diff --git a/0001-Fix-cve-CVE-2022-3140.patch b/0001-Fix-cve-CVE-2022-3140.patch new file mode 100644 index 0000000000000000000000000000000000000000..21ac939b895a9fc1f9cb8ef6c8cc0258a2dfefa1 --- /dev/null +++ b/0001-Fix-cve-CVE-2022-3140.patch 
@@ -0,0 +1,172 @@ +From 19514d67bf5da1ca86f2033a81336a4ab6b5593f Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 14 Jul 2025 17:30:29 +0800 +Subject: [PATCH] fix cve CVE-2022-3140 + +--- + desktop/source/app/cmdlineargs.cxx | 10 +++++++++- + sfx2/source/appl/macroloader.cxx | 9 +++++++-- + sfx2/source/doc/iframe.cxx | 21 ++++++++++++++++----- + sfx2/source/inc/macroloader.hxx | 2 ++ + sw/source/filter/html/htmlplug.cxx | 4 +++- + wizards/source/access2base/DoCmd.xba | 4 ++-- + 6 files changed, 39 insertions(+), 11 deletions(-) + +diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx +index 41d3512..8a2d224 100644 +--- a/desktop/source/app/cmdlineargs.cxx ++++ b/desktop/source/app/cmdlineargs.cxx +@@ -26,6 +26,7 @@ + #endif + + #include "cmdlineargs.hxx" ++#include + #include + #include + #include +@@ -164,7 +165,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur + } + if (nURIlen < 0) + nURIlen = rest2.getLength(); +- arg = rest2.copy(0, nURIlen); ++ auto const uri = rest2.copy(0, nURIlen); ++ if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) { ++ // Let the "Open" machinery process the full command URI (leading to failure, by intention, ++ // as the "Open" machinery does not know about those command URI schemes): ++ curEvt = CommandLineEvent::Open; ++ } else { ++ arg = uri; ++ } + return curEvt; + } + +diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx +index 3ab011f..e7d93ab 100644 +--- a/sfx2/source/appl/macroloader.cxx ++++ b/sfx2/source/appl/macroloader.cxx +@@ -77,10 +77,10 @@ css::uno::Sequence SAL_CALL SfxMacroLoader::getSupportedServiceNames() + return aSeq; + } + +-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() ++SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference & xFrame) + { + SfxObjectShell* pDocShell = nullptr; +- Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); ++ + if ( xFrame.is() ) + { + SfxFrame* 
pFrame=nullptr; +@@ -97,6 +97,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() + return pDocShell; + } + ++SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() ++{ ++ Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); ++ return SfxMacroLoader::GetObjectShell(xFrame); ++} + + uno::Reference SAL_CALL SfxMacroLoader::queryDispatch( + const util::URL& aURL , +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index d504270..db53a99 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -39,10 +39,12 @@ + #include + #include + #include ++#include + #include + #include + #include + #include ++#include + + using namespace ::com::sun::star; + +@@ -167,6 +169,19 @@ throw( uno::RuntimeException, std::exception ) + { + if ( SvtMiscOptions().IsPluginsEnabled() ) + { ++ util::URL aTargetURL; ++ aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NO_DECODE ); ++ uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); ++ xTrans->parseStrict( aTargetURL ); ++ ++ if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) ++ { ++ uno::Reference xParentFrame = xFrame->getCreator(); ++ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); ++ if (pDoc && !pDoc->AdjustMacroMode()) ++ return false; ++ } ++ + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" 
); + VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); + VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); +@@ -189,16 +204,12 @@ throw( uno::RuntimeException, std::exception ) + if ( xFramesSupplier.is() ) + mxFrame->setCreator( xFramesSupplier ); + +- util::URL aTargetURL; +- aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::NO_DECODE ); +- uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); +- xTrans->parseStrict( aTargetURL ); +- + uno::Sequence < beans::PropertyValue > aProps(2); + aProps[0].Name = "PluginMode"; + aProps[0].Value <<= (sal_Int16) 2; + aProps[1].Name = "ReadOnly"; + aProps[1].Value <<= true; ++ + uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 ); + if ( xDisp.is() ) + xDisp->dispatch( aTargetURL, aProps ); +diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx +index a4251e2..c27d9aa 100644 +--- a/sfx2/source/inc/macroloader.hxx ++++ b/sfx2/source/inc/macroloader.hxx +@@ -88,6 +88,8 @@ public: + + virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) + throw (css::uno::RuntimeException, std::exception) override; ++ ++ static SfxObjectShell* GetObjectShell(const css::uno::Reference& xFrame); + }; + + #endif +diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx +index 468ba55..a518a19 100644 +--- a/sw/source/filter/html/htmlplug.cxx ++++ b/sw/source/filter/html/htmlplug.cxx +@@ -886,7 +886,9 @@ void SwHTMLParser::InsertFloatingFrame() + bool bHasBorder = aFrameDesc.HasFrameBorder(); + Size aMargin = aFrameDesc.GetMargin(); + +- xSet->setPropertyValue("FrameURL", uno::makeAny( OUString( aFrameDesc.GetURL().GetMainURL( INetURLObject::NO_DECODE ) ) ) ); ++ OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NO_DECODE ); ++ ++ 
xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); + xSet->setPropertyValue("FrameName", uno::makeAny( aName ) ); + + if ( eScroll == ScrollingAuto ) +diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba +index 9b6500c..a68c2dc 100644 +--- a/wizards/source/access2base/DoCmd.xba ++++ b/wizards/source/access2base/DoCmd.xba +@@ -2646,7 +2646,7 @@ Private Sub _ShellExecute(sCommand As String) + + Dim oShell As Object + Set oShell = createUnoService("com.sun.star.system.SystemShellExecute") +- oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS) ++ oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY) + + End Sub ' _ShellExecute V0.8.5 +- +\ No newline at end of file ++ +-- +2.48.1 + diff --git a/0001-fix-cve-CVE-2023-6186.patch b/0001-fix-cve-CVE-2023-6186.patch new file mode 100644 index 0000000000000000000000000000000000000000..72e69d3ec680fbd817a41e21ba2e4349b50551fd --- /dev/null +++ b/0001-fix-cve-CVE-2023-6186.patch 
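Review bot: The sw/source/filter/html/htmlplug.cxx section of this patch only copies the frame URL into `sHRef` and passes it to `setPropertyValue("FrameURL", ...)`, so `SwHTMLParser::InsertFloatingFrame` still stores a macro: URL unchecked and the new local serves no purpose. If the fix this was backported from tested `sHRef` at this point, that test has been lost and should be restored in a form this branch supports, starting from `if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)`; otherwise the hunk can be dropped. In the sfx2/source/doc/iframe.cxx section, `if (pDoc && !pDoc->AdjustMacroMode())` lets the load continue when no document shell is found for the creator frame, so this patch on its own fails open and relies on the CVE-2023-6186 patch being applied after it. Both functions continue outside their hunks.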
@@ -0,0 +1,68 @@ +From 19514d67bf5da1ca86f2033a81336a4ab6b5593f Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 14 Jul 2025 17:30:29 +0800 +Subject: [PATCH] fix cve CVE-2023-6186 + +--- + include/tools/urlobj.hxx | 4 ++++ + sfx2/source/doc/iframe.cxx | 9 ++++----- + tools/source/fsys/urlobj.cxx | 9 +++++++++ + 3 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx +index 9fa5bee..0a9d669 100644 +--- a/include/tools/urlobj.hxx ++++ b/include/tools/urlobj.hxx +@@ -940,6 +940,10 @@ public: + + static bool IsCaseSensitive() { return true; } + ++ // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot, ++ // vnd.sun.star.script, etc. All the types of URLs which shouldn't ++ // be accepted from an outside controlled source ++ bool IsExoticProtocol() const; + + private: + // General Structure: +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index db53a99..0abb30a 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -174,12 +174,11 @@ throw( uno::RuntimeException, std::exception ) + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); + xTrans->parseStrict( aTargetURL ); + +- if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) ++ INetURLObject aURLObject(aTargetURL.Complete); ++ if (aURLObject.IsExoticProtocol()) + { +- uno::Reference xParentFrame = xFrame->getCreator(); +- SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); +- if (pDoc && !pDoc->AdjustMacroMode()) +- return false; ++ //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete); ++ return false; + } + + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" 
); +diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx +index 8b38c70..e544617 100644 +--- a/tools/source/fsys/urlobj.cxx ++++ b/tools/source/fsys/urlobj.cxx +@@ -4942,4 +4942,13 @@ OUString INetURLObject::CutExtension() + ? aTheExtension : OUString(); + } + ++bool INetURLObject::IsExoticProtocol() const ++{ ++ return m_eScheme == INetProtocol::Slot || ++ m_eScheme == INetProtocol::Macro || ++ m_eScheme == INetProtocol::Uno || ++ isSchemeEqualTo(u"vnd.sun.star.script") || ++ isSchemeEqualTo(u"service"); ++} ++ + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ +-- +2.48.1 + diff --git a/0001-fix-cve-CVE-2025-1080.patch b/0001-fix-cve-CVE-2025-1080.patch new file mode 100644 index 0000000000000000000000000000000000000000..539071181a86816afc6e48f56b659b4ffa2aa995 --- /dev/null +++ b/0001-fix-cve-CVE-2025-1080.patch @@ -0,0 +1,25 @@ +From 19514d67bf5da1ca86f2033a81336a4ab6b5593f Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 14 Jul 2025 17:30:29 +0800 +Subject: [PATCH] fix cve CVE-2025-1080 + +--- + desktop/source/app/cmdlineargs.cxx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx +index 93d9e87..70b9f05 100644 +--- a/desktop/source/app/cmdlineargs.cxx ++++ b/desktop/source/app/cmdlineargs.cxx +@@ -168,7 +168,7 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur + if (nURIlen < 0) + nURIlen = rest2.getLength(); + auto const uri = rest2.copy(0, nURIlen); +- if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) { ++ if (INetURLObject(uri).IsExoticProtocol()) { + // Let the "Open" machinery process the full command URI (leading to failure, by intention, + // as the "Open" machinery does not know about those command URI schemes): + curEvt = CommandLineEvent::Open; +-- +2.48.1 + 
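Review bot: In the sfx2/source/doc/iframe.cxx section of the CVE-2023-6186 patch, an exotic-scheme frame URL is rejected silently, because the only diagnostic is left commented out as `//SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);`. Enabling that line (assuming the logging header is already included in this file) would give anyone triaging a suspicious document a trace of the blocked URL. After this change nothing in the visible iframe.cxx hunks calls `SfxMacroLoader::GetObjectShell`, so the static helper and the two includes added by the CVE-2022-3140 patch appear to be dead code that could be dropped from the series. `IsExoticProtocol()` in tools/source/fsys/urlobj.cxx is a deny-list of five schemes, so its header comment should state that any newly dispatchable scheme has to be added there.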
diff --git a/download b/download new file mode 100644 index 0000000000000000000000000000000000000000..ebfb3381ec02422487d9c3b15f6dbee1a6c55648 --- /dev/null +++ b/download @@ -0,0 +1,3 @@ +361153226d8c6b4058355cf7cffe297b libreoffice-5.3.6.1.tar.xz +c942f959691de14af571ec88986dd5d7 libreoffice-help-5.3.6.1.tar.xz +e608fe5cd446835ee311fc6ac9629b33 libreoffice-translations-5.3.6.1.tar.xz diff --git a/libreoffice-5.3.6.1.tar.xz b/libreoffice-5.3.6.1.tar.xz deleted file mode 100644 index 7c1cd826e415184501efffc5f149cca4e02c63cf..0000000000000000000000000000000000000000 Binary files a/libreoffice-5.3.6.1.tar.xz and /dev/null differ diff --git a/libreoffice-help-5.3.6.1.tar.xz b/libreoffice-help-5.3.6.1.tar.xz deleted file mode 100644 index 4b6358eed24f99294edef2d2f3887a749252cd11..0000000000000000000000000000000000000000 Binary files a/libreoffice-help-5.3.6.1.tar.xz and /dev/null differ diff --git a/libreoffice-translations-5.3.6.1.tar.xz b/libreoffice-translations-5.3.6.1.tar.xz deleted file mode 100644 index c776133bcfdad3281005fc720644379e4f8c812f..0000000000000000000000000000000000000000 Binary files a/libreoffice-translations-5.3.6.1.tar.xz and /dev/null differ diff --git a/libreoffice.spec b/libreoffice.spec index ca94ba47d2f505999ab6554e3c32c000ee8f32d8..6d9f144bf0c2cd74a866030b10e882c67e15c2a8 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 26%{?libo_prerelease}%{?dist} +Release: 27%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ 
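Review bot: The three digests in the new `download` file are 32 hex digits long, which matches MD5, and with the tarballs deleted from the repository in the same commit they are the only integrity check on the fetched sources visible here. MD5 is not collision-resistant, so if the tooling that reads this file accepts a stronger digest, record SHA-256 values instead, in the form `<sha256-placeholder> libreoffice-5.3.6.1.tar.xz`. If the format is fixed to MD5, the sources should at least be fetched only from a trusted location over an authenticated transport.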
@@ -297,6 +297,9 @@ Patch67: 0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch Patch68: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch Patch69: 0001-disable-script-dump.patch Patch70: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch +Patch71: 0001-Fix-cve-CVE-2022-3140.patch +Patch72: 0001-fix-cve-CVE-2023-6186.patch +Patch73: 0001-fix-cve-CVE-2025-1080.patch %if 0%{?rhel} # not upstreamed @@ -2363,6 +2366,9 @@ done %{_includedir}/LibreOfficeKit %changelog +* Mon Jul 14 2025 zhuhongbo - 1:5.3.6.1-27 +- fix: fix cve CVE-2025-1080 + * Fri May 17 2024 Eike Rathke - 1:5.3.6.1-26 - Fix CVE-2022-38745 Empty entry in Java class path - Fix CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing
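Review bot: The new %changelog entry names only CVE-2025-1080, while the hunk adding Patch71 to Patch73 also brings in fixes for CVE-2022-3140 and CVE-2023-6186; tools and auditors that read the changelog to decide whether a build is patched will miss two of the three. List all of them, e.g. `- Fix CVE-2022-3140`, `- Fix CVE-2023-6186`, `- Fix CVE-2025-1080`. Patch73 calls `IsExoticProtocol()`, which Patch72 introduces, and edits code that Patch71 adds, so the three must be applied in numeric order. How the spec applies patches is outside the visible hunks, so confirm that Patch71 to Patch73 are actually picked up by the build.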