Version in base suite: 25.2.3-2+deb13u3 Base version: libreoffice_25.2.3-2+deb13u3 Target version: libreoffice_25.2.3-2+deb13u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/libreoffice/libreoffice_25.2.3-2+deb13u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/libreoffice/libreoffice_25.2.3-2+deb13u4.dsc changelog | 7 +++ patches/Conform-AlignEngine-parsing-to-spec.diff | 53 +++++++++++++++++++++++ patches/series | 1 3 files changed, 61 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphgyxjvam/libreoffice_25.2.3-2+deb13u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphgyxjvam/libreoffice_25.2.3-2+deb13u4.dsc: no acceptable signature found
diff -Nru libreoffice-25.2.3/debian/changelog libreoffice-25.2.3/debian/changelog
--- libreoffice-25.2.3/debian/changelog 2025-11-28 15:24:35.000000000 +0000
+++ libreoffice-25.2.3/debian/changelog 2026-03-19 20:20:19.000000000 +0000
@@ -1,3 +1,10 @@
+libreoffice (4:25.2.3-2+deb13u4) trixie-security; urgency=medium
+
+ * debian/patches/Conform-AlignEngine-parsing-to-spec.diff: as name says;
+ from libreoffice-26-2 branch; fixes CVE-2026-4430
+
+ -- Rene Engelhard Thu, 19 Mar 2026 21:20:19 +0100
+
 libreoffice (4:25.2.3-2+deb13u3) trixie; urgency=medium
 
 * debian/patches/add-EUR-for-Bulgaria-Lew.diff: fix typo: s/BLN/BGN/, thanks
diff -Nru libreoffice-25.2.3/debian/patches/Conform-AlignEngine-parsing-to-spec.diff libreoffice-25.2.3/debian/patches/Conform-AlignEngine-parsing-to-spec.diff
--- libreoffice-25.2.3/debian/patches/Conform-AlignEngine-parsing-to-spec.diff 1970-01-01 00:00:00.000000000 +0000
+++ libreoffice-25.2.3/debian/patches/Conform-AlignEngine-parsing-to-spec.diff 2026-03-19 20:19:19.000000000 +0000
@@ -0,0 +1,53 @@
+From aec21c1ca9be845c75f20c5dfd002b859e1702fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Mon, 16 Mar 2026 17:22:23 +0000
+Subject: [PATCH] Conform AlignEngine parsing to what section 2.3.4.10 of the
+ spec has
+
+Change-Id: Ibb9162b1ce7993ef74665ec0329c95b423fa8174
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/201944
+Reviewed-by: Adolfo Jayme Barrientos
+Tested-by: Jenkins
+---
+ oox/source/crypto/AgileEngine.cxx | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/oox/source/crypto/AgileEngine.cxx b/oox/source/crypto/AgileEngine.cxx
+index fb9720872e3e..9599b492e5b9 100644
+--- a/oox/source/crypto/AgileEngine.cxx
++++ b/oox/source/crypto/AgileEngine.cxx
+@@ -9,6 +9,8 @@
+ *
+ */
+
++#include
++#include
+ #include
+
+ #include
+@@ -551,8 +553,21 @@ bool AgileEngine::readEncryptionInfo(uno::Reference & rxInputS
+ if (0 > mInfo.spinCount || mInfo.spinCount > 10000000)
+ return false;
+
+- if (1 > mInfo.saltSize|| mInfo.saltSize > 65536) // Check
++ // [MS-OFFCRYPTO] 2.3.4.10: saltSize "MUST be at least 1 and no greater than 65,536"
++ if (1 > mInfo.saltSize || mInfo.saltSize > 65536)
++ {
++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): saltSize out of range: " << mInfo.saltSize);
++ return false;
++ }
++
++ // [MS-OFFCRYPTO] 2.3.4.10: "The number of bytes required to decode the saltValue
++ // attribute MUST be equal to the value of the saltSize attribute"
++ if (mInfo.keyDataSalt.size() != o3tl::make_unsigned(mInfo.saltSize))
++ {
++ SAL_WARN("oox", "AgileEngine::readEncryptionInfo(): keyDataSalt size " << mInfo.keyDataSalt.size()
++ << " does not match saltSize " << mInfo.saltSize);
+ return false;
++ }
+
+ // AES 128 CBC with SHA1
+ if (mInfo.keyBits == 128 &&
+--
+2.47.3
+
diff -Nru libreoffice-25.2.3/debian/patches/series libreoffice-25.2.3/debian/patches/series
--- libreoffice-25.2.3/debian/patches/series 2025-11-28 15:24:20.000000000 +0000
+++
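Review bot: The added length comparison in `AgileEngine::readEncryptionInfo` covers only `mInfo.keyDataSalt`; whether the other buffers decoded from the same EncryptionInfo descriptor (the password key encryptor's salt, for example) are held to their declared sizes cannot be seen from this hunk, and the function body starts and ends outside it. If any of them is later used together with a size attribute, it deserves the same `size() != o3tl::make_unsigned(...)` rejection before the cipher-suite checks that follow. The patch changes only AgileEngine.cxx, so a unit test that loads a descriptor whose `saltValue` decodes to more or fewer bytes than `saltSize` and expects `false` would pin the fix. As a style point, the `spinCount` check just above still returns `false` silently while the two new checks log via `SAL_WARN`; a matching warning there would make rejected documents easier to triage.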
libreoffice-25.2.3/debian/patches/series 2026-03-19 20:20:19.000000000 +0000
@@ -55,3 +55,4 @@
 avmedia-qt-use-gstreamer-frame-grabber-by-default.diff
 qt-Consolidate-to-one-toOUString-helper.diff
 default-to-Euro-for-Bulgaria.diff
+Conform-AlignEngine-parsing-to-spec.diff