* CVE-2024-12425 (https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425)

"""
Various file formats can contain embedded font files which are extracted to temporary files which are added to LibreOffice's font lists. Prior to this fix, an attacker could craft a document with embedded font file path names which could cause LibreOffice to write the contents of the embedded font to a filename in an arbitrary location the user has permission to write to. Albeit always with a ".ttf" suffix.

Users are recommended to upgrade to 24.8.4 to avoid this issue.

Credit: Thanks to Thomas Rinsma of Codean Labs for finding and reporting this issue. Thanks to Caolán McNamara of Collabora Productivity for providing a fix.
"""

* CVE-2024-12426 (https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426)

"""
Description: URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. Prior to this fix, documents could include links that made use of an internal feature that expands environmental variables and INI file values in URLS. In the fixed version, the expansion feature is not available in document hosted urls.

Users are recommended to upgrade to 24.8.4 to avoid this issue.

Credit: Thanks to Thomas Rinsma of Codean Labs for finding and reporting this issue. Thanks to Caolán McNamara of Collabora Productivity for providing a fix.
"""

--

Note that the CVE descriptions for both at https://nvd.nist.gov/vuln/detail/CVE-2024-12425 and https://nvd.nist.gov/vuln/detail/CVE-2024-12426 say "This issue affects LibreOffice: from 24.8 before < 24.8.4." but the official advisories linked above don't. We often see this sort of thing being incorrect. Not only that, e.g. Ubuntu has backported to before 24.8 (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=libreoffice&field.status_filter=published&field.series_filter=).
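For the CVE-2024-12425 description quoted above, an added C++ example (not LibreOffice's actual fix and not part of this bug report) of why an unchecked embedded font name controls the write location, next to a conservative name check. The directory, the helper names, the allowlist and the sample font names are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// "Before" shape: the document-supplied name goes into the path unchecked, so
// ".." segments or an absolute name decide where the ".ttf" file is written.
fs::path naive_font_path(const fs::path& temp_dir, const std::string& name) {
    return temp_dir / (name + ".ttf");
}

// True when p, after lexical normalisation, is not located under temp_dir.
bool escapes(const fs::path& temp_dir, const fs::path& p) {
    fs::path rel = p.lexically_normal().lexically_relative(temp_dir.lexically_normal());
    return rel.empty() || rel.begin()->string() == "..";
}

// Assumed allowlist: short ASCII names made of letters, digits, '_' and '-'.
bool is_conservative_font_name(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    return std::all_of(name.begin(), name.end(), [](unsigned char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '_' || c == '-';
    });
}

// Hardened shape: reject anything outside the allowlist, then confirm the
// resulting path still sits under temp_dir before any file is created.
std::optional<fs::path> checked_font_path(const fs::path& temp_dir, const std::string& name) {
    if (!is_conservative_font_name(name)) return std::nullopt;
    fs::path candidate = (temp_dir / (name + ".ttf")).lexically_normal();
    if (escapes(temp_dir, candidate)) return std::nullopt;
    return candidate;
}

int main() {
    const fs::path dir = "/tmp/lo-fonts";  // constructed directory, nothing is written
    for (const std::string name : {"font1", "../../home/user/x", "/etc/x"}) {  // constructed names
        std::cout << name << " naive-escapes=" << escapes(dir, naive_font_path(dir, name))
                  << " accepted=" << checked_font_path(dir, name).has_value() << "\n";
    }
}
```

The check is purely lexical; it does not resolve symlinks inside the temporary directory.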
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59d270e10d5676649b9921e7dd93bf77f382a2e1

commit 59d270e10d5676649b9921e7dd93bf77f382a2e1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2025-01-25 19:45:14 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2025-01-25 20:28:36 +0000

    app-office/libreoffice: Fix CVE-2024-12425, CVE-2024-12426; drop Qt5

    - Cleanup masked IUSE firebird
    - Cleanup obsolete/broken IUSE=odk tarball from SRC_URI
    - Fix some pkgcheck warnings

    Additional backports over -r0:

    Caolán McNamara (3):
      be conservative on allowed temp font names
      consider VndSunStarExpand an exotic protocol
      look at 'embedded' protocols too

    Stephan Bergmann (2):
      Some missing "block untrusted referer links" for form controls
      Fix check for further exotic protocols

    Bug: https://bugs.gentoo.org/946290
    Bug: https://bugs.gentoo.org/948825
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest | 1 +
 .../libreoffice/libreoffice-24.2.7.2-r1.ebuild | 670 +++++++++++++++++++++
 2 files changed, 671 insertions(+)
I assume this also applies to libreoffice-bin and we need to add a fixed version there as well?
(In reply to Hans de Graaff from comment #2)
> I assume this also applies to libreoffice-bin and we need to add a fixed
> version there as well?

>=24.8.4 is based on upstream binaries now. Filed bug 950131 for stabling that.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdd726d74596fbbb199336e4c0c81b769b0b5e99

commit fdd726d74596fbbb199336e4c0c81b769b0b5e99
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2025-02-26 20:49:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2025-02-26 20:49:38 +0000

    app-office/libreoffice: drop 24.2.7.2

    Closes: https://bugs.gentoo.org/948833
    Bug: https://bugs.gentoo.org/948825
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest | 2 -
 ...reoffice-24.2.7.2-no-std-basic_string-int.patch | 119 ----
 .../files/libreoffice-24.2.7.2-poppler-24.12.patch | 38 --
 app-office/libreoffice/libreoffice-24.2.7.2.ebuild | 706 ---------------------
 4 files changed, 865 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81ed50b89f453c75086cb4e04b909859dc37e150

commit 81ed50b89f453c75086cb4e04b909859dc37e150
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2025-03-09 22:18:53 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2025-03-09 22:22:08 +0000

    app-office/libreoffice-bin: drop 24.2.7.2

    Bug: https://bugs.gentoo.org/948825
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin/Manifest | 6 -
 .../libreoffice-bin-24.2.7.2.ebuild | 244 ---------------------
 2 files changed, 250 deletions(-)