Version in base suite: 7.4.7-1+deb12u10
Version in overlay suite: 7.4.7-1+deb12u11

Base version: libreoffice_7.4.7-1+deb12u11
Target version: libreoffice_7.4.7-1+deb12u12
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/libreoffice/libreoffice_7.4.7-1+deb12u11.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/libreoffice/libreoffice_7.4.7-1+deb12u12.dsc

 changelog                                           |    7 +
 patches/Fix-check-for-further-exotic-protocols.diff |  121 ++++++++++++++++++++
 patches/series                                      |    1 
 3 files changed, 129 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp0yo618f5/libreoffice_7.4.7-1+deb12u11.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp0yo618f5/libreoffice_7.4.7-1+deb12u12.dsc: no acceptable signature found
diff -Nru libreoffice-7.4.7/debian/changelog libreoffice-7.4.7/debian/changelog
--- libreoffice-7.4.7/debian/changelog	2026-03-19 20:25:21.000000000 +0000
+++ libreoffice-7.4.7/debian/changelog	2026-05-07 19:49:15.000000000 +0000
@@ -1,3 +1,10 @@
+libreoffice (4:7.4.7-1+deb12u12) bookworm; urgency=medium
+
+  * debian/patches/Fix-check-for-further-exotic-protocols.diff: add missing
+    patch for CVE-2024-12426, thanks Caolan McNamara
+
+ -- Rene Engelhard <rene@debian.org>  Thu, 07 May 2026 21:49:15 +0200
+
 libreoffice (4:7.4.7-1+deb12u11) bookworm-security; urgency=medium
 
   * debian/patches/Conform-AlignEngine-parsing-to-spec.diff: as name says;
diff -Nru libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff
--- libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff	1970-01-01 00:00:00.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff	2026-05-07 19:47:25.000000000 +0000
@@ -0,0 +1,121 @@
+From a58893f2de8210008fa7bb403e9c9000869e6c04 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <stephan.bergmann@allotropia.de>
+Date: Sat, 7 Dec 2024 17:36:22 +0100
+Subject: [PATCH] Fix check for further exotic protocols
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+...that were added in 59891cd3985469bc44dbd05c9fc704eeb07f0c78 "look at
+'embedded' protocols for protocols that support them"
+
+Change-Id: I42836d6fd27cd99e39ab07e626053f002a2651f5
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178047
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <stephan.bergmann@allotropia.de>
+(cherry picked from commit 8075798b22f2188530f57b8747589923bfd419ef)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178065
+Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178166
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
+---
+ tools/qa/cppunit/test_urlobj.cxx | 44 ++++++++++++++++++++++++++++++++
+ tools/source/fsys/urlobj.cxx     | 17 +++++++++---
+ 2 files changed, 58 insertions(+), 3 deletions(-)
+
+diff --git a/tools/qa/cppunit/test_urlobj.cxx b/tools/qa/cppunit/test_urlobj.cxx
+index fff77e41f5e7..12635eba8dd3 100644
+--- a/tools/qa/cppunit/test_urlobj.cxx
++++ b/tools/qa/cppunit/test_urlobj.cxx
+@@ -354,6 +354,49 @@ namespace tools_urlobj
+             }
+         }
+ 
++        void testIsExoticProtocol() {
++            {
++                INetURLObject url(u"vnd.sun.star.pkg://slot%3A0");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.pkg://vnd.sun.star.pkg%3A%2F%2Fslot%253A0");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.pkg://http%3A%2F%2Fexample.net");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++                CPPUNIT_ASSERT(!url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.zip://slot%3A0");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.zip://slot%3A0/foo");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.zip://slot%3A0?foo");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.zip://slot%3A0#foo");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++                CPPUNIT_ASSERT(url.IsExoticProtocol());
++            }
++            {
++                INetURLObject url(u"vnd.sun.star.zip://http%3A%2F%2Fexample.net");
++                CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++                CPPUNIT_ASSERT(!url.IsExoticProtocol());
++            }
++        }
++
+         // Change the following lines only, if you add, remove or rename
+         // member functions of the current class,
+         // because these macros are need by auto register mechanism.
+@@ -371,6 +414,7 @@ namespace tools_urlobj
+         CPPUNIT_TEST( testChangeScheme );
+         CPPUNIT_TEST( testTd146382 );
+         CPPUNIT_TEST( testParseSmart );
++        CPPUNIT_TEST( testIsExoticProtocol );
+         CPPUNIT_TEST_SUITE_END(  );
+     };                          // class createPool
+ 
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 785fbd09404f..a9ce65ecb538 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4891,10 +4891,21 @@ bool INetURLObject::IsExoticProtocol() const
+     {
+         return true;
+     }
+-    if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip"))
++    if (m_eScheme == INetProtocol::VndSunStarPkg) {
++        return INetURLObject(GetHost(INetURLObject::DecodeMechanism::WithCharset))
++            .IsExoticProtocol();
++    }
++    if (isSchemeEqualTo(u"vnd.sun.star.zip"))
+     {
+-        OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset);
+-        return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol();
++        OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::NONE);
++        if (!sPayloadURL.startsWith(u"//")) {
++            return false;
++        }
++        auto const find = [&sPayloadURL](auto c) {
++            auto const n = sPayloadURL.indexOf(c, 2);
++            return n == -1 ? sPayloadURL.getLength() : n;
++        };
++        return INetURLObject(decode(sPayloadURL.subView(2, std::min(find('/'), find('?')) - 2), INetURLObject::DecodeMechanism::WithCharset)).IsExoticProtocol();
+     }
+     return false;
+ }
+-- 
+2.47.3
+
diff -Nru libreoffice-7.4.7/debian/patches/series libreoffice-7.4.7/debian/patches/series
--- libreoffice-7.4.7/debian/patches/series	2026-03-19 20:24:30.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/series	2026-05-07 19:49:15.000000000 +0000
@@ -66,6 +66,7 @@
 be-coservative-about-allowed-font-names.diff
 consider-VndSunStarExpand-an-exotic-protocol.diff
 look-at-embedded-protocols-too.diff
+Fix-check-for-further-exotic-protocols.diff
 Filter-out-more-unwanted-command-URIs.diff
 Improve-adbe.pkcs7.sha1-signature-verification.diff
 add-EUR-for-Bulgaria-Lew.diff