Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libreoffice
User: [email protected]
Usertags: pu
Hi,
it was discovered that

libreoffice (4:7.4.7-1+deb12u6) bookworm-security; urgency=medium

  * debian/patches/be-coservative-about-allowed-font-names.diff: as name says
    (CVE-2024-12425)
  * debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff
    debian/patches/look-at-embedded-protocols-too.diff: add patches for
    CVE-2024-12426 from upstream "co-22-05" branch

 -- Rene Engelhard <[email protected]>  Sat, 18 Jan 2025 13:30:17 +0100

back then (https://security-tracker.debian.org/tracker/CVE-2024-12426)
didn't fix all cases because I apparently missed an upstream patch in
the series.
The security team suggests fixing this with next week's point release.
[ Tests ]
There is a test added in the code; just test building.
[ Risks ]
It has already been upstream for ages, so no risk. And it has a test...
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Add the patch from https://gerrit.libreoffice.org/c/core/+/178166
Diff attached. For bookworm, of course, s/bookworm-security//
Regards,
Rene
diff -Nru libreoffice-7.4.7/debian/changelog libreoffice-7.4.7/debian/changelog
--- libreoffice-7.4.7/debian/changelog 2026-03-19 21:25:21.000000000 +0100
+++ libreoffice-7.4.7/debian/changelog 2026-05-07 21:49:15.000000000 +0200
@@ -1,3 +1,10 @@
+libreoffice (4:7.4.7-1+deb12u12) bookworm-security; urgency=medium
+
+ * debian/patches/Fix-check-for-further-exotic-protocols.diff: add missing
+ patch for CVE-2024-12426, thanks Caolan McNamara
+
+ -- Rene Engelhard <[email protected]> Thu, 07 May 2026 21:49:15 +0200
+
libreoffice (4:7.4.7-1+deb12u11) bookworm-security; urgency=medium
* debian/patches/Conform-AlignEngine-parsing-to-spec.diff: as name says;
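Review bot: the new entry credits "Caolan McNamara" while the patch header below names Stephan Bergmann as the author (Caolán appears as reviewer and tester of the cherry-pick), so the provenance would be clearer if the entry named the upstream change itself, e.g. the gerrit URL https://gerrit.libreoffice.org/c/core/+/178166 already quoted in the [ Changes ] section. The distribution field still reads bookworm-security; as the body says, it needs to become bookworm for the point-release upload.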
diff -Nru libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff
--- libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff 1970-01-01 01:00:00.000000000 +0100
+++ libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff 2026-05-07 21:47:25.000000000 +0200
@@ -0,0 +1,121 @@
+From a58893f2de8210008fa7bb403e9c9000869e6c04 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <[email protected]>
+Date: Sat, 7 Dec 2024 17:36:22 +0100
+Subject: [PATCH] Fix check for further exotic protocols
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+...that were added in 59891cd3985469bc44dbd05c9fc704eeb07f0c78 "look at
+'embedded' protocols for protocols that support them"
+
+Change-Id: I42836d6fd27cd99e39ab07e626053f002a2651f5
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178047
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <[email protected]>
+(cherry picked from commit 8075798b22f2188530f57b8747589923bfd419ef)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178065
+Tested-by: Caolán McNamara <[email protected]>
+Reviewed-by: Caolán McNamara <[email protected]>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178166
+Reviewed-by: Miklos Vajna <[email protected]>
+Tested-by: Jenkins CollaboraOffice <[email protected]>
+---
+ tools/qa/cppunit/test_urlobj.cxx | 44 ++++++++++++++++++++++++++++++++
+ tools/source/fsys/urlobj.cxx | 17 +++++++++---
+ 2 files changed, 58 insertions(+), 3 deletions(-)
+
+diff --git a/tools/qa/cppunit/test_urlobj.cxx b/tools/qa/cppunit/test_urlobj.cxx
+index fff77e41f5e7..12635eba8dd3 100644
+--- a/tools/qa/cppunit/test_urlobj.cxx
++++ b/tools/qa/cppunit/test_urlobj.cxx
+@@ -354,6 +354,49 @@ namespace tools_urlobj
+ }
+ }
+
++ void testIsExoticProtocol() {
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://slot%3A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://vnd.sun.star.pkg%3A%2F%2Fslot%253A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://http%3A%2F%2Fexample.net");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(!url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0/foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0?foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0#foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://http%3A%2F%2Fexample.net");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(!url.IsExoticProtocol());
++ }
++ }
++
+ // Change the following lines only, if you add, remove or rename
+ // member functions of the current class,
+ // because these macros are need by auto register mechanism.
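Review bot: the new cases exercise the host-based vnd.sun.star.pkg path (including the nested pkg-in-pkg payload) and the `/`, `?` and `#` suffixes for vnd.sun.star.zip, but nothing covers the new `if (!sPayloadURL.startsWith(u"//")) return false;` early return in urlobj.cxx, and there is no zip counterpart to the nested pkg case (a payload that is itself a vnd.sun.star.zip URL). Adding those two would pin down both the early return and the recursion for the Generic scheme.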
+@@ -371,6 +414,7 @@ namespace tools_urlobj
+ CPPUNIT_TEST( testChangeScheme );
+ CPPUNIT_TEST( testTd146382 );
+ CPPUNIT_TEST( testParseSmart );
++ CPPUNIT_TEST( testIsExoticProtocol );
+ CPPUNIT_TEST_SUITE_END( );
+ }; // class createPool
+
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 785fbd09404f..a9ce65ecb538 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4891,10 +4891,21 @@ bool INetURLObject::IsExoticProtocol() const
+ {
+ return true;
+ }
+- if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip"))
++ if (m_eScheme == INetProtocol::VndSunStarPkg) {
++ return INetURLObject(GetHost(INetURLObject::DecodeMechanism::WithCharset))
++ .IsExoticProtocol();
++ }
++ if (isSchemeEqualTo(u"vnd.sun.star.zip"))
+ {
+- OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset);
+- return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol();
++ OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::NONE);
++ if (!sPayloadURL.startsWith(u"//")) {
++ return false;
++ }
++ auto const find = [&sPayloadURL](auto c) {
++ auto const n = sPayloadURL.indexOf(c, 2);
++ return n == -1 ? sPayloadURL.getLength() : n;
++ };
++ return INetURLObject(decode(sPayloadURL.subView(2, std::min(find('/'), find('?')) - 2), INetURLObject::DecodeMechanism::WithCharset)).IsExoticProtocol();
+ }
+ return false;
+ }
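Review bot: the `find` lambda cuts the payload at the first `/` or `?` after the leading `//` but not at `#`, so the `vnd.sun.star.zip://slot%3A0#foo` test only passes because GetURLPath(INetURLObject::DecodeMechanism::NONE) already excludes the fragment; a one-line comment stating that assumption next to the lambda would save the next backporter a check. The rest of the hunk is sound: slicing while still percent-encoded and decoding only afterwards means an encoded `%2F` inside the embedded URL (the `http%3A%2F%2Fexample.net` case) is no longer taken for a path separator, and for vnd.sun.star.pkg the switch from GetURLPath to GetHost is what makes `vnd.sun.star.pkg://slot%3A0` reach the recursion at all, since that scheme is known (INetProtocol::VndSunStarPkg) and its payload is parsed as the authority rather than the path.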
+--
+2.47.3
+
diff -Nru libreoffice-7.4.7/debian/patches/series libreoffice-7.4.7/debian/patches/series
--- libreoffice-7.4.7/debian/patches/series 2026-03-19 21:24:30.000000000 +0100
+++ libreoffice-7.4.7/debian/patches/series 2026-05-07 21:49:15.000000000 +0200
@@ -66,6 +66,7 @@
be-coservative-about-allowed-font-names.diff
consider-VndSunStarExpand-an-exotic-protocol.diff
look-at-embedded-protocols-too.diff
+Fix-check-for-further-exotic-protocols.diff
Filter-out-more-unwanted-command-URIs.diff
Improve-adbe.pkcs7.sha1-signature-verification.diff
add-EUR-for-Bulgaria-Lew.diff