmlTextWriterWriteAttribute(pWriter, BAD_CAST("presentation"), BAD_CAST(rText.getStr()));
++        xmlTextWriterWriteAttribute(
++            pWriter, BAD_CAST("presentation"), BAD_CAST(rText.toUtf8().getStr()));
+     xmlTextWriterEndElement(pWriter);
+ }
+ 
+-- 
+2.33.1
+

SOURCES/0001-Correctly-read-PNG-into-bitmaps-N32BitTcA.-formats-w.patch

@@ -0,0 +1,65 @@
+From 41594786266265c1b7d5116ab85b38af0cd1fd59 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Wed, 23 Sep 2020 12:01:35 +0200
+Subject: [PATCH] Correctly read PNG into bitmaps N32BitTcA... formats (where
+ alpha comes first)
+
+This appears to be a regression introduced with
+86ea64f216819696cd86d1926aff0a138ace2baf "Support for native 32bit Bitmap in VCL
+and SVP (cairo) backend".  It caused CppunitTest_vcl_png_test to fail on
+(big-endian) Linux s390x with
+
+> vcl/qa/cppunit/png/PngFilterTest.cxx:176:PngFilterTest::testPng
+> equality assertion failed
+> - Expected: c[ff000040]
+> - Actual  : c[0000ff40]
+
+where eFormat happens to be ScanlineFormat::N32BitTcArgb, vs.
+ScanlineFormat::N32BitTcBgra on e.g. Linux x86-64 (and which thus didn't notice
+the lack of support for N32BitTcA... formats where alpha goes first instead of
+last).
+
+Change-Id: Id6030468718f6ef831b42f2b5ad7ba2c4c46a805
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103240
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit 0387077e6647d7a30fd36d4ec41dfc559afe45c3)
+---
+ vcl/source/filter/png/PngImageReader.cxx | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
+index 958cae34eb46..6e9f3825face 100644
+--- a/vcl/source/filter/png/PngImageReader.cxx
++++ b/vcl/source/filter/png/PngImageReader.cxx
+@@ -188,6 +188,8 @@ bool reader(SvStream& rStream, BitmapEx& rBitmapEx, bool bUseBitmap32)
+                     for (auto& rRow : aRows)
+                         rRow.resize(aRowSizeBytes, 0);
+ 
++                    auto const alphaFirst = (eFormat == ScanlineFormat::N32BitTcAbgr
++                                             || eFormat == ScanlineFormat::N32BitTcArgb);
+                     for (int pass = 0; pass < nNumberOfPasses; pass++)
+                     {
+                         for (png_uint_32 y = 0; y < height; y++)
+@@ -199,10 +201,17 @@ bool reader(SvStream& rStream, BitmapEx& rBitmapEx, bool bUseBitmap32)
+                             for (size_t i = 0; i < aRowSizeBytes; i += 4)
+                             {
+                                 sal_Int8 alpha = pRow[i + 3];
++                                if (alphaFirst)
++                                {
++                                    pScanline[iColor++] = alpha;
++                                }
+                                 pScanline[iColor++] = vcl::bitmap::premultiply(pRow[i + 0], alpha);
+                                 pScanline[iColor++] = vcl::bitmap::premultiply(pRow[i + 1], alpha);
+                                 pScanline[iColor++] = vcl::bitmap::premultiply(pRow[i + 2], alpha);
+-                                pScanline[iColor++] = alpha;
++                                if (!alphaFirst)
++                                {
++                                    pScanline[iColor++] = alpha;
++                                }
+                             }
+                         }
+                     }
+-- 
+2.33.1
+

SOURCES/0001-Fix-endianness-issues-in-OOX-crypto-routines.patch

@@ -0,0 +1,116 @@
+From 96b088a62174a70441ebe959495756e9d86203a2 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Thu, 24 Sep 2020 14:51:16 +0200
+Subject: [PATCH] Fix endianness issues in OOX crypto routines
+
+...without which CppunitTest_sw_ooxmlencryption failed on (big-endian) s390x:
+
+* The 32-bit segment counter in AgileEngine::de-/encrypt apparently needs to be
+  stored in LSB format (at least, if it is, CppunitTest_sw_ooxmlencryption
+  ultimately succeeded, whereas otherwise it failed).
+
+* The UTF-16 string in Standard2007Engine::calculateEncryptionKey apparently
+  needs to be in LSB format (at least, if it is, CppunitTest_sw_ooxmlencryption
+  ultimately succeeded, whereas otherwise it failed).
+
+* The various 32-bit values in the EncryptionStandardHeader and
+  EncryptionVerifierAES data structures apparently need to be written out in LSB
+  format in Standard2007Engine::writeEncryptionInfo, given that they are always
+  read in LSB format in Standard2007Engine::readEncryptionInfo.
+
+Change-Id: I3a1efbfe324b1bbd539b88dc5d40bb44f9676ffa
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103315
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit 646a69757b928aeaf6e0d0d41c4b30c02803a3a3)
+---
+ oox/source/crypto/AgileEngine.cxx        | 16 +++++++++-----
+ oox/source/crypto/Standard2007Engine.cxx | 28 +++++++++++++++++-------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/oox/source/crypto/AgileEngine.cxx b/oox/source/crypto/AgileEngine.cxx
+index 7c2a0e9c93d2..0fc972bf2ca5 100644
+--- a/oox/source/crypto/AgileEngine.cxx
++++ b/oox/source/crypto/AgileEngine.cxx
+@@ -457,9 +457,11 @@ bool AgileEngine::decrypt(BinaryXInputStream& aInputStream,
+ 
+     while ((inputLength = aInputStream.readMemory(inputBuffer.data(), inputBuffer.size())) > 0)
+     {
+-        sal_uInt8* segmentBegin = reinterpret_cast<sal_uInt8*>(&segment);
+-        sal_uInt8* segmentEnd   = segmentBegin + sizeof(segment);
+-        std::copy(segmentBegin, segmentEnd, saltWithBlockKey.begin() + saltSize);
++        auto p = saltWithBlockKey.begin() + saltSize;
++        p[0] = segment & 0xFF;
++        p[1] = (segment >> 8) & 0xFF;
++        p[2] = (segment >> 16) & 0xFF;
++        p[3] = segment >> 24;
+ 
+         hashCalc(hash, saltWithBlockKey, mInfo.hashAlgorithm);
+ 
+@@ -800,9 +802,11 @@ void AgileEngine::encrypt(css::uno::Reference<css::io::XInputStream> &  rxInputS
+                         inputLength : oox::core::roundUp(inputLength, sal_uInt32(mInfo.blockSize));
+ 
+         // Update Key
+-        sal_uInt8* segmentBegin = reinterpret_cast<sal_uInt8*>(&nSegment);
+-        sal_uInt8* segmentEnd   = segmentBegin + nSegmentByteSize;
+-        std::copy(segmentBegin, segmentEnd, saltWithBlockKey.begin() + saltSize);
++        auto p = saltWithBlockKey.begin() + saltSize;
++        p[0] = nSegment & 0xFF;
++        p[1] = (nSegment >> 8) & 0xFF;
++        p[2] = (nSegment >> 16) & 0xFF;
++        p[3] = nSegment >> 24;
+ 
+         hashCalc(hash, saltWithBlockKey, mInfo.hashAlgorithm);
+ 
+diff --git a/oox/source/crypto/Standard2007Engine.cxx b/oox/source/crypto/Standard2007Engine.cxx
+index 38c4e03baf15..e96fc8f841f2 100644
+--- a/oox/source/crypto/Standard2007Engine.cxx
++++ b/oox/source/crypto/Standard2007Engine.cxx
+@@ -79,12 +79,12 @@ bool Standard2007Engine::calculateEncryptionKey(const OUString& rPassword)
+     std::vector<sal_uInt8> initialData(saltSize + passwordByteLength);
+     std::copy(saltArray, saltArray + saltSize, initialData.begin());
+ 
+-    const sal_uInt8* passwordByteArray = reinterpret_cast<const sal_uInt8*>(rPassword.getStr());
+-
+-    std::copy(
+-        passwordByteArray,
+-        passwordByteArray + passwordByteLength,
+-        initialData.begin() + saltSize);
++    auto p = initialData.begin() + saltSize;
++    for (sal_Int32 i = 0; i != rPassword.getLength(); ++i) {
++        auto c = rPassword[i];
++        *p++ = c & 0xFF;
++        *p++ = c >> 8;
++    }
+ 
+     // use "hash" vector for result of sha1 hashing
+     // calculate SHA1 hash of initialData
+@@ -223,11 +223,23 @@ void Standard2007Engine::writeEncryptionInfo(BinaryXOutputStream& rStream)
+     sal_uInt32 headerSize = encryptionHeaderSize + cspNameSize;
+     rStream.WriteUInt32(headerSize);
+ 
+-    rStream.writeMemory(&mInfo.header, encryptionHeaderSize);
++    rStream.WriteUInt32(mInfo.header.flags);
++    rStream.WriteUInt32(mInfo.header.sizeExtra);
++    rStream.WriteUInt32(mInfo.header.algId);
++    rStream.WriteUInt32(mInfo.header.algIdHash);
++    rStream.WriteUInt32(mInfo.header.keyBits);
++    rStream.WriteUInt32(mInfo.header.providedType);
++    rStream.WriteUInt32(mInfo.header.reserved1);
++    rStream.WriteUInt32(mInfo.header.reserved2);
+     rStream.writeUnicodeArray(lclCspName);
+     rStream.WriteUInt16(0);
+ 
+-    rStream.writeMemory(&mInfo.verifier, sizeof(msfilter::EncryptionVerifierAES));
++    rStream.WriteUInt32(mInfo.verifier.saltSize);
++    rStream.writeMemory(&mInfo.verifier.salt, sizeof mInfo.verifier.salt);
++    rStream.writeMemory(&mInfo.verifier.encryptedVerifier, sizeof mInfo.verifier.encryptedVerifier);
++    rStream.WriteUInt32(mInfo.verifier.encryptedVerifierHashSize);
++    rStream.writeMemory(
++        &mInfo.verifier.encryptedVerifierHash, sizeof mInfo.verifier.encryptedVerifierHash);
+ }
+ 
+ void Standard2007Engine::encrypt(css::uno::Reference<css::io::XInputStream> &  rxInputStream,
+-- 
+2.33.1
+

SOURCES/0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch

@@ -0,0 +1,59 @@
+From 9f393ee10ae198063bbe3b71c2c87262e7880a34 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Wed, 23 Sep 2020 11:53:11 +0200
+Subject: [PATCH] Read MOSDocumentLockFile UTF-16 string data with same
+ endianness
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+...as MSODocumentLockFile::WriteEntryToStream has written it to (i.e.,
+always as UTF-16LE, assuming that is actually the right format to use).  The
+discrepancy between writing and reading the string data appears to be present
+ever since the code's introduction in 5db1e20b8b0942dac2d50f3cd34532bb61147020
+"Introduce new lockfile handler for MSO like lockfiles".
+
+This caused CppunitTest_svl_lockfiles to fail on (big-endian) s390x Linux with
+
+> svl/qa/unit/lockfiles/test_lockfiles.cxx:578:(anonymous namespace)::LockfileTest::testWordLockFileRT
+> equality assertion failed
+> - Expected: LockFile Test
+> - Actual  : 䰀漀挀欀䘀椀氀攀 吀攀猀琀
+
+etc.
+
+Change-Id: I97267aa14a3a926e7fd7bb1d2ce7d2de05d52a64
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103238
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit 1b9fa11a0869246fe0433b79aab30dd216cf92b6)
+---
+ svl/source/misc/msodocumentlockfile.cxx | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/svl/source/misc/msodocumentlockfile.cxx b/svl/source/misc/msodocumentlockfile.cxx
+index 9650db03999f..0c857ffb53ec 100644
+--- a/svl/source/misc/msodocumentlockfile.cxx
++++ b/svl/source/misc/msodocumentlockfile.cxx
+@@ -228,8 +228,16 @@ LockFileEntry MSODocumentLockFile::GetLockData()
+                 nUTF16Len = *++pBuf; // use Excel/PowerPoint position
+ 
+             if (nUTF16Len > 0 && nUTF16Len <= 52) // skip wrong format
+-                aResult[LockFileComponent::OOOUSERNAME]
+-                    = OUString(reinterpret_cast<const sal_Unicode*>(pBuf + 2), nUTF16Len);
++            {
++                OUStringBuffer str(nUTF16Len);
++                sal_uInt8 const* p = reinterpret_cast<sal_uInt8 const*>(pBuf + 2);
++                for (int i = 0; i != nUTF16Len; ++i)
++                {
++                    str.append(sal_Unicode(p[0] | (sal_uInt32(p[1]) << 8)));
++                    p += 2;
++                }
++                aResult[LockFileComponent::OOOUSERNAME] = str.makeStringAndClear();
++            }
+         }
+     }
+     return aResult;
+-- 
+2.33.1
+

SOURCES/0001-backports-to-ease-CVE-backporting.patch

@@ -0,0 +1,259 @@
+From c2cf13da3bbf756ef3f78251c40d45fc23c27f36 Mon Sep 17 00:00:00 2001
+From: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
+Date: Wed, 29 Apr 2020 07:42:24 +0200
+Subject: [PATCH 1/6] backports to ease CVE backporting
+
+Remove unnecessary if block
+
+And format code inside
+
+Change-Id: Ied0d98935134bf6f7bc8c929645ad5faac9affa3
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93116
+Tested-by: Jenkins
+Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
+(cherry picked from commit cf36fe5eb41910c26d58fb25e54ccf2e0ee01365)
+
+space out the namespace constant values
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/88938
+(cherry picked from commit 5352d45dd4a04f8f02cf7f6ad4169126d3b3586a)
+
+Change-Id: I30f54bfc1389e91b18e4fee8b83e1b297419899b
+---
+ include/xmloff/xmlnmspe.hxx                   |  16 +--
+ .../component/documentdigitalsignatures.cxx   | 130 +++++++++---------
+ .../source/helper/xmlsignaturehelper.cxx      |   1 +
+ 3 files changed, 75 insertions(+), 72 deletions(-)
+
+diff --git a/include/xmloff/xmlnmspe.hxx b/include/xmloff/xmlnmspe.hxx
+index a00628b6b999..b079053c38d3 100644
+--- a/include/xmloff/xmlnmspe.hxx
++++ b/include/xmloff/xmlnmspe.hxx
+@@ -69,7 +69,7 @@ XML_NAMESPACE( XML_NAMESPACE_VERSIONS_LIST,   37U )
+ 
+ // namespaces for odf extended formats
+ 
+-#define XML_NAMESPACE_EXT_BASE 38U
++#define XML_NAMESPACE_EXT_BASE 50U
+ #define XML_NAMESPACE_EXT( prefix, index ) \
+ const sal_uInt16 prefix = (XML_NAMESPACE_EXT_BASE+index);
+ 
+@@ -82,7 +82,7 @@ XML_NAMESPACE_EXT( XML_NAMESPACE_LO_EXT,           5U )
+ 
+ // namespaces for OOo formats
+ 
+-#define XML_NAMESPACE_OOO_BASE 44U
++#define XML_NAMESPACE_OOO_BASE 60U
+ #define XML_NAMESPACE_OOO( prefix, index ) \
+ const sal_uInt16 prefix = (XML_NAMESPACE_OOO_BASE+index);
+ 
+@@ -100,7 +100,7 @@ XML_NAMESPACE_OOO( XML_NAMESPACE_CONFIG_OOO,        10U )
+ XML_NAMESPACE_OOO( XML_NAMESPACE_FORM_OOO,          11U )
+ XML_NAMESPACE_OOO( XML_NAMESPACE_SCRIPT_OOO,        12U )
+ 
+-#define XML_NAMESPACE_COMPAT_BASE 57U
++#define XML_NAMESPACE_COMPAT_BASE 80U
+ #define XML_NAMESPACE_COMPAT( prefix, index ) \
+ const sal_uInt16 prefix = (XML_NAMESPACE_COMPAT_BASE+index);
+ 
+@@ -108,14 +108,14 @@ XML_NAMESPACE_COMPAT( XML_NAMESPACE_SVG_COMPAT,      0U )
+ XML_NAMESPACE_COMPAT( XML_NAMESPACE_FO_COMPAT,       1U )
+ XML_NAMESPACE_COMPAT( XML_NAMESPACE_SMIL_COMPAT,     2U )
+ 
+-#define XML_NAMESPACE_OASIS_BASE 60U
++#define XML_NAMESPACE_OASIS_BASE 90U
+ #define XML_NAMESPACE_OASIS( prefix, index ) \
+ const sal_uInt16 prefix = (XML_NAMESPACE_OASIS_BASE+index);
+ 
+ XML_NAMESPACE_OASIS( XML_NAMESPACE_DB_OASIS,         0U )
+ XML_NAMESPACE_OASIS( XML_NAMESPACE_REPORT_OASIS,     1U )
+ 
+-#define XML_OLD_NAMESPACE_BASE 62U
++#define XML_OLD_NAMESPACE_BASE 100U
+ #define XML_OLD_NAMESPACE( prefix, index ) \
+ const sal_uInt16 prefix = (XML_OLD_NAMESPACE_BASE+index);
+ 
+@@ -134,9 +134,9 @@ XML_OLD_NAMESPACE( XML_OLD_NAMESPACE_CHART,         10U )
+ XML_OLD_NAMESPACE( XML_OLD_NAMESPACE_SMIL,          11U )
+ 
+ // experimental namespaces
+-XML_NAMESPACE( XML_NAMESPACE_FIELD,           100U )
+-XML_NAMESPACE( XML_NAMESPACE_CSS3TEXT,        103U )  // CSS Text Level 3
+-XML_NAMESPACE( XML_NAMESPACE_FORMX,           101U )  // form interop extensions
++XML_NAMESPACE( XML_NAMESPACE_FIELD,           120U )
++XML_NAMESPACE( XML_NAMESPACE_CSS3TEXT,        123U )  // CSS Text Level 3
++XML_NAMESPACE( XML_NAMESPACE_FORMX,           121U )  // form interop extensions
+ 
+ 
+ #endif // INCLUDED_XMLOFF_XMLNMSPE_HXX
+diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+index dcfaad0af773..52cb938a8e0a 100644
+--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
++++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
+@@ -500,85 +500,87 @@ DocumentDigitalSignatures::ImplVerifySignatures(
+     Sequence< css::security::DocumentSignatureInformation > aInfos(nInfos);
+     css::security::DocumentSignatureInformation* arInfos = aInfos.getArray();
+ 
+-    if ( nInfos )
++    for (int n = 0; n < nInfos; ++n)
+     {
+-        for( int n = 0; n < nInfos; ++n )
+-        {
+-            DocumentSignatureAlgorithm mode = DocumentSignatureHelper::getDocumentAlgorithm(
+-                m_sODFVersion, aSignInfos[n]);
+-            const std::vector< OUString > aElementsToBeVerified =
+-                DocumentSignatureHelper::CreateElementList(
+-                rxStorage, eMode, mode);
++        DocumentSignatureAlgorithm mode
++            = DocumentSignatureHelper::getDocumentAlgorithm(m_sODFVersion, aSignInfos[n]);
++        const std::vector<OUString> aElementsToBeVerified
++            = DocumentSignatureHelper::CreateElementList(rxStorage, eMode, mode);
+ 
+-            const SignatureInformation& rInfo = aSignInfos[n];
+-            css::security::DocumentSignatureInformation& rSigInfo = arInfos[n];
++        const SignatureInformation& rInfo = aSignInfos[n];
++        css::security::DocumentSignatureInformation& rSigInfo = arInfos[n];
+ 
+-            if (rInfo.ouGpgCertificate.isEmpty()) // X.509
++        if (rInfo.ouGpgCertificate.isEmpty()) // X.509
++        {
++            if (!rInfo.ouX509Certificate.isEmpty())
++                rSigInfo.Signer = xSecEnv->createCertificateFromAscii(rInfo.ouX509Certificate);
++            if (!rSigInfo.Signer.is())
++                rSigInfo.Signer = xSecEnv->getCertificate(
++                    rInfo.ouX509IssuerName,
++                    xmlsecurity::numericStringToBigInteger(rInfo.ouX509SerialNumber));
++
++            // On Windows checking the certificate path is buggy. It does name matching (issuer, subject name)
++            // to find the parent certificate. It does not take into account that there can be several certificates
++            // with the same subject name.
++            try
+             {
+-                if (!rInfo.ouX509Certificate.isEmpty())
+-                    rSigInfo.Signer = xSecEnv->createCertificateFromAscii( rInfo.ouX509Certificate ) ;
+-                if (!rSigInfo.Signer.is())
+-                    rSigInfo.Signer = xSecEnv->getCertificate( rInfo.ouX509IssuerName,
+-                                                               xmlsecurity::numericStringToBigInteger( rInfo.ouX509SerialNumber ) );
+-
+-                // On Windows checking the certificate path is buggy. It does name matching (issuer, subject name)
+-                // to find the parent certificate. It does not take into account that there can be several certificates
+-                // with the same subject name.
+-
+-                try {
+-                    rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer,
+-                                                                            Sequence<Reference<css::security::XCertificate> >());
+-                } catch (SecurityException& ) {
+-                    OSL_FAIL("Verification of certificate failed");
+-                    rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+-                }
++                rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(
++                    rSigInfo.Signer, Sequence<Reference<css::security::XCertificate>>());
+             }
+-            else if (xGpgSecEnv.is()) // GPG
++            catch (SecurityException&)
+             {
+-                // TODO not ideal to retrieve cert by keyID, might
+-                // collide, or PGPKeyID format might change - can't we
+-                // keep the xCert itself in rInfo?
+-                rSigInfo.Signer = xGpgSecEnv->getCertificate( rInfo.ouGpgKeyID, xmlsecurity::numericStringToBigInteger("") );
+-                rSigInfo.CertificateStatus = xGpgSecEnv->verifyCertificate(rSigInfo.Signer,
+-                                                                           Sequence<Reference<css::security::XCertificate> >());
++                OSL_FAIL("Verification of certificate failed");
++                rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID;
+             }
++        }
++        else if (xGpgSecEnv.is()) // GPG
++        {
++            // TODO not ideal to retrieve cert by keyID, might
++            // collide, or PGPKeyID format might change - can't we
++            // keep the xCert itself in rInfo?
++            rSigInfo.Signer = xGpgSecEnv->getCertificate(
++                rInfo.ouGpgKeyID, xmlsecurity::numericStringToBigInteger(""));
++            rSigInfo.CertificateStatus = xGpgSecEnv->verifyCertificate(
++                rSigInfo.Signer, Sequence<Reference<css::security::XCertificate>>());
++        }
+ 
+-            // Time support again (#i38744#)
+-            Date aDate( rInfo.stDateTime.Day, rInfo.stDateTime.Month, rInfo.stDateTime.Year );
+-            tools::Time aTime( rInfo.stDateTime.Hours, rInfo.stDateTime.Minutes,
+-                        rInfo.stDateTime.Seconds, rInfo.stDateTime.NanoSeconds );
+-            rSigInfo.SignatureDate = aDate.GetDate();
+-            rSigInfo.SignatureTime = aTime.GetTime() / tools::Time::nanoPerCenti;
++        // Time support again (#i38744#)
++        Date aDate(rInfo.stDateTime.Day, rInfo.stDateTime.Month, rInfo.stDateTime.Year);
++        tools::Time aTime(rInfo.stDateTime.Hours, rInfo.stDateTime.Minutes,
++                          rInfo.stDateTime.Seconds, rInfo.stDateTime.NanoSeconds);
++        rSigInfo.SignatureDate = aDate.GetDate();
++        rSigInfo.SignatureTime = aTime.GetTime() / tools::Time::nanoPerCenti;
+ 
+-            rSigInfo.SignatureIsValid = ( rInfo.nStatus == css::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED );
++        rSigInfo.SignatureIsValid
++            = (rInfo.nStatus == css::xml::crypto::SecurityOperationStatus_OPERATION_SUCCEEDED);
+ 
+-            // Signature line info (ID + Images)
+-            if (!rInfo.ouSignatureLineId.isEmpty())
+-                rSigInfo.SignatureLineId = rInfo.ouSignatureLineId;
++        // Signature line info (ID + Images)
++        if (!rInfo.ouSignatureLineId.isEmpty())
++            rSigInfo.SignatureLineId = rInfo.ouSignatureLineId;
+ 
+-            if (rInfo.aValidSignatureImage.is())
+-                rSigInfo.ValidSignatureLineImage = rInfo.aValidSignatureImage;
++        if (rInfo.aValidSignatureImage.is())
++            rSigInfo.ValidSignatureLineImage = rInfo.aValidSignatureImage;
+ 
+-            if (rInfo.aInvalidSignatureImage.is())
+-                rSigInfo.InvalidSignatureLineImage = rInfo.aInvalidSignatureImage;
+-
+-            // OOXML intentionally doesn't sign metadata.
+-            if ( rSigInfo.SignatureIsValid && aStreamHelper.nStorageFormat != embed::StorageFormats::OFOPXML)
+-            {
+-                 rSigInfo.SignatureIsValid =
+-                      DocumentSignatureHelper::checkIfAllFilesAreSigned(
+-                      aElementsToBeVerified, rInfo, mode);
+-            }
+-            if (eMode == DocumentSignatureMode::Content)
+-            {
+-                if (aStreamHelper.nStorageFormat == embed::StorageFormats::OFOPXML)
+-                    rSigInfo.PartialDocumentSignature = true;
+-                else
+-                    rSigInfo.PartialDocumentSignature = !DocumentSignatureHelper::isOOo3_2_Signature(aSignInfos[n]);
+-            }
++        if (rInfo.aInvalidSignatureImage.is())
++            rSigInfo.InvalidSignatureLineImage = rInfo.aInvalidSignatureImage;
+ 
++        // OOXML intentionally doesn't sign metadata.
++        if (rSigInfo.SignatureIsValid
++            && aStreamHelper.nStorageFormat != embed::StorageFormats::OFOPXML)
++        {
++            rSigInfo.SignatureIsValid = DocumentSignatureHelper::checkIfAllFilesAreSigned(
++                aElementsToBeVerified, rInfo, mode);
++        }
++        if (eMode == DocumentSignatureMode::Content)
++        {
++            if (aStreamHelper.nStorageFormat == embed::StorageFormats::OFOPXML)
++                rSigInfo.PartialDocumentSignature = true;
++            else
++                rSigInfo.PartialDocumentSignature
++                    = !DocumentSignatureHelper::isOOo3_2_Signature(aSignInfos[n]);
+         }
+     }
++
+     return aInfos;
+ 
+ }
+diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+index 6ec834053a17..22c056e70da1 100644
+--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
++++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+@@ -402,6 +402,7 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorageStream(const css::uno::Ref
+     catch(const uno::Exception&)
+     {
+         DBG_UNHANDLED_EXCEPTION("xmlsecurity.helper");
++        mbError = true;
+     }
+ 
+     mpXSecController->releaseSignatureReader();
+-- 
+2.32.0
+

SOURCES/0001-rhbz-1980800-allow-convert-to-csv-to-write-each-shee.patch

@@ -1,4 +1,4 @@
-From c5a9fb7f00fe4d701d98c4058ad0f506c8dd146f Mon Sep 17 00:00:00 2001
+From b49380bd288e642352cb7ddc1c050e2fb34b5b43 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
 Date: Tue, 13 Jul 2021 12:38:07 +0100
 Subject: [PATCH] rhbz#1980800 allow --convert-to csv to write each sheet to a
@@ -45,15 +45,24 @@ Tested-by: Jenkins
 Change-Id: Ib99a120f1a2c8d1008a7a3c59a6b39f572fb346e
 b9248c9561e4e340c88458ac5dfd159e443a4cfd
 9431221aadf97739bb197871f25fa151ef4c391c
+
+Plus follow-up fix
+<https://git.libreoffice.org/core/+/d768757872ad25219fa291acd623ab98924acaaa%5E%21>
+"tdf#129829 sfx2: fix handling of password to open vs modify" (which happens to
+also fix saving to smb shares, in addition to the Windows-specific issue it was
+originally meant to fix), plus the relevant parts of its preceding
+<https://git.libreoffice.org/core/+/037cd13af81f8a1169d01e95036ed942f261f9a6%5E%21>
+"sw reqif-xhtml export: add a new RTFOLEMimeType parameter" introducing
+SfxMedium::SetArgs.
 ---
  desktop/source/app/dispatchwatcher.cxx |  50 +++++++--
- include/sfx2/docfile.hxx               |   1 +
+ include/sfx2/docfile.hxx               |   2 +
  sc/source/ui/dbgui/imoptdlg.cxx        |  16 ++-
  sc/source/ui/docshell/docsh.cxx        | 141 +++++++++++++++++++++----
  sc/source/ui/inc/docsh.hxx             |   2 +-
  sc/source/ui/inc/imoptdlg.hxx          |   6 +-
- sfx2/source/doc/docfile.cxx            |   4 +
- 7 files changed, 184 insertions(+), 36 deletions(-)
+ sfx2/source/doc/docfile.cxx            |  13 +++
+ 7 files changed, 194 insertions(+), 36 deletions(-)
 
 diff --git a/desktop/source/app/dispatchwatcher.cxx b/desktop/source/app/dispatchwatcher.cxx
 index 04140173c6d1..a5365da618e8 100644
@@ -154,13 +163,14 @@ index 04140173c6d1..a5365da618e8 100644
                                  }
                                  try
 diff --git a/include/sfx2/docfile.hxx b/include/sfx2/docfile.hxx
-index 2019b5738c01..09aae02b1976 100644
+index 2019b5738c01..2886348 100644
 --- a/include/sfx2/docfile.hxx
 +++ b/include/sfx2/docfile.hxx
-@@ -108,6 +108,7 @@ public:
+@@ -108,6 +108,8 @@ public:
      const OUString&     GetOrigURL() const;
  
      SfxItemSet  *       GetItemSet() const;
++    void SetArgs(const css::uno::Sequence<css::beans::PropertyValue>& rArgs);
 +    css::uno::Sequence<css::beans::PropertyValue> GetArgs() const;
      void                Close(bool bInDestruction = false);
      void                CloseAndRelease();
@@ -439,7 +449,7 @@ index bac941c2a377..382067d67813 100644
  
  #endif // INCLUDED_SC_SOURCE_UI_INC_IMOPTDLG_HXX
 diff --git a/sfx2/source/doc/docfile.cxx b/sfx2/source/doc/docfile.cxx
-index 5d00d39bd837..ccdd3632e6e5 100644
+index 5d00d39bd837..4e4e74a 100644
 --- a/sfx2/source/doc/docfile.cxx
 +++ b/sfx2/source/doc/docfile.cxx
 @@ -328,6 +328,8 @@ public:
@@ -455,14 +465,23 @@ index 5d00d39bd837..ccdd3632e6e5 100644
      SfxAllItemSet *pParams = new SfxAllItemSet( SfxGetpApp()->GetPool() );
      pImpl->m_pSet.reset( pParams );
      TransformParameters( SID_OPENDOC, aArgs, *pParams );
-+    pImpl->m_aArgs = aArgs;
++    SetArgs(aArgs);
  
      OUString aFilterProvider, aFilterName;
      {
-@@ -3301,6 +3304,7 @@ SfxMedium::SfxMedium( const uno::Sequence<beans::PropertyValue>& aArgs ) :
+@@ -3301,6 +3304,16 @@ SfxMedium::SfxMedium( const uno::Sequence<beans::PropertyValue>& aArgs ) :
      Init_Impl();
  }
  
++void SfxMedium::SetArgs(const uno::Sequence<beans::PropertyValue>& rArgs)
++{
++    pImpl->m_aArgs = rArgs;
++    comphelper::SequenceAsHashMap aArgsMap(rArgs);
++    aArgsMap.erase("Stream");
++    aArgsMap.erase("InputStream");
++    pImpl->m_aArgs = aArgsMap.getAsConstPropertyValueList();
++}
++
 +uno::Sequence<beans::PropertyValue> SfxMedium::GetArgs() const { return pImpl->m_aArgs; }
  
  SfxMedium::SfxMedium( const uno::Reference < embed::XStorage >& rStor, const OUString& rBaseURL, const std::shared_ptr<SfxItemSet>& p ) :

SOURCES/0002-CVE-2021-25635.patch

@@ -0,0 +1,56 @@
+From a9102a384893fd084011e8451867071452031ece Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 8 Feb 2021 17:05:28 +0000
+Subject: [PATCH 2/6] CVE-2021-25635
+
+default to CertificateValidity::INVALID
+
+so if CertGetCertificateChain fails we don't want validity to be
+css::security::CertificateValidity::VALID which is what the old default
+of 0 equates to
+
+notably
+
+commit 1e0bc66d16aee28ce8bd9582ea32178c63841902
+Date:   Thu Nov 5 16:55:26 2009 +0100
+
+    jl137:  #103420# better logging
+
+turned the nss equivalent of SecurityEnvironment_NssImpl::verifyCertificate
+from 0 to CertificateValidity::INVALID like this change does
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/110561
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit edeb164c1d8ab64116afee4e2140403a362a1358)
+
+Change-Id: I5350dbc22d1b9b378da2976d3b0abd728f1f4c27
+---
+ .../source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+index d9b657891b96..4031df289f44 100644
+--- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
++++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+@@ -755,7 +755,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
+     const uno::Reference< css::security::XCertificate >& aCert,
+     const uno::Sequence< uno::Reference< css::security::XCertificate > >& seqCerts)
+ {
+-    sal_Int32 validity = 0;
++    sal_Int32 validity = css::security::CertificateValidity::INVALID;
+     PCCERT_CHAIN_CONTEXT pChainContext = nullptr;
+     PCCERT_CONTEXT pCertContext = nullptr;
+ 
+@@ -899,7 +899,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
+         }
+         else
+         {
+-            SAL_INFO("xmlsecurity.xmlsec", "CertGetCertificateChaine failed.");
++            SAL_INFO("xmlsecurity.xmlsec", "CertGetCertificateChain failed.");
+         }
+     }
+ 
+-- 
+2.32.0
+

SOURCES/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch

@@ -0,0 +1,198 @@
+From 61f8673fb44150bd629d88f6626aff8d5b026449 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 21 Mar 2022 20:58:34 +0000
+Subject: [PATCH] make hash encoding match decoding
+
+Seeing as old versions of the hash may be in the users config, add a
+StorageVersion field to the office config Passwords section which
+defaults to 0 to indicate the old hash is in use.
+
+Try the old varient when StorageVersion is 0. When a new encoded master
+password it set write StorageVersion of 1 to indicate a new hash is in
+use and use the new style when StorageVersion is 1.
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132080
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+(cherry picked from commit e890f54dbac57f3ab5acf4fbd31222095d3e8ab6)
+
+svl: fix crash if user cancels/closes master password dialog
+
+(regression from d7ba5614d90381d68f880ca7e7c5ef8bbb1b1c43)
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133932
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bbb8617ece6d946957c2eb96287081029bce530f)
+
+Change-Id: I3174c37a5891bfc849984e0ec5c2c392b9c6e7b1
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133905
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ .../schema/org/openoffice/Office/Common.xcs   |  6 +++
+ .../passwordcontainer/passwordcontainer.cxx   | 47 ++++++++++++++++++-
+ .../passwordcontainer/passwordcontainer.hxx   |  6 +++
+ uui/source/iahndl-authentication.cxx          |  5 +-
+ 4 files changed, 60 insertions(+), 4 deletions(-)
+
+diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+index b317f616deeb..b033b29b60d7 100644
+--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+@@ -911,6 +911,12 @@
+         </info>
+         <value>false</value>
+       </prop>
++      <prop oor:name="StorageVersion" oor:type="xs:int" oor:nillable="false">
++        <info>
++          <desc>Specifies what version of encoding scheme the password container uses.</desc>
++        </info>
++        <value>0</value>
++      </prop>
+       <prop oor:name="HasMaster" oor:type="xs:boolean" oor:nillable="false">
+         <info>
+           <desc>Specifies if there is a valid master password.</desc>
+diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
+index 02947cd3892c..ff0b40df4016 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.cxx
++++ b/svl/source/passwordcontainer/passwordcontainer.cxx
+@@ -17,6 +17,8 @@
+  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+  */
+ 
++#include <sal/config.h>
++#include <sal/log.hxx>
+ 
+ #include "passwordcontainer.hxx"
+ 
+@@ -259,6 +261,23 @@ bool StorageItem::useStorage()
+     return aResult;
+ }
+ 
++sal_Int32 StorageItem::getStorageVersion()
++{
++    Sequence<OUString> aNodeNames { "StorageVersion" };
++
++    Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
++
++    if( aPropertyValues.getLength() != aNodeNames.getLength() )
++    {
++        OSL_FAIL( "Problems during reading" );
++        return 0;
++    }
++
++    sal_Int32 nResult = 0;
++    aPropertyValues[0] >>= nResult;
++
++    return nResult;
++}
+ 
+ bool StorageItem::getEncodedMP( OUString& aResult )
+ {
+@@ -291,15 +310,17 @@ bool StorageItem::getEncodedMP( OUString& aResult )
+ 
+ void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
+ {
+-    Sequence< OUString > sendNames(2);
+-    Sequence< uno::Any > sendVals(2);
++    Sequence< OUString > sendNames(3);
++    Sequence< uno::Any > sendVals(3);
+ 
+     sendNames[0] = "HasMaster";
+     sendNames[1] = "Master";
++    sendNames[2] = "StorageVersion";
+ 
+     bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
+     sendVals[0] <<= bHasMaster;
+     sendVals[1] <<= aEncoded;
++    sendVals[2] <<= nCurrentStorageVersion;
+ 
+     ConfigItem::SetModified();
+     ConfigItem::PutProperties( sendNames, sendVals );
+@@ -800,6 +821,18 @@ OUString PasswordContainer::RequestPasswordFromUser( PasswordRequestMode aRMode,
+     return aResult;
+ }
+ 
++// Mangle the key to match an old bug
++static OUString ReencodeAsOldHash(const OUString& rPass)
++{
++    OUStringBuffer aBuffer;
++    for (int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ++ind)
++    {
++        unsigned char i = static_cast<char>(rPass.copy(ind * 2, 2).toUInt32(16));
++        aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
++        aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
++    }
++    return aBuffer.makeStringAndClear();
++}
+ 
+ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInteractionHandler >& aHandler )
+ {
+@@ -838,6 +871,9 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+                     }
+                     else
+                     {
++                        if (m_pStorageFile->getStorageVersion() == 0)
++                            aPass = ReencodeAsOldHash(aPass);
++
+                         std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
+                         if( aRM.empty() || aPass != aRM[0] )
+                         {
+@@ -1042,6 +1078,13 @@ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::R
+ 
+                 do {
+                     aPass = RequestPasswordFromUser( aRMode, xTmpHandler );
++
++
++                    if (!aPass.isEmpty() && m_pStorageFile->getStorageVersion() == 0)
++                    {
++                        aPass = ReencodeAsOldHash(aPass);
++                    }
++
+                     bResult = ( !aPass.isEmpty() && aPass == m_aMasterPasswd );
+                     aRMode = PasswordRequestMode_PASSWORD_REENTER; // further questions with error notification
+                 } while( !bResult && !aPass.isEmpty() );
+diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
+index 09fb7e03629d..cf5c717d0c9e 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.hxx
++++ b/svl/source/passwordcontainer/passwordcontainer.hxx
+@@ -167,6 +167,10 @@ public:
+ typedef ::std::pair< const OUString, ::std::vector< NamePassRecord > > PairUrlRecord;
+ typedef ::std::map< OUString, ::std::vector< NamePassRecord > > PassMap;
+ 
++// org.openoffice.Office.Common/Passwords/StorageVersion bump if details of
++// how password details are saved changes. Enables migration from previous
++// schemes.
++constexpr sal_Int32 nCurrentStorageVersion = 1;
+ 
+ class PasswordContainer;
+ 
+@@ -195,6 +199,8 @@ public:
+     void remove( const OUString& url, const OUString& rec );
+     void clear();
+ 
++    sal_Int32 getStorageVersion();
++
+     bool getEncodedMP( OUString& aResult );
+     void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
+     void setUseStorage( bool bUse );
+diff --git a/uui/source/iahndl-authentication.cxx b/uui/source/iahndl-authentication.cxx
+index 4835a485dd2a..5764e62cb1c6 100644
+--- a/uui/source/iahndl-authentication.cxx
++++ b/uui/source/iahndl-authentication.cxx
+@@ -436,8 +436,9 @@ executeMasterPasswordDialog(
+     OUStringBuffer aBuffer;
+     for (sal_uInt8 i : aKey)
+     {
+-        aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
+-        aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
++        // match PasswordContainer::DecodePasswords aMasterPasswd.copy(index * 2, 2).toUInt32(16));
++        aBuffer.append(OUString::number(i >> 4, 16));
++        aBuffer.append(OUString::number(i & 15, 16));
+     }
+     rInfo.SetPassword(aBuffer.makeStringAndClear());
+ }
+-- 
+2.37.1
+

SOURCES/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch

@@ -0,0 +1,586 @@
+From a3046cfa58bdfa2a1b9ea6287a021230830f056f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 22 Mar 2022 17:22:22 +0000
+Subject: [PATCH] add Initialization Vectors to password storage
+
+old ones default to the current all zero case and continue to work
+as before
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306
+Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
+(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad)
+
+Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133907
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ .../schema/org/openoffice/Office/Common.xcs   |  10 ++
+ .../passwordcontainer/passwordcontainer.cxx   | 127 ++++++++++++------
+ .../passwordcontainer/passwordcontainer.hxx   |  63 +++++++--
+ 3 files changed, 151 insertions(+), 49 deletions(-)
+
+diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+index b033b29b60d7..e57d26ab3366 100644
+--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+@@ -27,6 +27,11 @@
+       <info>
+         <desc>Contains a container for passwords.</desc>
+       </info>
++      <prop oor:name="InitializationVector" oor:type="xs:string">
++        <info>
++          <desc>Contains an initialization vector for the password encryption.</desc>
++        </info>
++      </prop>
+       <prop oor:name="Password" oor:type="xs:string" oor:localized="false">
+         <info>
+           <desc>Contains a password encoded with the master password.</desc>
+@@ -923,6 +928,11 @@
+         </info>
+         <value>false</value>
+       </prop>
++      <prop oor:name="MasterInitializationVector" oor:type="xs:string">
++        <info>
++          <desc>Contains an initialization vector for the master password encryption.</desc>
++        </info>
++      </prop>
+       <prop oor:name="Master" oor:type="xs:string" oor:nillable="false">
+         <info>
+           <desc>Contains the master password encrypted by itself.</desc>
+diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
+index ff0b40df4016..380188ef495c 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.cxx
++++ b/svl/source/passwordcontainer/passwordcontainer.cxx
+@@ -184,15 +184,18 @@ PassMap StorageItem::getInfo()
+ 
+     Sequence< OUString > aNodeNames     = ConfigItem::GetNodeNames( "Store" );
+     sal_Int32 aNodeCount = aNodeNames.getLength();
+-    Sequence< OUString > aPropNames( aNodeCount );
++    Sequence< OUString > aPropNames( aNodeCount * 2);
+ 
+     std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.begin(),
+         [](const OUString& rName) -> OUString {
+             return "Store/Passwordstorage['" + rName + "']/Password"; });
++    std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.getArray() + aNodeCount,
++        [](const OUString& rName) -> OUString {
++            return "Store/Passwordstorage['" + rName + "']/InitializationVector"; });
+ 
+     Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aPropNames );
+ 
+-    if( aPropertyValues.getLength() != aNodeCount )
++    if( aPropertyValues.getLength() != aNodeCount * 2)
+     {
+         OSL_FAIL( "Problems during reading" );
+         return aResult;
+@@ -208,14 +211,16 @@ PassMap StorageItem::getInfo()
+             OUString aName = aUrlUsr[1];
+ 
+             OUString aEPasswd;
++            OUString aIV;
+             aPropertyValues[aNodeInd] >>= aEPasswd;
++            aPropertyValues[aNodeInd + aNodeCount] >>= aIV;
+ 
+             PassMap::iterator aIter = aResult.find( aUrl );
+             if( aIter != aResult.end() )
+-                aIter->second.emplace_back( aName, aEPasswd );
++                aIter->second.emplace_back( aName, aEPasswd, aIV );
+             else
+             {
+-                NamePassRecord aNewRecord( aName, aEPasswd );
++                NamePassRecord aNewRecord( aName, aEPasswd, aIV );
+                 std::vector< NamePassRecord > listToAdd( 1, aNewRecord );
+ 
+                 aResult.insert( PairUrlRecord( aUrl, listToAdd ) );
+@@ -279,17 +284,19 @@ sal_Int32 StorageItem::getStorageVersion()
+     return nResult;
+ }
+ 
+-bool StorageItem::getEncodedMP( OUString& aResult )
++bool StorageItem::getEncodedMP( OUString& aResult, OUString& aResultIV )
+ {
+     if( hasEncoded )
+     {
+         aResult = mEncoded;
++        aResultIV = mEncodedIV;
+         return true;
+     }
+ 
+-    Sequence< OUString > aNodeNames( 2 );
++    Sequence< OUString > aNodeNames( 3 );
+     aNodeNames[0] = "HasMaster";
+     aNodeNames[1] = "Master";
++    aNodeNames[2] = "MasterInitializationVector";
+ 
+     Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
+ 
+@@ -301,32 +308,37 @@ bool StorageItem::getEncodedMP( OUString& aResult )
+ 
+     aPropertyValues[0] >>= hasEncoded;
+     aPropertyValues[1] >>= mEncoded;
++    aPropertyValues[2] >>= mEncodedIV;
+ 
+     aResult = mEncoded;
++    aResultIV = mEncodedIV;
+ 
+     return hasEncoded;
+ }
+ 
+ 
+-void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
++void StorageItem::setEncodedMP( const OUString& aEncoded, const OUString& aEncodedIV, bool bAcceptEmpty )
+ {
+-    Sequence< OUString > sendNames(3);
+-    Sequence< uno::Any > sendVals(3);
++    Sequence< OUString > sendNames(4);
++    Sequence< uno::Any > sendVals(4);
+ 
+     sendNames[0] = "HasMaster";
+     sendNames[1] = "Master";
+-    sendNames[2] = "StorageVersion";
++    sendNames[2] = "MasterInitializationVector";
++    sendNames[3] = "StorageVersion";
+ 
+     bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
+     sendVals[0] <<= bHasMaster;
+     sendVals[1] <<= aEncoded;
+-    sendVals[2] <<= nCurrentStorageVersion;
++    sendVals[2] <<= aEncodedIV;
++    sendVals[3] <<= nCurrentStorageVersion;
+ 
+     ConfigItem::SetModified();
+     ConfigItem::PutProperties( sendNames, sendVals );
+ 
+     hasEncoded = bHasMaster;
+     mEncoded = aEncoded;
++    mEncodedIV = aEncodedIV;
+ }
+ 
+ 
+@@ -362,11 +374,13 @@ void StorageItem::update( const OUString& aURL, const NamePassRecord& aRecord )
+     forIndex.push_back( aURL );
+     forIndex.push_back( aRecord.GetUserName() );
+ 
+-    Sequence< beans::PropertyValue > sendSeq(1);
++    Sequence< beans::PropertyValue > sendSeq(2);
+ 
+-    sendSeq[0].Name  = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
++    sendSeq[0].Name  = "Store/Passwordstorage['" + createIndex( { aURL, aRecord.GetUserName() } ) + "']/InitializationVector";
++    sendSeq[0].Value <<= aRecord.GetPersistentIV();
+ 
+-    sendSeq[0].Value <<= aRecord.GetPersPasswords();
++    sendSeq[1].Name  = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
++    sendSeq[1].Value <<= aRecord.GetPersPasswords();
+ 
+     ConfigItem::SetModified();
+     ConfigItem::SetSetProperties( "Store", sendSeq );
+@@ -427,7 +441,7 @@ void SAL_CALL PasswordContainer::disposing( const EventObject& )
+     }
+ }
+ 
+-std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
++std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
+ {
+     if( !aMasterPasswd.isEmpty() )
+     {
+@@ -442,9 +456,16 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
+             for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+                 code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ 
++            unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
++            if (!aIV.isEmpty())
++            {
++                for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
++                    iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
++            }
++
+             rtlCipherError result = rtl_cipher_init (
+                     aDecoder, rtl_Cipher_DirectionDecode,
+-                    code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
++                    code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
+ 
+             if( result == rtl_Cipher_E_None )
+             {
+@@ -477,7 +498,7 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
+         "Can't decode!", css::uno::Reference<css::uno::XInterface>(), mode);
+ }
+ 
+-OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPasswd )
++OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPasswd)
+ {
+     if( !aMasterPasswd.isEmpty() )
+     {
+@@ -494,9 +515,16 @@ OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines
+             for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+                 code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ 
++            unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
++            if (!aIV.isEmpty())
++            {
++                for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
++                    iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
++            }
++
+             rtlCipherError result = rtl_cipher_init (
+                     aEncoder, rtl_Cipher_DirectionEncode,
+-                    code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
++                    code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
+ 
+             if( result == rtl_Cipher_E_None )
+             {
+@@ -564,7 +592,7 @@ void PasswordContainer::UpdateVector( const OUString& aURL, std::vector< NamePas
+ 
+             if( aRecord.HasPasswords( PERSISTENT_RECORD ) )
+             {
+-                aNPIter.SetPersPasswords( aRecord.GetPersPasswords() );
++                aNPIter.SetPersPasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV() );
+ 
+                 if( writeFile )
+                 {
+@@ -597,7 +625,8 @@ UserRecord PasswordContainer::CopyToUserRecord( const NamePassRecord& aRecord, b
+     {
+         try
+         {
+-            ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
++            ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV(),
++                                                                           GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
+             aPasswords.insert( aPasswords.end(), aDecodedPasswords.begin(), aDecodedPasswords.end() );
+         }
+         catch( NoMasterException& )
+@@ -642,6 +671,19 @@ void SAL_CALL PasswordContainer::addPersistent( const OUString& Url, const OUStr
+     PrivateAdd( Url, UserName, Passwords, PERSISTENT_RECORD, aHandler );
+ }
+ 
++OUString PasswordContainer::createIV()
++{
++    rtlRandomPool randomPool = mRandomPool.get();
++    unsigned char iv[RTL_DIGEST_LENGTH_MD5];
++    rtl_random_getBytes(randomPool, iv, RTL_DIGEST_LENGTH_MD5);
++    OUStringBuffer aBuffer;
++    for (sal_uInt8 i : iv)
++    {
++        aBuffer.append(OUString::number(i >> 4, 16));
++        aBuffer.append(OUString::number(i & 15, 16));
++    }
++    return aBuffer.makeStringAndClear();
++}
+ 
+ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserName, const Sequence< OUString >& Passwords, char Mode, const Reference< XInteractionHandler >& aHandler )
+ {
+@@ -649,7 +691,11 @@ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserNam
+     ::std::vector< OUString > aStorePass = comphelper::sequenceToContainer< std::vector<OUString> >( Passwords );
+ 
+     if( Mode == PERSISTENT_RECORD )
+-        aRecord.SetPersPasswords( EncodePasswords( aStorePass, GetMasterPassword( aHandler ) ) );
++    {
++        OUString sIV = createIV();
++        OUString sEncodedPasswords = EncodePasswords( aStorePass, sIV, GetMasterPassword( aHandler ) );
++        aRecord.SetPersPasswords( sEncodedPasswords, sIV );
++    }
+     else if( Mode == MEMORY_RECORD )
+         aRecord.SetMemPasswords( aStorePass );
+     else
+@@ -842,10 +888,10 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+ 
+     if( m_aMasterPasswd.isEmpty() && aHandler.is() )
+     {
+-        OUString aEncodedMP;
++        OUString aEncodedMP, aEncodedMPIV;
+         bool bDefaultPassword = false;
+ 
+-        if( !m_pStorageFile->getEncodedMP( aEncodedMP ) )
++        if( !m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+             aRMode = PasswordRequestMode_PASSWORD_CREATE;
+         else if ( aEncodedMP.isEmpty() )
+         {
+@@ -867,14 +913,15 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
+                         m_aMasterPasswd = aPass;
+                         std::vector< OUString > aMaster( 1, m_aMasterPasswd );
+ 
+-                        m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
++                        OUString sIV = createIV();
++                        m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, sIV, m_aMasterPasswd ), sIV );
+                     }
+                     else
+                     {
+                         if (m_pStorageFile->getStorageVersion() == 0)
+                             aPass = ReencodeAsOldHash(aPass);
+ 
+-                        std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
++                        std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aEncodedMPIV, aPass, aRMode ) );
+                         if( aRM.empty() || aPass != aRM[0] )
+                         {
+                             bAskAgain = true;
+@@ -1031,7 +1078,8 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
+             {
+                 sal_Int32 oldLen = aUsers.getLength();
+                 aUsers.realloc( oldLen + 1 );
+-                aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
++                aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), aNP.GetPersistentIV(),
++                                                                                                                    GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
+             }
+ 
+         if( aUsers.hasElements() )
+@@ -1048,12 +1096,12 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
+ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+     bool bResult = false;
+-    OUString aEncodedMP;
++    OUString aEncodedMP, aEncodedMPIV;
+     uno::Reference< task::XInteractionHandler > xTmpHandler = xHandler;
+     ::osl::MutexGuard aGuard( mMutex );
+ 
+     // the method should fail if there is no master password
+-    if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) )
++    if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+     {
+         if ( aEncodedMP.isEmpty() )
+         {
+@@ -1122,8 +1170,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
+ 
+         bool bCanChangePassword = true;
+         // if there is already a stored master password it should be entered by the user before the change happen
+-        OUString aEncodedMP;
+-        if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP ) )
++        OUString aEncodedMP, aEncodedMPIV;
++        if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
+             bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
+ 
+         if ( bCanChangePassword )
+@@ -1142,7 +1190,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
+                 // store the new master password
+                 m_aMasterPasswd = aPass;
+                 std::vector< OUString > aMaster( 1, m_aMasterPasswd );
+-                m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
++                OUString aIV = createIV();
++                m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, aIV, m_aMasterPasswd ), aIV );
+ 
+                 // store all the entries with the new password
+                 for ( const auto& rURL : aPersistent )
+@@ -1167,7 +1216,7 @@ void SAL_CALL PasswordContainer::removeMasterPassword()
+     if ( m_pStorageFile )
+     {
+         m_aMasterPasswd.clear();
+-        m_pStorageFile->setEncodedMP( OUString() ); // let the master password be removed from configuration
++        m_pStorageFile->setEncodedMP( OUString(), OUString() ); // let the master password be removed from configuration
+     }
+ }
+ 
+@@ -1178,8 +1227,8 @@ sal_Bool SAL_CALL PasswordContainer::hasMasterPassword(  )
+     if ( !m_pStorageFile )
+         throw uno::RuntimeException();
+ 
+-    OUString aEncodedMP;
+-    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) );
++    OUString aEncodedMP, aEncodedMPIV;
++    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) );
+ }
+ 
+ sal_Bool SAL_CALL PasswordContainer::allowPersistentStoring( sal_Bool bAllow )
+@@ -1226,8 +1275,8 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
+ 
+         bool bCanChangePassword = true;
+         // if there is already a stored nondefault master password it should be entered by the user before the change happen
+-        OUString aEncodedMP;
+-        if( m_pStorageFile->getEncodedMP( aEncodedMP ) && !aEncodedMP.isEmpty() )
++        OUString aEncodedMP, aEncodedMPIV;
++        if( m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && !aEncodedMP.isEmpty() )
+             bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
+ 
+         if ( bCanChangePassword )
+@@ -1244,7 +1293,7 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
+ 
+                 // store the empty string to flag the default master password
+                 m_aMasterPasswd = aPass;
+-                m_pStorageFile->setEncodedMP( OUString(), true );
++                m_pStorageFile->setEncodedMP( OUString(), OUString(), true );
+ 
+                 // store all the entries with the new password
+                 for ( const auto& rURL : aPersistent )
+@@ -1268,8 +1317,8 @@ sal_Bool SAL_CALL PasswordContainer::isDefaultMasterPasswordUsed()
+     if ( !m_pStorageFile )
+         throw uno::RuntimeException();
+ 
+-    OUString aEncodedMP;
+-    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) && aEncodedMP.isEmpty() );
++    OUString aEncodedMP, aEncodedMPIV;
++    return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && aEncodedMP.isEmpty() );
+ }
+ 
+ 
+diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
+index cf5c717d0c9e..4e3a6629139e 100644
+--- a/svl/source/passwordcontainer/passwordcontainer.hxx
++++ b/svl/source/passwordcontainer/passwordcontainer.hxx
+@@ -33,6 +33,7 @@
+ #include <unotools/configitem.hxx>
+ #include <ucbhelper/interactionrequest.hxx>
+ 
++#include <rtl/random.h>
+ #include <rtl/ref.hxx>
+ #include <osl/mutex.hxx>
+ 
+@@ -51,11 +52,12 @@ class NamePassRecord
+     ::std::vector< OUString >                      m_aMemPass;
+ 
+     // persistent passwords are encrypted in one string
+-    bool                                                  m_bHasPersPass;
++    bool                                           m_bHasPersPass;
+     OUString                                       m_aPersPass;
++    OUString                                       m_aPersistentIV;
+ 
+     void InitArrays( bool bHasMemoryList, const ::std::vector< OUString >& aMemoryList,
+-                     bool bHasPersistentList, const OUString& aPersistentList )
++                     bool bHasPersistentList, const OUString& aPersistentList, const OUString& aPersistentIV )
+     {
+         m_bHasMemPass = bHasMemoryList;
+         if ( bHasMemoryList )
+@@ -63,7 +65,10 @@ class NamePassRecord
+ 
+         m_bHasPersPass = bHasPersistentList;
+         if ( bHasPersistentList )
++        {
+             m_aPersPass = aPersistentList;
++            m_aPersistentIV = aPersistentIV;
++        }
+     }
+ 
+ public:
+@@ -75,11 +80,12 @@ public:
+     {
+     }
+ 
+-    NamePassRecord( const OUString& aName, const OUString& aPersistentList )
++    NamePassRecord( const OUString& aName, const OUString& aPersistentList, const OUString& aPersistentIV )
+         : m_aName( aName )
+         , m_bHasMemPass( false )
+         , m_bHasPersPass( true )
+         , m_aPersPass( aPersistentList )
++        , m_aPersistentIV( aPersistentIV )
+     {
+     }
+ 
+@@ -88,7 +94,8 @@ public:
+         , m_bHasMemPass( false )
+         , m_bHasPersPass( false )
+     {
+-        InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
++        InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
++                    aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
+     }
+ 
+     NamePassRecord& operator=( const NamePassRecord& aRecord )
+@@ -99,7 +106,9 @@ public:
+ 
+             m_aMemPass.clear();
+             m_aPersPass.clear();
+-            InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
++            m_aPersistentIV.clear();
++            InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
++                        aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
+         }
+         return *this;
+     }
+@@ -135,15 +144,24 @@ public:
+         return OUString();
+     }
+ 
++    OUString GetPersistentIV() const
++    {
++        if ( m_bHasPersPass )
++            return m_aPersistentIV;
++
++        return OUString();
++    }
++
+     void SetMemPasswords( const ::std::vector< OUString >& aMemList )
+     {
+         m_aMemPass = aMemList;
+         m_bHasMemPass = true;
+     }
+ 
+-    void SetPersPasswords( const OUString& aPersList )
++    void SetPersPasswords( const OUString& aPersList, const OUString& aPersIV )
+     {
+         m_aPersPass = aPersList;
++        m_aPersistentIV = aPersIV;
+         m_bHasPersPass = true;
+     }
+ 
+@@ -158,6 +176,7 @@ public:
+         {
+             m_bHasPersPass = false;
+             m_aPersPass.clear();
++            m_aPersistentIV.clear();
+         }
+     }
+ 
+@@ -181,6 +200,7 @@ private:
+     PasswordContainer*     mainCont;
+     bool                   hasEncoded;
+     OUString        mEncoded;
++    OUString        mEncodedIV;
+ 
+     virtual void            ImplCommit() override;
+ 
+@@ -201,8 +221,8 @@ public:
+ 
+     sal_Int32 getStorageVersion();
+ 
+-    bool getEncodedMP( OUString& aResult );
+-    void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
++    bool getEncodedMP( OUString& aResult, OUString& aResultIV );
++    void setEncodedMP( const OUString& aResult, const OUString& aResultIV, bool bAcceptEmpty = false );
+     void setUseStorage( bool bUse );
+     bool useStorage();
+ 
+@@ -223,6 +243,29 @@ private:
+     css::uno::Reference< css::lang::XComponent > mComponent;
+     SysCredentialsConfig mUrlContainer;
+ 
++    class RandomPool
++    {
++    private:
++        rtlRandomPool m_aRandomPool;
++    public:
++        RandomPool() : m_aRandomPool(rtl_random_createPool())
++        {
++        }
++        rtlRandomPool get()
++        {
++            return m_aRandomPool;
++        }
++        ~RandomPool()
++        {
++            // Clean up random pool memory
++            rtl_random_destroyPool(m_aRandomPool);
++        }
++    };
++
++    RandomPool mRandomPool;
++
++    OUString createIV();
++
+     /// @throws css::uno::RuntimeException
+     css::uno::Sequence< css::task::UserRecord > CopyToUserRecordSequence(
+                                         const ::std::vector< NamePassRecord >& original,
+@@ -273,10 +316,10 @@ css::task::UrlRecord find(
+                               const css::uno::Reference< css::task::XInteractionHandler >& Handler );
+ 
+     /// @throws css::uno::RuntimeException
+-    static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
++    static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
+ 
+     /// @throws css::uno::RuntimeException
+-    static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPassword );
++    static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPassword );
+ 
+ public:
+     PasswordContainer( const css::uno::Reference< css::lang::XMultiServiceFactory >& );
+-- 
+2.37.1
+

SOURCES/0004-CVE-2021-25634.patch

@@ -0,0 +1,397 @@
+From 9ef423d4e7c85629772131b3216b98e17d7b8d7e Mon Sep 17 00:00:00 2001
+From: Michael Stahl <michael.stahl@allotropia.de>
+Date: Thu, 18 Feb 2021 19:22:31 +0100
+Subject: [PATCH 4/6] CVE-2021-25634
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xmlsecurity: XSecParser confused about multiple timestamps
+
+LO writes timestamp both to dc:date and xades:SigningTime elements.
+
+The parser tries to avoid reading multiple dc:date, preferring the first
+one, but doesn't care about multiple xades:SigningTime, for undocumented
+reasons.
+
+Ideally something should check all read values for consistency.
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111160
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit 4ab8d9c09a5873ca0aea56dafa1ab34758d52ef7)
+
+xmlsecurity: remove XSecController::setPropertyId()
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111252
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit d2a345e1163616fe3201ef1d6c758e2e819214e0)
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111908
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit abe77c4fcb9ea97d9fff07eaea6d8863bcba5b02)
+
+Change-Id: Ic018ee89797a1c8a4f870ae102af48006de930ef
+---
+ include/svl/sigstruct.hxx                    |  7 +-
+ xmlsecurity/inc/xsecctl.hxx                  |  5 +-
+ xmlsecurity/source/helper/ooxmlsecparser.cxx |  4 +-
+ xmlsecurity/source/helper/xsecctl.cxx        |  2 +-
+ xmlsecurity/source/helper/xsecparser.cxx     | 81 ++++++++++----------
+ xmlsecurity/source/helper/xsecparser.hxx     |  6 --
+ xmlsecurity/source/helper/xsecsign.cxx       |  4 +-
+ xmlsecurity/source/helper/xsecverify.cxx     | 39 ++++------
+ 8 files changed, 68 insertions(+), 80 deletions(-)
+
+diff --git a/include/svl/sigstruct.hxx b/include/svl/sigstruct.hxx
+index f6ee242c84d1..7a0296fa9fae 100644
+--- a/include/svl/sigstruct.hxx
++++ b/include/svl/sigstruct.hxx
+@@ -103,6 +103,9 @@ struct SignatureInformation
+     // XAdES EncapsulatedX509Certificate values
+     std::set<OUString> maEncapsulatedX509Certificates;
+ 
++    OUString ouSignatureId;
++    // signature may contain multiple time stamps - check they're consistent
++    bool hasInconsistentSigningTime = false;
+     //We also keep the date and time as string. This is done when this
+     //structure is created as a result of a XML signature being read.
+     //When then a signature is added or another removed, then the original
+@@ -115,8 +118,8 @@ struct SignatureInformation
+     //and the converted time is written back, then the string looks different
+     //and the signature is broken.
+     OUString ouDateTime;
+-    OUString ouSignatureId;
+-    OUString ouPropertyId;
++    /// The Id attribute of the <SignatureProperty> element that contains the <dc:date>.
++    OUString ouDateTimePropertyId;
+     /// Characters of the <dc:description> element inside the signature.
+     OUString ouDescription;
+     /// The Id attribute of the <SignatureProperty> element that contains the <dc:description>.
+diff --git a/xmlsecurity/inc/xsecctl.hxx b/xmlsecurity/inc/xsecctl.hxx
+index 351c94a2a3e6..7baa219fb13c 100644
+--- a/xmlsecurity/inc/xsecctl.hxx
++++ b/xmlsecurity/inc/xsecctl.hxx
+@@ -271,8 +271,8 @@ private:
+     void setGpgCertificate( OUString const & ouGpgCert );
+     void setGpgOwner( OUString const & ouGpgOwner );
+ 
+-    void setDate( OUString const & ouDate );
+-    void setDescription(const OUString& rDescription);
++    void setDate(OUString const& rId, OUString const& ouDate);
++    void setDescription(OUString const& rId, OUString const& rDescription);
+     void setCertDigest(const OUString& rCertDigest);
+     void setValidSignatureImage(const OUString& rValidSigImg);
+     void setInvalidSignatureImage(const OUString& rInvalidSigImg);
+@@ -283,7 +283,6 @@ public:
+ 
+ private:
+     void setId( OUString const & ouId );
+-    void setPropertyId( OUString const & ouPropertyId );
+ 
+     css::uno::Reference< css::xml::crypto::sax::XReferenceResolvedListener > prepareSignatureToRead(
+         sal_Int32 nSecurityId );
+diff --git a/xmlsecurity/source/helper/ooxmlsecparser.cxx b/xmlsecurity/source/helper/ooxmlsecparser.cxx
+index c22e8c2261bf..a200de60c07a 100644
+--- a/xmlsecurity/source/helper/ooxmlsecparser.cxx
++++ b/xmlsecurity/source/helper/ooxmlsecparser.cxx
+@@ -192,12 +192,12 @@ void SAL_CALL OOXMLSecParser::endElement(const OUString& rName)
+     }
+     else if (rName == "mdssi:Value")
+     {
+-        m_pXSecController->setDate(m_aMdssiValue);
++        m_pXSecController->setDate("", m_aMdssiValue);
+         m_bInMdssiValue = false;
+     }
+     else if (rName == "SignatureComments")
+     {
+-        m_pXSecController->setDescription(m_aSignatureComments);
++        m_pXSecController->setDescription("", m_aSignatureComments);
+         m_bInSignatureComments = false;
+     }
+     else if (rName == "X509IssuerName")
+diff --git a/xmlsecurity/source/helper/xsecctl.cxx b/xmlsecurity/source/helper/xsecctl.cxx
+index ab108d13c224..8d5ea68c768b 100644
+--- a/xmlsecurity/source/helper/xsecctl.cxx
++++ b/xmlsecurity/source/helper/xsecctl.cxx
+@@ -819,7 +819,7 @@ void XSecController::exportSignature(
+                 pAttributeList = new SvXMLAttributeList();
+                 pAttributeList->AddAttribute(
+                     "Id",
+-                    signatureInfo.ouPropertyId);
++                    signatureInfo.ouDateTimePropertyId);
+                 pAttributeList->AddAttribute(
+                     "Target",
+                     "#" + signatureInfo.ouSignatureId);
+diff --git a/xmlsecurity/source/helper/xsecparser.cxx b/xmlsecurity/source/helper/xsecparser.cxx
+index 5c92e5efa104..9cc9312b4d9f 100644
+--- a/xmlsecurity/source/helper/xsecparser.cxx
++++ b/xmlsecurity/source/helper/xsecparser.cxx
+@@ -978,6 +978,9 @@ class XSecParser::XadesSigningCertificateContext
+ class XSecParser::XadesSigningTimeContext
+     : public XSecParser::Context
+ {
++    private:
++        OUString m_Value;
++
+     public:
+         XadesSigningTimeContext(XSecParser & rParser,
+                 std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+@@ -985,20 +988,14 @@ class XSecParser::XadesSigningTimeContext
+         {
+         }
+ 
+-        virtual void StartElement(
+-            css::uno::Reference<css::xml::sax::XAttributeList> const& /*xAttrs*/) override
+-        {
+-            m_rParser.m_ouDate.clear();
+-        }
+-
+         virtual void EndElement() override
+         {
+-            m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate );
++            m_rParser.m_pXSecController->setDate("", m_Value);
+         }
+ 
+         virtual void Characters(OUString const& rChars) override
+         {
+-            m_rParser.m_ouDate += rChars;
++            m_Value += rChars;
+         }
+ };
+ 
+@@ -1104,35 +1101,20 @@ class XSecParser::DcDateContext
+     : public XSecParser::Context
+ {
+     private:
+-        bool m_isIgnore = false;
++        OUString & m_rValue;
+ 
+     public:
+         DcDateContext(XSecParser & rParser,
+-                std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
++                std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++                OUString & rValue)
+             : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++            , m_rValue(rValue)
+         {
+         }
+ 
+-        virtual void StartElement(
+-            css::uno::Reference<css::xml::sax::XAttributeList> const& /*xAttrs*/) override
+-        {
+-            m_isIgnore = !m_rParser.m_ouDate.isEmpty();
+-        }
+-
+-        virtual void EndElement() override
+-        {
+-            if (!m_isIgnore)
+-            {
+-                m_rParser.m_pXSecController->setDate( m_rParser.m_ouDate );
+-            }
+-        }
+-
+         virtual void Characters(OUString const& rChars) override
+         {
+-            if (!m_isIgnore)
+-            {
+-                m_rParser.m_ouDate += rChars;
+-            }
++            m_rValue += rChars;
+         }
+ };
+ 
+@@ -1140,29 +1122,32 @@ class XSecParser::DcDescriptionContext
+     : public XSecParser::Context
+ {
+     private:
+-        OUString m_Value;
++        OUString & m_rValue;
+ 
+     public:
+         DcDescriptionContext(XSecParser & rParser,
+-                std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
++                std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap,
++                OUString & rValue)
+             : XSecParser::Context(rParser, std::move(pOldNamespaceMap))
++            , m_rValue(rValue)
+         {
+         }
+ 
+-        virtual void EndElement() override
+-        {
+-            m_rParser.m_pXSecController->setDescription(m_Value);
+-        }
+-
+         virtual void Characters(OUString const& rChars) override
+         {
+-            m_Value += rChars;
++            m_rValue += rChars;
+         }
+ };
+ 
+ class XSecParser::DsSignaturePropertyContext
+     : public XSecParser::Context
+ {
++    private:
++        enum class SignatureProperty { Unknown, Date, Description };
++        SignatureProperty m_Property = SignatureProperty::Unknown;
++        OUString m_Id;
++        OUString m_Value;
++
+     public:
+         DsSignaturePropertyContext(XSecParser & rParser,
+                 std::unique_ptr<SvXMLNamespaceMap> pOldNamespaceMap)
+@@ -1173,10 +1158,22 @@ class XSecParser::DsSignaturePropertyContext
+         virtual void StartElement(
+             css::uno::Reference<css::xml::sax::XAttributeList> const& xAttrs) override
+         {
+-            OUString const ouIdAttr(m_rParser.HandleIdAttr(xAttrs));
+-            if (!ouIdAttr.isEmpty())
++            m_Id = m_rParser.HandleIdAttr(xAttrs);
++        }
++
++        virtual void EndElement() override
++        {
++            switch (m_Property)
+             {
+-                m_rParser.m_pXSecController->setPropertyId( ouIdAttr );
++                case SignatureProperty::Unknown:
++                    SAL_INFO("xmlsecurity.helper", "Unknown property in ds:Object ignored");
++                    break;
++                case SignatureProperty::Date:
++                    m_rParser.m_pXSecController->setDate(m_Id, m_Value);
++                    break;
++                case SignatureProperty::Description:
++                    m_rParser.m_pXSecController->setDescription(m_Id, m_Value);
++                    break;
+             }
+         }
+ 
+@@ -1186,11 +1183,13 @@ class XSecParser::DsSignaturePropertyContext
+         {
+             if (nNamespace == XML_NAMESPACE_DC && rName == "date")
+             {
+-                return std::make_unique<DcDateContext>(m_rParser, std::move(pOldNamespaceMap));
++                m_Property = SignatureProperty::Date;
++                return std::make_unique<DcDateContext>(m_rParser, std::move(pOldNamespaceMap), m_Value);
+             }
+             if (nNamespace == XML_NAMESPACE_DC && rName == "description")
+             {
+-                return std::make_unique<DcDescriptionContext>(m_rParser, std::move(pOldNamespaceMap));
++                m_Property = SignatureProperty::Description;
++                return std::make_unique<DcDescriptionContext>(m_rParser, std::move(pOldNamespaceMap), m_Value);
+             }
+             return XSecParser::Context::CreateChildContext(std::move(pOldNamespaceMap), nNamespace, rName);
+         }
+diff --git a/xmlsecurity/source/helper/xsecparser.hxx b/xmlsecurity/source/helper/xsecparser.hxx
+index 93efcb766e3e..7a0eb08bca28 100644
+--- a/xmlsecurity/source/helper/xsecparser.hxx
++++ b/xmlsecurity/source/helper/xsecparser.hxx
+@@ -97,12 +97,6 @@ private:
+     class DsSignatureContext;
+     class DsigSignaturesContext;
+ 
+-    /*
+-     * the following members are used to reserve the signature information,
+-     * including X509IssuerName, X509SerialNumber, and X509Certificate,etc.
+-     */
+-    OUString m_ouDate;
+-
+     std::stack<std::unique_ptr<Context>> m_ContextStack;
+     std::unique_ptr<SvXMLNamespaceMap> m_pNamespaceMap;
+ 
+diff --git a/xmlsecurity/source/helper/xsecsign.cxx b/xmlsecurity/source/helper/xsecsign.cxx
+index 4d1b89949feb..5ed23281f083 100644
+--- a/xmlsecurity/source/helper/xsecsign.cxx
++++ b/xmlsecurity/source/helper/xsecsign.cxx
+@@ -132,8 +132,8 @@ cssu::Reference< cssxc::sax::XReferenceResolvedListener > XSecController::prepar
+     if (nStorageFormat != embed::StorageFormats::OFOPXML)
+     {
+         internalSignatureInfor.signatureInfor.ouSignatureId = createId();
+-        internalSignatureInfor.signatureInfor.ouPropertyId = createId();
+-        internalSignatureInfor.addReference(SignatureReferenceType::SAMEDOCUMENT, digestID, internalSignatureInfor.signatureInfor.ouPropertyId, -1, OUString() );
++        internalSignatureInfor.signatureInfor.ouDateTimePropertyId = createId();
++        internalSignatureInfor.addReference(SignatureReferenceType::SAMEDOCUMENT, digestID, internalSignatureInfor.signatureInfor.ouDateTimePropertyId, -1, OUString() );
+         size++;
+ 
+         if (bXAdESCompliantIfODF)
+diff --git a/xmlsecurity/source/helper/xsecverify.cxx b/xmlsecurity/source/helper/xsecverify.cxx
+index 1f7fa9ac8ca8..5f5840334254 100644
+--- a/xmlsecurity/source/helper/xsecverify.cxx
++++ b/xmlsecurity/source/helper/xsecverify.cxx
+@@ -321,7 +321,7 @@ void XSecController::setGpgOwner( OUString const & ouGpgOwner )
+     isi.signatureInfor.ouGpgOwner = ouGpgOwner;
+ }
+ 
+-void XSecController::setDate( OUString const & ouDate )
++void XSecController::setDate(OUString const& rId, OUString const& ouDate)
+ {
+     if (m_vInternalSignatureInformations.empty())
+     {
+@@ -329,17 +329,31 @@ void XSecController::setDate( OUString const & ouDate )
+         return;
+     }
+     InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
++    // there may be multiple timestamps in a signature - check them for consistency
++    if (!isi.signatureInfor.ouDateTime.isEmpty()
++        && isi.signatureInfor.ouDateTime != ouDate)
++    {
++        isi.signatureInfor.hasInconsistentSigningTime = true;
++    }
+     (void)utl::ISO8601parseDateTime( ouDate, isi.signatureInfor.stDateTime);
+     isi.signatureInfor.ouDateTime = ouDate;
++    if (!rId.isEmpty())
++    {
++        isi.signatureInfor.ouDateTimePropertyId = rId;
++    }
+ }
+ 
+-void XSecController::setDescription(const OUString& rDescription)
++void XSecController::setDescription(OUString const& rId, OUString const& rDescription)
+ {
+     if (m_vInternalSignatureInformations.empty())
+         return;
+ 
+     InternalSignatureInformation& rInformation = m_vInternalSignatureInformations.back();
+     rInformation.signatureInfor.ouDescription = rDescription;
++    if (!rId.isEmpty())
++    {
++        rInformation.signatureInfor.ouDescriptionPropertyId = rId;
++    }
+ }
+ 
+ void XSecController::setSignatureBytes(const uno::Sequence<sal_Int8>& rBytes)
+@@ -433,27 +447,6 @@ void XSecController::setId( OUString const & ouId )
+     isi.signatureInfor.ouSignatureId = ouId;
+ }
+ 
+-void XSecController::setPropertyId( OUString const & ouPropertyId )
+-{
+-    if (m_vInternalSignatureInformations.empty())
+-    {
+-        SAL_INFO("xmlsecurity.helper","XSecController::setPropertyId: no signature");
+-        return;
+-    }
+-    InternalSignatureInformation &isi = m_vInternalSignatureInformations.back();
+-
+-    if (isi.signatureInfor.ouPropertyId.isEmpty())
+-    {
+-        // <SignatureProperty> ID attribute is for the date.
+-        isi.signatureInfor.ouPropertyId = ouPropertyId;
+-    }
+-    else
+-    {
+-        // <SignatureProperty> ID attribute is for the description.
+-        isi.signatureInfor.ouDescriptionPropertyId = ouPropertyId;
+-    }
+-}
+-
+ /* public: for signature verify */
+ void XSecController::collectToVerify( const OUString& referenceId )
+ {
+-- 
+2.32.0
+

SOURCES/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch

@@ -0,0 +1,117 @@
+From 4cfd591942e4cfd3efc416bfac8e46e3580d37ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 23 Mar 2022 13:03:30 +0000
+Subject: [PATCH] add infobar to prompt to refresh to replace old format
+
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976
+Tested-by: Jenkins
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+(cherry picked from commit bbd196ff82bda9f66b4ba32a412f10cefe6da60e)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132307
+Reviewed-by: Sophie Gautier <sophi@libreoffice.org>
+Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+(cherry picked from commit c5d01b11db3c83cb4a89d3b388d78e20dd3990b5)
+
+Change-Id: Id99cbf2b50a4ebf289dae6fc67e22e20afcda35b
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133906
+Tested-by: Michael Stahl <michael.stahl@allotropia.de>
+Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
+---
+ include/sfx2/strings.hrc     |  2 ++
+ include/sfx2/viewfrm.hxx     |  1 +
+ sfx2/source/view/viewfrm.cxx | 40 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 43 insertions(+)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 1f21f0a0f186..1db36e733c0c 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -297,6 +297,8 @@
+ #define STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK   NC_("STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK", "The certificate could not be validated and the document is only partially signed.")
+ #define STR_SIGNATURE_OK                        NC_("STR_SIGNATURE_OK", "This document is digitally signed and the signature is valid.")
+ #define STR_SIGNATURE_SHOW                      NC_("STR_SIGNATURE_SHOW", "Show Signatures")
++#define STR_REFRESH_MASTER_PASSWORD             NC_("STR_REFRESH_MASTER_PASSWORD", "The master password is stored in an outdated format, you should refresh it")
++#define STR_REFRESH_PASSWORD                    NC_("STR_REFRESH_PASSWORD", "Refresh Password")
+ 
+ #define STR_CLOSE_PANE                          NC_("STR_CLOSE_PANE", "Close Pane")
+ #define STR_SFX_DOCK                            NC_("STR_SFX_DOCK", "Dock")
+diff --git a/include/sfx2/viewfrm.hxx b/include/sfx2/viewfrm.hxx
+index fe336ba5f091..cc6a7dae7047 100644
+--- a/include/sfx2/viewfrm.hxx
++++ b/include/sfx2/viewfrm.hxx
+@@ -61,6 +61,7 @@ protected:
+     DECL_LINK(WhatsNewHandler, Button*, void);
+     DECL_LINK(SwitchReadOnlyHandler, Button*, void);
+     DECL_LINK(SignDocumentHandler, Button*, void);
++    DECL_DLLPRIVATE_LINK(RefreshMasterPasswordHdl, Button*, void);
+     SAL_DLLPRIVATE void KillDispatcher_Impl();
+ 
+     virtual                 ~SfxViewFrame() override;
+diff --git a/sfx2/source/view/viewfrm.cxx b/sfx2/source/view/viewfrm.cxx
+index 5a64599e5894..86e7d51bbfea 100644
+--- a/sfx2/source/view/viewfrm.cxx
++++ b/sfx2/source/view/viewfrm.cxx
+@@ -32,6 +32,7 @@
+ #include <com/sun/star/frame/XLoadable.hpp>
+ #include <com/sun/star/frame/XLayoutManager.hpp>
+ #include <com/sun/star/frame/XComponentLoader.hpp>
++#include <com/sun/star/task/PasswordContainer.hpp>
+ #include <officecfg/Office/Common.hxx>
+ #include <officecfg/Setup.hxx>
+ #include <toolkit/helper/vclunohelper.hxx>
+@@ -1390,6 +1391,24 @@ void SfxViewFrame::Notify( SfxBroadcaster& /*rBC*/, const SfxHint& rHint )
+                     batch->commit();
+                 }
+ 
++                if (officecfg::Office::Common::Passwords::HasMaster::get() &&
++                    officecfg::Office::Common::Passwords::StorageVersion::get() == 0)
++                {
++                    // master password stored in deprecated format
++                    VclPtr<SfxInfoBarWindow> pOldMasterPasswordInfoBar =
++                        AppendInfoBar("oldmasterpassword", "",
++                                      SfxResId(STR_REFRESH_MASTER_PASSWORD), InfobarType::DANGER, false);
++                    if (pOldMasterPasswordInfoBar)
++                    {
++                        VclPtrInstance<PushButton> const xBtn(&GetWindow());
++                        xBtn->SetText(SfxResId(STR_REFRESH_PASSWORD));
++                        xBtn->SetSizePixel(xBtn->GetOptimalSize());
++                        xBtn->SetClickHdl(LINK(this,
++                           SfxViewFrame, RefreshMasterPasswordHdl));
++                        pOldMasterPasswordInfoBar->addButton(xBtn);
++                    }
++                }
++
+                 // read-only infobar if necessary
+                 const SfxViewShell *pVSh;
+                 const SfxShell *pFSh;
+@@ -1565,6 +1584,27 @@ IMPL_LINK_NOARG(SfxViewFrame, SignDocumentHandler, Button*, void)
+     GetDispatcher()->Execute(SID_SIGNATURE);
+ }
+ 
++IMPL_LINK_NOARG(SfxViewFrame, RefreshMasterPasswordHdl, Button*, void)
++{
++    bool bChanged = false;
++    try
++    {
++        Reference< task::XPasswordContainer2 > xMasterPasswd(
++            task::PasswordContainer::create(comphelper::getProcessComponentContext()));
++
++        css::uno::Reference<css::frame::XFrame> xFrame = GetFrame().GetFrameInterface();
++        css::uno::Reference<css::awt::XWindow> xContainerWindow = xFrame->getContainerWindow();
++
++        uno::Reference<task::XInteractionHandler> xTmpHandler(task::InteractionHandler::createWithParent(comphelper::getProcessComponentContext(),
++                                                              xContainerWindow));
++        bChanged = xMasterPasswd->changeMasterPassword(xTmpHandler);
++    }
++    catch (const Exception&)
++    {}
++    if (bChanged)
++        RemoveInfoBar(u"oldmasterpassword");
++}
++
+ void SfxViewFrame::Construct_Impl( SfxObjectShell *pObjSh )
+ {
+     m_pImpl->bResizeInToOut = true;
+-- 
+2.37.1
+

SOURCES/libreoffice-base-symbolic.svg

@@ -1,27 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-base-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='-65.007495' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-143.00018,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 154.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path18821' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 144.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path18823' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <path inkscape:connector-curvature='0' d='m 148.03145,203.7172 c 0,0.951 0,0 0,0.951 2.10295,1.09462 4,0 4,0 l 0,-0.951 c 0,0 -2.05961,1.05726 -4,0 z' id='path18853' sodipodi:nodetypes='ccccc' style='fill:#bebebe;fill-opacity:1;stroke:none'/>
-    <path sodipodi:cx='29.633902' sodipodi:cy='5.3320975' d='m 31.999999,5.3320975 a 2.3660977,0.66790265 0 1 1 -4.732195,0 2.3660977,0.66790265 0 1 1 4.732195,0 z' id='path18855' sodipodi:rx='2.3660977' sodipodi:ry='0.66790265' style='fill:#bebebe;fill-opacity:1;stroke:none' transform='matrix(0.84527458,0,0,1.4972236,124.98267,194.01666)' sodipodi:type='arc'/>
-    <path inkscape:connector-curvature='0' d='m 148.03145,205.7172 c 0,0.951 0,0 0,0.951 2.10295,1.09462 4,0 4,0 l 0,-0.951 c 0,0 -2.05961,1.05726 -4,0 z' id='path18864' sodipodi:nodetypes='ccccc' style='fill:#bebebe;fill-opacity:1;stroke:none'/>
-  </g>
-</svg>

SOURCES/libreoffice-calc-symbolic.svg

@@ -1,27 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-calc-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='19.52026' inkscape:cy='1.7874' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-83.000198,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 94.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path12998' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 84.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path13000' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <rect height='3' id='rect18593' style='fill:#bebebe;fill-opacity:1;stroke:none' transform='scale(-1,1)' width='1.9999983' x='-89.000198' y='204'/>
-    <rect height='2' id='rect18595' style='fill:#bebebe;fill-opacity:1;stroke:none' width='2.0000017' x='93.000198' y='205'/>
-    <rect height='5' id='rect18597' style='fill:#bebebe;fill-opacity:1;stroke:none' transform='scale(-1,1)' width='2' x='-92.000198' y='202'/>
-  </g>
-</svg>

SOURCES/libreoffice-draw-symbolic.svg

@@ -1,26 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-draw-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='-45.00751' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-123.0002,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 134.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path18767' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 124.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path18769' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <path inkscape:connector-curvature='0' d='m 132.0002,203 -3,4 6,0 z' id='path18798' sodipodi:nodetypes='cccc' style='fill:#bebebe;fill-opacity:1;stroke:none'/>
-    <path sodipodi:cx='8.203125' sodipodi:cy='4' d='M 10,4 A 1.7968751,2 0 1 1 6.4062499,4 1.7968751,2 0 1 1 10,4 z' id='path18805' sodipodi:rx='1.7968751' sodipodi:ry='2' style='fill:#bebebe;fill-opacity:1;stroke:none' transform='matrix(1.1130434,0,0,1,119.86977,197)' sodipodi:type='arc'/>
-  </g>
-</svg>

SOURCES/libreoffice-impress-symbolic.svg

@@ -1,25 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-impress-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='-25.00751' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-103.0002,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 114.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path18661' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 104.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path18663' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <path inkscape:connector-curvature='0' d='m 107.5002,203 c -0.277,0 -0.5,0.223 -0.5,0.5 l 0,4 c 0,0.277 0.223,0.5 0.5,0.5 l 7,0 c 0.277,0 0.5,-0.223 0.5,-0.5 l 0,-4 c 0,-0.277 -0.223,-0.5 -0.5,-0.5 l -7,0 z m 1,1 c 0.27614,0 0.5,0.22386 0.5,0.5 0,0.27614 -0.22386,0.5 -0.5,0.5 -0.27614,0 -0.5,-0.22386 -0.5,-0.5 0,-0.27614 0.22386,-0.5 0.5,-0.5 z m 2,0 3,0 c 0.277,0 0.5,0.223 0.5,0.5 0,0.277 -0.223,0.5 -0.5,0.5 l -3,0 c -0.277,0 -0.5,-0.223 -0.5,-0.5 0,-0.277 0.223,-0.5 0.5,-0.5 z m -2,2 c 0.27614,0 0.5,0.22386 0.5,0.5 0,0.27614 -0.22386,0.5 -0.5,0.5 -0.27614,0 -0.5,-0.22386 -0.5,-0.5 0,-0.27614 0.22386,-0.5 0.5,-0.5 z m 2,0 3,0 c 0.277,0 0.5,0.223 0.5,0.5 0,0.277 -0.223,0.5 -0.5,0.5 l -3,0 c -0.277,0 -0.5,-0.223 -0.5,-0.5 0,-0.277 0.223,-0.5 0.5,-0.5 z' id='rect18746' style='fill:#bebebe;fill-opacity:1;stroke:none'/>
-  </g>
-</svg>

SOURCES/libreoffice-main-symbolic.svg

@@ -1,24 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-main-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='34.99249' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-43.000198,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 54.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path6692' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 44.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path14007' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-  </g>
-</svg>

SOURCES/libreoffice-math-symbolic.svg

@@ -1,25 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-math-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='-85.00751' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-163.0002,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 174.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path18879' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 164.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path18881' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <path inkscape:connector-curvature='0' d='m 174.0002,201 -2,0 -2,4 -1,-2 -2,0 0,2 1.45956,0 1.54044,3 2.6029,-5 1.3971,0 z' id='rect13006-2' sodipodi:nodetypes='ccccccccccc' style='fill:#bebebe;fill-opacity:1;stroke:none'/>
-  </g>
-</svg>

SOURCES/libreoffice-writer-symbolic.svg

@@ -1,28 +0,0 @@
-<?xml version='1.0' encoding='UTF-8' standalone='no'?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg xmlns:cc='http://creativecommons.org/ns#' xmlns:dc='http://purl.org/dc/elements/1.1/' sodipodi:docname='libreoffice-writer-symbolic.svg' height='16' id='svg7384' xmlns:inkscape='http://www.inkscape.org/namespaces/inkscape' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:sodipodi='http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd' xmlns:svg='http://www.w3.org/2000/svg' inkscape:version='0.48.2 r9819' version='1.1' width='16' xmlns='http://www.w3.org/2000/svg'>
-  <metadata id='metadata90'>
-    <rdf:RDF>
-      <cc:Work rdf:about=''>
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type rdf:resource='http://purl.org/dc/dcmitype/StillImage'/>
-        <dc:title>Gnome Symbolic Icon Theme</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <sodipodi:namedview inkscape:bbox-paths='true' bordercolor='#666666' borderopacity='1' inkscape:current-layer='layer9' inkscape:cx='14.99249' inkscape:cy='2.627089' gridtolerance='10' inkscape:guide-bbox='true' guidetolerance='10' id='namedview88' inkscape:object-nodes='false' inkscape:object-paths='false' objecttolerance='10' pagecolor='#555753' inkscape:pageopacity='1' inkscape:pageshadow='2' showborder='false' showgrid='false' showguides='true' inkscape:snap-bbox='false' inkscape:snap-bbox-midpoints='false' inkscape:snap-global='true' inkscape:snap-grids='true' inkscape:snap-nodes='true' inkscape:snap-others='false' inkscape:snap-to-guides='true' inkscape:window-height='1381' inkscape:window-maximized='1' inkscape:window-width='2560' inkscape:window-x='1600' inkscape:window-y='27' inkscape:zoom='22.627417'>
-    <inkscape:grid empspacing='2' enabled='true' id='grid4866' snapvisiblegridlinesonly='true' spacingx='1px' spacingy='1px' type='xygrid' visible='true'/>
-  </sodipodi:namedview>
-  <title id='title9167'>Gnome Symbolic Icon Theme</title>
-  <defs id='defs7386'/>
-  <g inkscape:groupmode='layer' id='layer9' inkscape:label='apps' style='display:inline' transform='translate(-63.000198,-195)'>
-    
-    <path inkscape:connector-curvature='0' d='m 74.28125,195.00525 c -0.27821,0.0752 -0.37465,0.49932 -0.15625,0.68727 l 3.1875,3.18646 c 0.21982,0.23021 0.69212,0.0371 0.6875,-0.28116 l 0,-3.21769 c -0.0122,-0.20318 -0.20269,-0.37897 -0.40625,-0.37488 l -3.1875,0 c -0.0413,-0.007 -0.0837,-0.007 -0.125,0 z' id='path6699' sodipodi:nodetypes='cccccccc' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:0.79782361px;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans'/>
-    <path inkscape:connector-curvature='0' d='m 64.84395,195.00525 c -0.4813,0.0874 -0.85238,0.53322 -0.84375,0.99967 l 0,13.99541 c 6e-5,0.52341 0.51276,0.99962 1.0625,0.99967 l 11.875,0 c 0.54975,-5e-5 1.06245,-0.47626 1.0625,-0.99967 l -0.0312,-7.59126 c 0.006,-0.26397 -0.0884,-0.52879 -0.28125,-0.71852 l -6.40625,-6.40414 c -0.19927,-0.18364 -0.47275,-0.28728 -0.75,-0.28116 l -5.46875,0 c -0.0654,-0.006 -0.15331,-0.006 -0.21875,0 z m 1.15625,1.99934 4,0 3.5,3.49885 2.5,2.49918 0,5.99804 -10,0 0,-11.99607 z' id='path6701' style='font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0pt;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;text-anchor:start;color:#000000;fill:#bebebe;fill-opacity:1;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;font-family:Andale Mono'/>
-    <rect height='0.96875' id='rect12972' style='fill:#bebebe;fill-opacity:1;stroke:none' width='2.9999998' x='68.000198' y='206'/>
-    <rect height='1.0625' id='rect12974' style='fill:#bebebe;fill-opacity:1;stroke:none' width='6' x='68.000198' y='203.96875'/>
-    <rect height='0.96875' id='rect12976' style='fill:#bebebe;fill-opacity:1;stroke:none' width='5' x='68.000198' y='202.03125'/>
-    <rect height='0.96875' id='rect12980' style='fill:#bebebe;fill-opacity:1;stroke:none' width='2.9999983' x='68.000198' y='200.03125'/>
-  </g>
-</svg>

SPECS/libreoffice.spec

@@ -54,7 +54,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.2
-Release:        6%{?libo_prerelease}%{?dist}
+Release:        13%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/
 
@@ -269,6 +269,22 @@ Patch25: 0008-Resolves-tdf-137215-restore-original-modality-before.patch
 Patch26: 0001-rhbz-1882616-move-cursor-one-step-at-a-time-in-the-d.patch
 Patch27: 0001-rhbz-1980800-allow-convert-to-csv-to-write-each-shee.patch
 Patch28: 0001-Resolves-tdf-132739-two-style-tags-where-there-shoul.patch
+Patch29: 0001-backports-to-ease-CVE-backporting.patch
+Patch30: 0002-CVE-2021-25635.patch
+Patch31: 0003-xmlsecurity-replace-XSecParser-implementation.patch
+Patch32: 0004-CVE-2021-25634.patch
+Patch33: 0005-CVE-2021-25633.patch
+Patch34: 0006-xmlsecurity-replace-OOXMLSecParser-implementation.patch
+Patch35: 0001-Correctly-read-PNG-into-bitmaps-N32BitTcA.-formats-w.patch
+Patch36: 0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch
+Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch
+Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch
+Patch39: 0001-CVE-2021-25636.patch
+Patch40: 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch
+Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch
+Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch
+Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch
+Patch44: 0001-CVE-2022-3140.patch
 
 %if 0%{?rhel}
 # not upstreamed
@@ -318,7 +334,9 @@ Summary: Core modules for LibreOffice
 Requires: %{name}-%{fontname}-fonts = %{epoch}:%{version}-%{release}
 Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-data = %{epoch}:%{version}-%{release}
+%ifnarch s390 s390x aarch64
 Requires: %{name}-plugin%{?_isa} = %{epoch}:%{version}-%{release}
+%endif
 Requires: liberation-sans-fonts, liberation-serif-fonts, liberation-mono-fonts
 Requires: dejavu-sans-fonts, dejavu-serif-fonts, dejavu-sans-mono-fonts
 Requires: google-crosextra-caladea-fonts, google-crosextra-carlito-fonts
@@ -1021,6 +1039,11 @@ sed -i -e /CppunitTest_sw_uiwriter/d sw/Module_sw.mk
 sed -i -e /CppunitTest_sc_subsequent_filters_test/d sc/Module_sc.mk
 %endif
 sed -i -e /CppunitTest_sal_osl/d sal/Module_sal.mk
+%ifarch s390x
+sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk
+sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk
+sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk
+%endif
 
 git commit -q -a -m 'temporarily disable failing tests'
 
@@ -1112,7 +1135,13 @@ touch autogen.lastrun
 
 ulimit -c unlimited || true
 
-make verbose=true build-nocheck
+if ! make verbose=true build-nocheck; then
+    echo "build attempt 1 failed"
+    if ! make verbose=true build-nocheck; then
+        echo "build attempt 2 failed"
+        make verbose=true GMAKE_OPTIONS=-rj1 build-nocheck
+    fi
+fi
 
 #generate the icons and mime type stuff
 export DESTDIR=../output
@@ -1338,7 +1367,12 @@ for file in *.desktop; do
         $file
 done
 # rhbz#186515 do not show startcenter
-sed -i -e /NoDisplay/s/false/true/ startcenter.desktop
+desktop-file-edit --set-key=NoDisplay --set-value=true startcenter.desktop
+%ifarch s390 s390x aarch64
+for app in base calc draw impress math startcenter writer xsltfilter; do
+    desktop-file-edit --set-key=NoDisplay --set-value=true $app.desktop
+done
+%endif
 # relocate the .desktop and icon files
 install -m 0755 -d %{buildroot}%{_datadir}/applications
 for app in base calc draw impress math startcenter writer xsltfilter; do
@@ -1500,8 +1534,8 @@ for jar in %{buildroot}%{baseinstdir}/program/classes/*.jar; do
 done
 
 %check
-%ifnarch ppc64 s390x aarch64 armv7hl
-make
+%ifnarch ppc64 aarch64 armv7hl
+make unitcheck slowcheck
 # we don't need this anymore
 rm -f %{buildroot}%{baseinstdir}/program/classes/smoketest.jar
 %endif
@@ -2253,6 +2287,33 @@ done
 %{_includedir}/LibreOfficeKit
 
 %changelog
+* Mon Nov 21 2022 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-13
+- Resolves: rhbz#2031681 Failure saving to smb share
+
+* Fri Oct 14 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-12
+- Resolves: rhbz#2118928 CVE-2022-26305 Untrusted Macros
+- Resolves: rhbz#2118924 CVE-2022-26307 Weak Master Keys
+- Resolves: rhbz#2118920 CVE-2022-26306 Static Initialization Vector
+- Resolves: rhbz#2134702 CVE-2022-3140 Macro URL arbitrary script execution
+
+* Mon Mar 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-11
+- Resolves: rhbz#2060559 CVE-2021-25636
+
+* Mon Feb 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-10
+- Related: rhbz#2029810  bump n-v-r
+
+* Mon Jan 31 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-9
+- Related: rhbz#2029810 set NoDisplay=true for .desktop on s390x/aarch64
+- Related: rhbz#2029810 don't Require any vclplug for s390x/aarch64
+
+* Tue Dec 07 2021 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-8
+- Resolves: rhbz#2029810 enable make check on s390x
+
+* Fri Oct 15 2021 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-7
+- Resolves: rhbz#2013858 CVE-2021-25633
+- Resolves: rhbz#2014215 CVE-2021-25634
+- Resolves: rhbz#2014209 CVE-2021-25635
+
 * Mon Sep 06 2021 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-6
 - Resolves: rhbz#1980800 allow convert to csv to write each sheet to
   separate file