Your message dated Sat, 16 May 2026 11:07:42 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1135965,
regarding bookworm-pu: package libreoffice/4:7.4.7-1+deb12u12
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libreoffice
User: [email protected]
Usertags: pu
Hi,
it was discovered that
  libreoffice (4:7.4.7-1+deb12u6) bookworm-security; urgency=medium
    * debian/patches/be-coservative-about-allowed-font-names.diff: as name says
      (CVE-2024-12425)
    * debian/patches/consider-VndSunStarExpand-an-exotic-protocol.diff
      debian/patches/look-at-embedded-protocols-too.diff: add patches for
      CVE-2024-12426 from upstream "co-22-05" branch
   -- Rene Engelhard <[email protected]> Sat, 18 Jan 2025 13:30:17 +0100
back then (https://security-tracker.debian.org/tracker/CVE-2024-12426)
didn't fix all cases because I apparently missed an upstream patch in
the series.
The security team suggests fixing this with next week's point release.
[ Tests ]
There is a test added in the code, just test building.
[ Risks ]
Is already upstream for ages so no risk. And it has a test...
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Add the patch from https://gerrit.libreoffice.org/c/core/+/178166
Diff attached. For bookworm of course s/bookworm-security//
Regards,
Rene
diff -Nru libreoffice-7.4.7/debian/changelog libreoffice-7.4.7/debian/changelog
--- libreoffice-7.4.7/debian/changelog 2026-03-19 21:25:21.000000000 +0100
+++ libreoffice-7.4.7/debian/changelog 2026-05-07 21:49:15.000000000 +0200
@@ -1,3 +1,10 @@
+libreoffice (4:7.4.7-1+deb12u12) bookworm-security; urgency=medium
+
+ * debian/patches/Fix-check-for-further-exotic-protocols.diff: add missing
+ patch for CVE-2024-12426, thanks Caolan McNamara
+
+ -- Rene Engelhard <[email protected]> Thu, 07 May 2026 21:49:15 +0200
+
libreoffice (4:7.4.7-1+deb12u11) bookworm-security; urgency=medium
* debian/patches/Conform-AlignEngine-parsing-to-spec.diff: as name says;
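Review bot: The distribution field on the first line of the new entry is still `bookworm-security`, but this upload is meant for the bookworm point release, so it has to read `bookworm` before upload, as the mail itself points out. The bullet could also state that this patch completes the CVE-2024-12426 fix first shipped in 4:7.4.7-1+deb12u6, so that someone reading the changelog sees that the earlier fix did not cover all cases.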
diff -Nru libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff
--- libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff 1970-01-01 01:00:00.000000000 +0100
+++ libreoffice-7.4.7/debian/patches/Fix-check-for-further-exotic-protocols.diff 2026-05-07 21:47:25.000000000 +0200
@@ -0,0 +1,121 @@
+From a58893f2de8210008fa7bb403e9c9000869e6c04 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <[email protected]>
+Date: Sat, 7 Dec 2024 17:36:22 +0100
+Subject: [PATCH] Fix check for further exotic protocols
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+...that were added in 59891cd3985469bc44dbd05c9fc704eeb07f0c78 "look at
+'embedded' protocols for protocols that support them"
+
+Change-Id: I42836d6fd27cd99e39ab07e626053f002a2651f5
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178047
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <[email protected]>
+(cherry picked from commit 8075798b22f2188530f57b8747589923bfd419ef)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178065
+Tested-by: Caolán McNamara <[email protected]>
+Reviewed-by: Caolán McNamara <[email protected]>
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/178166
+Reviewed-by: Miklos Vajna <[email protected]>
+Tested-by: Jenkins CollaboraOffice <[email protected]>
+---
+ tools/qa/cppunit/test_urlobj.cxx | 44 ++++++++++++++++++++++++++++++++
+ tools/source/fsys/urlobj.cxx | 17 +++++++++---
+ 2 files changed, 58 insertions(+), 3 deletions(-)
+
+diff --git a/tools/qa/cppunit/test_urlobj.cxx b/tools/qa/cppunit/test_urlobj.cxx
+index fff77e41f5e7..12635eba8dd3 100644
+--- a/tools/qa/cppunit/test_urlobj.cxx
++++ b/tools/qa/cppunit/test_urlobj.cxx
+@@ -354,6 +354,49 @@ namespace tools_urlobj
+ }
+ }
+
++ void testIsExoticProtocol() {
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://slot%3A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://vnd.sun.star.pkg%3A%2F%2Fslot%253A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.pkg://http%3A%2F%2Fexample.net");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::VndSunStarPkg, url.GetProtocol());
++ CPPUNIT_ASSERT(!url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0/foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0?foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://slot%3A0#foo");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(url.IsExoticProtocol());
++ }
++ {
++ INetURLObject url(u"vnd.sun.star.zip://http%3A%2F%2Fexample.net");
++ CPPUNIT_ASSERT_EQUAL(INetProtocol::Generic, url.GetProtocol());
++ CPPUNIT_ASSERT(!url.IsExoticProtocol());
++ }
++ }
++
+ // Change the following lines only, if you add, remove or rename
+ // member functions of the current class,
+ // because these macros are need by auto register mechanism.
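Review bot: The path, query and fragment variants in testIsExoticProtocol are exercised only for `vnd.sun.star.zip`; the `vnd.sun.star.pkg` cases stop at a bare encoded authority, and no case covers a zip URL whose payload does not start with `//`, which the patched check answers with false. Adding a `vnd.sun.star.pkg` URL with a path after the encoded authority, a zip URL embedded in another zip URL, and the non-`//` payload case would pin down both branches of the changed function.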
+@@ -371,6 +414,7 @@ namespace tools_urlobj
+ CPPUNIT_TEST( testChangeScheme );
+ CPPUNIT_TEST( testTd146382 );
+ CPPUNIT_TEST( testParseSmart );
++ CPPUNIT_TEST( testIsExoticProtocol );
+ CPPUNIT_TEST_SUITE_END( );
+ }; // class createPool
+
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 785fbd09404f..a9ce65ecb538 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4891,10 +4891,21 @@ bool INetURLObject::IsExoticProtocol() const
+ {
+ return true;
+ }
+- if (isSchemeEqualTo(u"vnd.sun.star.pkg") || isSchemeEqualTo(u"vnd.sun.star.zip"))
++ if (m_eScheme == INetProtocol::VndSunStarPkg) {
++ return INetURLObject(GetHost(INetURLObject::DecodeMechanism::WithCharset))
++ .IsExoticProtocol();
++ }
++ if (isSchemeEqualTo(u"vnd.sun.star.zip"))
+ {
+- OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::WithCharset);
+- return sPayloadURL.startsWith(u"//") && INetURLObject(sPayloadURL.subView(2)).IsExoticProtocol();
++ OUString sPayloadURL = GetURLPath(INetURLObject::DecodeMechanism::NONE);
++ if (!sPayloadURL.startsWith(u"//")) {
++ return false;
++ }
++ auto const find = [&sPayloadURL](auto c) {
++ auto const n = sPayloadURL.indexOf(c, 2);
++ return n == -1 ? sPayloadURL.getLength() : n;
++ };
++ return INetURLObject(decode(sPayloadURL.subView(2, std::min(find('/'), find('?')) - 2), INetURLObject::DecodeMechanism::WithCharset)).IsExoticProtocol();
+ }
+ return false;
+ }
+--
+2.47.3
+
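Review bot: The `vnd.sun.star.zip` branch in IsExoticProtocol has no comment explaining why the path is now fetched with `DecodeMechanism::NONE` and decoded only after being cut at the first `/` or `?`. Presumably this is so that an encoded `%2F` or `%3F` inside the embedded URL is not mistaken for the end of the authority, and a one-line comment saying so would keep a later cleanup from reverting to decode-first. The final `return` packs the substring, `std::min`, `decode` and the recursive call into one line; named locals for the end index and the decoded payload would make it easier to review. The hunk uses `std::min` and the diffstat shows no include being added, so confirm `<algorithm>` is already included in urlobj.cxx. A payload that does not start with `//` still returns false, that is, it is treated as not exotic; that matches the removed code, but it deserves a comment since this function is a security check.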
diff -Nru libreoffice-7.4.7/debian/patches/series libreoffice-7.4.7/debian/patches/series
--- libreoffice-7.4.7/debian/patches/series 2026-03-19 21:24:30.000000000 +0100
+++ libreoffice-7.4.7/debian/patches/series 2026-05-07 21:49:15.000000000 +0200
@@ -66,6 +66,7 @@
be-coservative-about-allowed-font-names.diff
consider-VndSunStarExpand-an-exotic-protocol.diff
look-at-embedded-protocols-too.diff
+Fix-check-for-further-exotic-protocols.diff
Filter-out-more-unwanted-command-URIs.diff
Improve-adbe.pkcs7.sha1-signature-verification.diff
add-EUR-for-Bulgaria-Lew.diff
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14
This update has been released as part of Debian 12.14.
--- End Message ---