Version in base suite: 7.4.7-1+deb12u5 Base version: libreoffice_7.4.7-1+deb12u5 Target version: libreoffice_7.4.7-1+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/libreoffice/libreoffice_7.4.7-1+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/libreoffice/libreoffice_7.4.7-1+deb12u6.dsc changelog | 10 patches/be-coservative-about-allowed-font-names.diff | 63 +++ patches/consider-VndSunStarExpand-an-exotic-protocol.diff | 260 ++++++++++++++ patches/look-at-embedded-protocols-too.diff | 52 ++ patches/series | 3 5 files changed, 388 insertions(+)
diff -Nru libreoffice-7.4.7/debian/changelog libreoffice-7.4.7/debian/changelog
--- libreoffice-7.4.7/debian/changelog 2024-08-22 16:44:46.000000000 +0000
+++ libreoffice-7.4.7/debian/changelog 2025-01-18 12:30:17.000000000 +0000
@@ -1,3 +1,13 @@
+libreoffice (4:7.4.7-1+deb12u6) bookworm-security; urgency=medium
+
+ * debian/patches/be-coservative-about-allowed-font-names.diff: as name says
+ (CVE-2024-12425)
+ * debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff
+ debian/patches/look-at-embedded-protocols-too.diff: add patches for
+ CVE-2024-12426 from upstream "co-22-05" branch
+
+ -- Rene Engelhard Sat, 18 Jan 2025 13:30:17 +0100
+
 libreoffice (4:7.4.7-1+deb12u5) bookworm-security; urgency=medium
 
 * debian/patches/debian/patches/do-not-trust-any-signature-on-repaired-package.diff:
diff -Nru libreoffice-7.4.7/debian/patches/be-coservative-about-allowed-font-names.diff libreoffice-7.4.7/debian/patches/be-coservative-about-allowed-font-names.diff
--- libreoffice-7.4.7/debian/patches/be-coservative-about-allowed-font-names.diff 1970-01-01 00:00:00.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/be-coservative-about-allowed-font-names.diff 2025-01-18 10:13:16.000000000 +0000
@@ -0,0 +1,63 @@
+From 5de27921ef963bdfefea098a00ec289833385c5b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 8 Nov 2024 16:51:47 +0000
+Subject: [PATCH] be conservative on allowed temp font names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Iefdc1a8c9b4c7e8c08c84f747f8287ac3c419839
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176236
+Reviewed-by: Michael Stahl
+Tested-by: Jenkins
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178289
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Caolán McNamara
+---
+ vcl/source/gdi/embeddedfontshelper.cxx | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/vcl/source/gdi/embeddedfontshelper.cxx b/vcl/source/gdi/embeddedfontshelper.cxx
+index 34d227e5f5b2..ed5c656c46cd 100644
+--- a/vcl/source/gdi/embeddedfontshelper.cxx
++++ b/vcl/source/gdi/embeddedfontshelper.cxx
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -191,10 +192,6 @@ void EmbeddedFontsHelper::activateFonts()
+
+ OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName, const char* extra )
+ {
+- OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}";
+- rtl::Bootstrap::expandMacros( path );
+- path += "/user/temp/embeddedfonts/fromdocs/";
+- osl::Directory::createPath( path );
+ OUString filename = fontName;
+ static int uniqueCounter = 0;
+ if( strcmp( extra, "?" ) == 0 )
+@@ -202,6 +199,17 @@ OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName,
+ else
+ filename += OStringToOUString( extra, RTL_TEXTENCODING_ASCII_US );
+ filename += ".ttf"; // TODO is it always ttf?
++
++ if (!::comphelper::OStorageHelper::IsValidZipEntryFileName(filename, false))
++ {
++ SAL_WARN( "vcl.fonts", "Cannot use filename: " << filename << " for temporary font");
++ filename = "font" + OUString::number(uniqueCounter++) + ".ttf";
++ }
++
++ OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}";
++ rtl::Bootstrap::expandMacros( path );
++ path += "/user/temp/embeddedfonts/fromdocs/";
++ osl::Directory::createPath( path );
+ return path + filename;
+ }
+
+--
+2.39.5
+
diff -Nru libreoffice-7.4.7/debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff libreoffice-7.4.7/debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff
--- libreoffice-7.4.7/debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff 1970-01-01 00:00:00.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff 2025-01-18 12:29:09.000000000 +0000
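Review bot: The new `IsValidZipEntryFileName(filename, false)` check in `fileUrlForTemporaryFont()` carries no comment saying what it protects, although `fontName` appears to come from the loaded document and ends up in a path under `embeddedfonts/fromdocs/`. I would add a line above it such as `// fontName is document-controlled: refuse names that could leave the fromdocs/ directory`. The check runs on the raw string that is then appended to a file URL, so it is worth confirming (not visible in this hunk) that a percent-encoded separator cannot be turned back into a path separator further down. The function begins above the hunk, and the fallback name reuses the `uniqueCounter` declared there.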
@@ -0,0 +1,260 @@
+From a2b1499afa13b855781fe1eff9e09c985b56a728 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 15 Nov 2024 12:30:39 +0000
+Subject: [PATCH] consider VndSunStarExpand an exotic protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and generally don't bother with it when fetching data
+from urls
+
+Change-Id: I51a2601c6fb7d6c32f9e2d1286ee0d3b05b370b9
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176922
+Reviewed-by: Miklos Vajna
+Tested-by: Jenkins CollaboraOffice
+(cherry picked from commit 4fbe740677b90d8b73842b60863e2f4c9f4ea382)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178313
+Reviewed-by: Caolán McNamara
+---
+ avmedia/source/viewer/mediawindow_impl.cxx | 13 +++++++------
+ editeng/source/items/frmitems.cxx | 10 ++++++++--
+ .../source/commonembedding/persistence.cxx | 17 +++++++++++++----
+ forms/source/component/ImageControl.cxx | 4 ++++
+ forms/source/component/clickableimage.cxx | 2 +-
+ sfx2/source/appl/linkmgr2.cxx | 5 ++++-
+ sw/source/filter/html/htmlgrin.cxx | 3 ++-
+ toolkit/source/controls/unocontrols.cxx | 3 ++-
+ tools/source/fsys/urlobj.cxx | 1 +
+ unotools/source/misc/mediadescriptor.cxx | 3 +++
+ vcl/source/filter/graphicfilter.cxx | 8 +++++++-
+ 11 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/avmedia/source/viewer/mediawindow_impl.cxx b/avmedia/source/viewer/mediawindow_impl.cxx
+index 0a0e80dc0d3f..e1759815d5d0 100644
+--- a/avmedia/source/viewer/mediawindow_impl.cxx
++++ b/avmedia/source/viewer/mediawindow_impl.cxx
+@@ -170,15 +170,16 @@ void MediaWindowImpl::dispose()
+
+ uno::Reference MediaWindowImpl::createPlayer(const OUString& rURL, const OUString& rReferer, const OUString* pMimeType)
+ {
+- uno::Reference xPlayer;
+-
+ if( rURL.isEmpty() )
+- return xPlayer;
++ return nullptr;
+
+ if (SvtSecurityOptions::isUntrustedReferer(rReferer))
+- {
+- return xPlayer;
+- }
++ return nullptr;
++
++ if (INetURLObject(rURL).IsExoticProtocol())
++ return nullptr;
++
++ uno::Reference xPlayer;
+
+ if (!pMimeType || *pMimeType == AVMEDIA_MIMETYPE_COMMON)
+ {
+diff --git a/editeng/source/items/frmitems.cxx b/editeng/source/items/frmitems.cxx
+index 45ac886d5c50..a6f97afc2509 100644
+--- a/editeng/source/items/frmitems.cxx
++++ b/editeng/source/items/frmitems.cxx
+@@ -44,6 +44,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3188,6 +3189,13 @@ const GraphicObject* SvxBrushItem::GetGraphicObject(OUString const & referer) co
+ return nullptr;
+ }
+
++ INetURLObject aGraphicURL( maStrLink );
++ if (aGraphicURL.IsExoticProtocol())
++ {
++ SAL_WARN("editeng", "Ignore exotic protocol: " << maStrLink);
++ return nullptr;
++ }
++
+ // tdf#94088 prepare graphic and state
+ Graphic aGraphic;
+ bool bGraphicLoaded = false;
+@@ -3208,8 +3216,6 @@ const GraphicObject* SvxBrushItem::GetGraphicObject(OUString const & referer) co
+ // a 'data:' scheme url and try to load that (embedded graphics)
+ if(!bGraphicLoaded)
+ {
+- INetURLObject aGraphicURL( maStrLink );
+-
+ if( INetProtocol::Data == aGraphicURL.GetProtocol() )
+ {
+ std::unique_ptr const xMemStream(aGraphicURL.getData());
+diff --git a/embeddedobj/source/commonembedding/persistence.cxx b/embeddedobj/source/commonembedding/persistence.cxx
+index faf3209e1f32..1e97721f0066 100644
+--- a/embeddedobj/source/commonembedding/persistence.cxx
++++ b/embeddedobj/source/commonembedding/persistence.cxx
+@@ -55,6 +55,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -370,11 +371,19 @@ uno::Reference< util::XCloseable > OCommonEmbeddedObject::LoadLink_Impl()
+ uno::Sequence< beans::PropertyValue > aArgs( m_aDocMediaDescriptor.getLength() + nLen );
+ auto pArgs = aArgs.getArray();
+
+- pArgs[0].Name = "URL";
+- if(m_aLinkTempFile.is())
+- pArgs[0].Value <<= m_aLinkTempFile->getUri();
++ OUString sURL;
++ if (m_aLinkTempFile.is())
++ sURL = m_aLinkTempFile->getUri();
+ else
+- pArgs[0].Value <<= m_aLinkURL;
++ sURL = m_aLinkURL;
++ if (INetURLObject(sURL).IsExoticProtocol())
++ {
++ SAL_WARN("embeddedobj.common", "Ignore exotic protocol: " << pArgs[0].Value);
++ return nullptr;
++ }
++
++ pArgs[0].Name = "URL";
++ pArgs[0].Value <<= sURL;
+
+ pArgs[1].Name = "FilterName";
+ pArgs[1].Value <<= m_aLinkFilterName;
+diff --git a/forms/source/component/ImageControl.cxx b/forms/source/component/ImageControl.cxx
+index af4c1e32f979..ad1d8bf53b88 100644
+--- a/forms/source/component/ImageControl.cxx
++++ b/forms/source/component/ImageControl.cxx
+@@ -397,6 +397,10 @@ void OImageControlModel::read(const Reference& _rxInStream)
+
+ bool OImageControlModel::impl_updateStreamForURL_lck( const OUString& _rURL, ValueChangeInstigator _eInstigator )
+ {
++ if (INetURLObject(_rURL).IsExoticProtocol()) {
++ return false;
++ }
++
+ // create a stream for the image specified by the URL
+ std::unique_ptr< SvStream > pImageStream;
+ Reference< XInputStream > xImageStream;
+diff --git a/forms/source/component/clickableimage.cxx b/forms/source/component/clickableimage.cxx
+index 808f05e6e1ce..25099453116e 100644
+--- a/forms/source/component/clickableimage.cxx
++++ b/forms/source/component/clickableimage.cxx
+@@ -740,7 +740,7 @@ namespace frm
+
+ // the SfxMedium is not allowed to be created with an invalid URL, so we have to check this first
+ INetURLObject aUrl(rURL);
+- if (INetProtocol::NotValid == aUrl.GetProtocol())
++ if (INetProtocol::NotValid == aUrl.GetProtocol() || aUrl.IsExoticProtocol())
+ // we treat an invalid URL like we would treat no URL
+ return;
+
+diff --git a/sfx2/source/appl/linkmgr2.cxx b/sfx2/source/appl/linkmgr2.cxx
+index 4b77bcf90fb6..eb792dbbbbdb 100644
+--- a/sfx2/source/appl/linkmgr2.cxx
++++ b/sfx2/source/appl/linkmgr2.cxx
+@@ -526,8 +526,11 @@ bool LinkManager::GetGraphicFromAny(const OUString& rMimeType,
+ sReferer = sh->GetMedium()->GetName();
+
+ OUString sURL = rValue.get();
+- if (!SvtSecurityOptions::isUntrustedReferer(sReferer))
++ if (!SvtSecurityOptions::isUntrustedReferer(sReferer) &&
++ !INetURLObject(sURL).IsExoticProtocol())
++ {
+ rGraphic = vcl::graphic::loadFromURL(sURL, pParentWin);
++ }
+ if (rGraphic.IsNone())
+ rGraphic.SetDefaultType();
+ rGraphic.setOriginURL(sURL);
+diff --git a/sw/source/filter/html/htmlgrin.cxx b/sw/source/filter/html/htmlgrin.cxx
+index 582f30caa4f6..94d0909b9f9b 100644
+--- a/sw/source/filter/html/htmlgrin.cxx
++++ b/sw/source/filter/html/htmlgrin.cxx
+@@ -672,7 +672,7 @@ IMAGE_SETEVENT:
+ bool bNeedWidth = (!bPercentWidth && !nWidth) || bRelWidthScale;
+ bool bRelHeightScale = bPercentHeight && nHeight == SwFormatFrameSize::SYNCED;
+ bool bNeedHeight = (!bPercentHeight && !nHeight) || bRelHeightScale;
+- if ((bNeedWidth || bNeedHeight) && !m_bFuzzing && allowAccessLink(*m_xDoc))
++ if ((bNeedWidth || bNeedHeight) && !m_bFuzzing && allowAccessLink(*m_xDoc) && !aGraphicURL.IsExoticProtocol())
+ {
+ GraphicDescriptor aDescriptor(aGraphicURL);
+ if (aDescriptor.Detect(/*bExtendedInfo=*/true))
+diff --git a/toolkit/source/controls/unocontrols.cxx b/toolkit/source/controls/unocontrols.cxx
+index 3d528bd5e68b..7c9cbdbda40b 100644
+--- a/toolkit/source/controls/unocontrols.cxx
++++ b/toolkit/source/controls/unocontrols.cxx
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ // for introspection
+@@ -69,7 +70,7 @@ css::uno::Reference< css::graphic::XGraphic >
+ ImageHelper::getGraphicFromURL_nothrow( const OUString& _rURL )
+ {
+ uno::Reference< graphic::XGraphic > xGraphic;
+- if ( _rURL.isEmpty() )
++ if (_rURL.isEmpty() || INetURLObject(_rURL).IsExoticProtocol())
+ return xGraphic;
+
+ try
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index bcedfe4ff973..88755f4a8b9d 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4834,6 +4834,7 @@ bool INetURLObject::IsExoticProtocol() const
+ return m_eScheme == INetProtocol::Slot ||
+ m_eScheme == INetProtocol::Macro ||
+ m_eScheme == INetProtocol::Uno ||
++ m_eScheme == INetProtocol::VndSunStarExpand ||
+ isSchemeEqualTo(u"vnd.sun.star.script") ||
+ isSchemeEqualTo(u"service");
+ }
+diff --git a/unotools/source/misc/mediadescriptor.cxx b/unotools/source/misc/mediadescriptor.cxx
+index 348fa8fe7673..bbf0c8c5c887 100644
+--- a/unotools/source/misc/mediadescriptor.cxx
++++ b/unotools/source/misc/mediadescriptor.cxx
+@@ -335,6 +335,9 @@ bool MediaDescriptor::impl_openStreamWithPostData( const css::uno::Reference< cs
+ /*-----------------------------------------------*/
+ bool MediaDescriptor::impl_openStreamWithURL( const OUString& sURL, bool bLockFile )
+ {
++ if (INetURLObject(sURL).IsExoticProtocol())
++ return false;
++
+ OUString referer(getUnpackedValueOrDefault(PROP_REFERRER, OUString()));
+ if (SvtSecurityOptions::isUntrustedReferer(referer)) {
+ return false;
+diff --git a/vcl/source/filter/graphicfilter.cxx b/vcl/source/filter/graphicfilter.cxx
+index 17710e85650c..5318224ac737 100644
+--- a/vcl/source/filter/graphicfilter.cxx
++++ b/vcl/source/filter/graphicfilter.cxx
+@@ -524,10 +524,16 @@ ErrCode GraphicFilter::CanImportGraphic( const OUString& rMainUrl, SvStream& rIS
+ ErrCode GraphicFilter::ImportGraphic( Graphic& rGraphic, const INetURLObject& rPath,
+ sal_uInt16 nFormat, sal_uInt16 * pDeterminedFormat, GraphicFilterImportFlags nImportFlags )
+ {
+- ErrCode nRetValue = ERRCODE_GRFILTER_FORMATERROR;
+ SAL_WARN_IF( rPath.GetProtocol() == INetProtocol::NotValid, "vcl.filter", "GraphicFilter::ImportGraphic() : ProtType == INetProtocol::NotValid" );
+
+ OUString aMainUrl( rPath.GetMainURL( INetURLObject::DecodeMechanism::NONE ) );
++ if (rPath.IsExoticProtocol())
++ {
++ SAL_WARN("vcl.filter", "GraphicFilter::ImportGraphic(), ignore exotic protocol: " << aMainUrl);
++ return ERRCODE_GRFILTER_FORMATERROR;
++ }
++
++ ErrCode nRetValue = ERRCODE_GRFILTER_FORMATERROR;
+ std::unique_ptr xStream(::utl::UcbStreamHelper::CreateStream( aMainUrl, StreamMode::READ | StreamMode::SHARE_DENYNONE ));
+ if (xStream)
+ {
+--
+2.39.5
+
diff -Nru libreoffice-7.4.7/debian/patches/look-at-embedded-protocols-too.diff libreoffice-7.4.7/debian/patches/look-at-embedded-protocols-too.diff
--- libreoffice-7.4.7/debian/patches/look-at-embedded-protocols-too.diff 1970-01-01 00:00:00.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/look-at-embedded-protocols-too.diff 2025-01-18 10:16:34.000000000 +0000
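Review bot: In the `persistence.cxx` hunk (`OCommonEmbeddedObject::LoadLink_Impl`) the new `SAL_WARN` streams `pArgs[0].Value`, but the assignment `pArgs[0].Value <<= sURL` now happens only after the early return, so the warning prints an unset value instead of the URL that was rejected. Log the local instead: `SAL_WARN("embeddedobj.common", "Ignore exotic protocol: " << sURL);`. Separately, in the `linkmgr2.cxx` hunk the rejected URL is still recorded through `rGraphic.setOriginURL(sURL)`; if anything later reloads from the origin URL (not visible here), that path needs the same `IsExoticProtocol()` check. Both functions continue outside their hunks.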
@@ -0,0 +1,52 @@
+From 4915889ab56bc946264c257391ba6eeedfdfad95 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 6 Dec 2024 14:41:19 +0000
+Subject: [PATCH] look at 'embedded' protocols too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ie99f5f5a390639bdc69397c831e0a32594a5030c
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/177981
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit 59891cd3985469bc44dbd05c9fc704eeb07f0c78)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/177987
+Reviewed-by: Stephan Bergmann
+(cherry picked from commit b63aa51c55244ee67410201fa5e7c003427b1009)
+---
+ tools/source/fsys/urlobj.cxx | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index d95a874a8c2d6..e38b2f1bc9764 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4773,12 +4773,21 @@ OUString INetURLObject::CutExtension()
+
+ bool INetURLObject::IsExoticProtocol() const
+ {
+- return m_eScheme == INetProtocol::Slot ||
+- m_eScheme == INetProtocol::Macro ||
+- m_eScheme == INetProtocol::Uno ||
+- m_eScheme == INetProtocol::VndSunStarExpand ||
+- isSchemeEqualTo(u"vnd.sun.star.script") ||
+- isSchemeEqualTo(u"service");
++ if (m_eScheme == INetProtocol::Slot ||
++ m_eScheme == INetProtocol::Macro ||
++ m_eScheme == INetProtocol::Uno ||
++ m_eScheme == INetProtocol::VndSunStarExpand ||
++ isSchemeEqualTo(u"vnd.sun.star.script") ||
++ isSchemeEqualTo(u"service"))
++ {
++ return true;
++ }
++ if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip"))
++ {
++ OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset);
++ return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol();
++ }
++ return false;
+ }
+
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff -Nru libreoffice-7.4.7/debian/patches/series libreoffice-7.4.7/debian/patches/series
--- libreoffice-7.4.7/debian/patches/series 2024-08-22 16:44:43.000000000 +0000
+++ libreoffice-7.4.7/debian/patches/series 2025-01-18 11:12:49.000000000 +0000
@@ -63,3 +63,6 @@
 fix-32bit-build.diff
 remove-ability-to-trust-not-validated-macro-signatures-in-high-security.diff
 do-not-trust-any-signature-on-repaired-package.diff
+be-coservative-about-allowed-font-names.diff
+consider-VndSunStarExpand-an-exotic-protocol.diff
+look-at-embedded-protocols-too.diff
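Review bot: The rewritten `INetURLObject::IsExoticProtocol()` in the `urlobj.cxx` hunk now recurses into the payload of `vnd.sun.star.pkg` and `vnd.sun.star.zip` URLs, but nothing in the code states the URL layout it relies on, and the patch adds no test for it. I would put a comment before the second `if`, for example `// pkg/zip URLs wrap another URL after "//": classify the wrapped URL as well`, and note there that the recursion ends because each level consumes one scheme prefix. Unit-test cases for a wrapped exotic scheme, a wrapped ordinary scheme and a payload without the leading `//` would pin the three return paths, since every caller added by the previous patch depends on this one predicate.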