xmlsecurity: XSecParser confused about multiple timestamps

LO writes timestamp both to dc:date and xades:SigningTime elements.

The parser tries to avoid reading multiple dc:date, preferring the first
one, but doesn't care about multiple xades:SigningTime, for undocumented
reasons.

Ideally something should check all read values for consistency.

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111160
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 4ab8d9c09a5873ca0aea56dafa1ab34758d52ef7)

xmlsecurity: remove XSecController::setPropertyId()

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111252
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit d2a345e1163616fe3201ef1d6c758e2e819214e0)

Change-Id: Ic018ee89797a1c8a4f870ae102af48006de930ef
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111908
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Gbp-Pq: Name xmlsecurity-XSecParser-confused-about-multiple-timestamps.diff

xmlsecurity: replace XSecParser implementation

Implement Namespaces in XML and follow xmldsig-core and XAdES schemas.

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/110833
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 12b15be8f4f930a04d8056b9219ac969b42a9784)

xmlsecurity: move XSecParser state into contexts

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111158
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 59df9e70ce1a7ec797b836bda7f9642912febc53)

xmlsecurity: move XSecParser Reference state into contexts

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111159
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit cfeb89a758b5f0ec406f0d72444e52ed2f47b85e)

Change-Id: I03537b51bb757ecbfa63a826b38de543c70ba032
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111907
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Gbp-Pq: Name xmlsecurity-replace-XSecParser-implementation.diff

apparmor-updates

Gbp-Pq: Name apparmor-updates.diff

pdfium-m68k

don't break pdfium build on m68k

FIXME: Make this set by autoconf, most of the defines in build_config.h are not actually
used anyway in pdfium...

Gbp-Pq: Name pdfium-m68k.diff

unowinreg-static-libgcc

Gbp-Pq: Name unowinreg-static-libgcc.diff

fix-bluez-external

Gbp-Pq: Name fix-bluez-external.diff

add pdf to DRAWDOCS for bash-completion

Change-Id: I02195cb235774d205e9f9cc8821b897a841fa54f

Gbp-Pq: Name bash-completion-DRAWDOCS-pdf.diff

Upgrade liborcus to 0.16.0.

Change-Id: Iae29fb26417dfc161698a81bee84e81545969065
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102502
Tested-by: Jenkins
Reviewed-by: Kohei Yoshida <kohei@libreoffice.org>
Gbp-Pq: Name liborcus-0.16.diff

Convert attribute value to UTF-8 when passing it to libxml2

Using toUtf8, requiring the OUString to actually contain well-formed data, but
which is likely OK for this test-code--only function, and is also what similar
dumpAsXml functions e.g. in editeng/source/items/textitem.cxx already use.

This appears to have been broken ever since the code's introduction in
553f10c71a2cc92f5f5890e24948f5277e3d2758 "add dumpAsXml() to more pool items",
and it would typically only have written the leading zero or one
(depending on the architecture's endianness) characters.  (I ran across it on
big-endian s390x, where CppunitTest_sd_tiledrendering
SdTiledRenderingTest::testTdf104405 failed because of

> Entity: line 2: parser error : Input is not proper UTF-8, indicate encoding !
> Bytes: 0xCF 0x22 0x2F 0x3E
> ation=""/><SfxPoolItem whichId="4017" typeName="13SvxBulletItem" presentation="%
>                                                                                ^

apparently reported from within libxml2.)

Change-Id: I4b116d3be84098bd8b8a13b6937da70a1ee02c7f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103236
Reviewed-by: Noel Grandin <noel.grandin@collabora.co.uk>
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins
Gbp-Pq: Name bigendian.diff

[PATCH] Resolves: rhbz#1432468 disable opencl by default

Change-Id: Ie037fcabdd219f195425979dd721501fb5527573

Gbp-Pq: Name no-opencl-per-default.diff

disable-shortcuts_tab_navigation-uitest

Gbp-Pq: Name disable-shortcuts_tab_navigation-uitest.diff

fix-lo-xlate-lang-nb

Gbp-Pq: Name fix-lo-xlate-lang-nb.diff

sc-opengl-optional

Gbp-Pq: Name sc-opengl-optional.diff

add-access2base-doc

Gbp-Pq: Name add-access2base-doc.diff

Add safer float comparisons to bridgetest equals()

Bug-Ubuntu: https://launchpad.net/bugs/1832360

Gbp-Pq: Name fix-flaky-bridgetest.diff

fix rounding errors that cause autopkgtests to fail on i386

Gbp-Pq: Name fix-uicheck-tests-on-i386.patch

apparmor-opencl

apparmor: Add opencl support

AppArmor in Debian Buster now has OpenCL abstractions.

Include OpenCL abstractions to fix OpenCL usage in Calc.

Gbp-Pq: Name apparmor-opencl.diff

[PATCH] mariadb

Gbp-Pq: Name use-mariadb-java-instead-of-mysql-java.diff

disableClassPathURLCheck

Gbp-Pq: Name disableClassPathURLCheck.diff

apparmor-mesa

Gbp-Pq: Name apparmor-mesa.diff

[PATCH] apparmor: use dri-enumerate abstraction

Remove backported rule and use new dri-enumerate abstraction instead.
dri-enumerate is available in AppArmor 2.13, which recently migrated
into Debian Buster.

Change-Id: I64919edc1882f7bc1e65cfb94686464c5350f699

Gbp-Pq: Name apparmor-cleanups.diff

apparmor-allow-java.security

Gbp-Pq: Name apparmor-allow-java.security.diff

do-not-hide-test-output

Gbp-Pq: Name do-not-hide-test-output.diff

disable-java-in-odk-build-examples-on-zero-vm

Gbp-Pq: Name disable-java-in-odk-build-examples-on-zero-vm.diff

appstream-ignore-startcenter

Gbp-Pq: Name appstream-ignore-startcenter.diff

Hide startcenter and math from the shell

Bug-Ubuntu: https://launchpad.net/bugs/1696250
Forwarded: not-needed

Gbp-Pq: Name hide-math-desktop-file.patch

apparmor-complain

Gbp-Pq: Name apparmor-complain.diff

cppunit-optional

Gbp-Pq: Name cppunit-optional.diff

no-openssl

don't add -lssl etc if not needed (because we use system-postgresql)

Gbp-Pq: Name no-openssl.diff

system-officeotron-and-odfvalidator

Gbp-Pq: Name system-officeotron-and-odfvalidator.diff

no-packagekit-per-default

Gbp-Pq: Name no-packagekit-per-default.diff

hppa-is-32bit

Gbp-Pq: Name hppa-is-32bit.diff

javadoc-optional

Gemeinsame Unterverzeichnisse: odk-old/config und odk/config.
Gemeinsame Unterverzeichnisse: odk-old/docs und odk/docs.
Gemeinsame Unterverzeichnisse: odk-old/examples und odk/examples.

Gemeinsame Unterverzeichnisse: odk-old/config und odk/config.
Gemeinsame Unterverzeichnisse: odk-old/docs und odk/docs.
Gemeinsame Unterverzeichnisse: odk-old/examples und odk/examples.

Gbp-Pq: Name javadoc-optional.diff

fix-internal-hsqldb-build

Gbp-Pq: Name fix-internal-hsqldb-build.diff

disable-flaky-tests

14:13 < mst__> _rene_, the toolkit unoapi tests are known to be flaky (in some
               system dependent way) e.g. on the Win@6 tinderbox it always
               crashes
14:14 < mst__> _rene_, sc.ScAccessible* tests also fail on some systems some of
               the time

Gbp-Pq: Name disable-flaky-tests.diff

debian-hardened-buildflags-no-LO-fstack-protector-strong

don't hardcode -fstack-protector-strong in configure.ac/gbuild. We get the
hardening flags from dpkg-buildflags anyway.

Gbp-Pq: Name debian-hardened-buildflags-no-LO-fstack-protector-strong.diff

debian-hardened-buildflags-CPPFLAGS

Gbp-Pq: Name debian-hardened-buildflags-CPPFLAGS.diff

mediwiki-oor-replace

Gbp-Pq: Name mediwiki-oor-replace.diff

make-package-modules-not-suck

Gbp-Pq: Name make-package-modules-not-suck.diff

jdbc-driver-classpaths

Gbp-Pq: Name jdbc-driver-classpaths.diff

reportdesign-mention-package

Gbp-Pq: Name reportdesign-mention-package.diff

sensible-lomua

===================================================================

Gbp-Pq: Name sensible-lomua.diff

help-msg-add-package-info

Gbp-Pq: Name help-msg-add-package-info.diff

mention-java-common-package

Gbp-Pq: Name mention-java-common-package.diff

install-fixes

Gbp-Pq: Name install-fixes.diff

build-against-shared-lpsolve

Gbp-Pq: Name build-against-shared-lpsolve.diff

debian-debug

Gbp-Pq: Name debian-debug.diff

split-evoab

Gbp-Pq: Name split-evoab.diff

jurt-soffice-location

commit b71107fb12e3c3125e0cb62c5a4f6636a80c6408
Author:     Bjoern Michaelsen <bjoern.michaelsen@canonical.com>
AuthorDate: Tue Jun 7 11:52:37 2011 +0200
Commit:     Bjoern Michaelsen <bjoern.michaelsen@canonical.com>
CommitDate: Tue Jun 7 11:52:37 2011 +0200

    on debian-based systems, we know where our soffice binary is

Gbp-Pq: Name jurt-soffice-location.diff

debian-opt

Gbp-Pq: Name debian-opt.diff

no-check-if-root

Gbp-Pq: Name no-check-if-root.diff

libreoffice (1:7.0.4-4+deb11u12) bullseye-security; urgency=medium

  * LTS team upload
  * Fix CVE-2024-12425:
    Path traversal leading to arbitrary .ttf file write
    Various file formats can contain embedded font files which
    are extracted to temporary files which are added to
    LibreOffice's font lists.
    Prior to this fix, an attacker could craft a document
    with embedded font file path names which could cause
    LibreOffice to write the contents of the embedded font
    to a filename in an arbitrary location the user has
    permission to write to. Albeit always with a
    ".ttf" suffix.
  * Fix CVE-2024-12426
    URL fetching can be used to exfiltrate arbitrary INI
    file values and environment variables
    URLs could be constructed which expanded environmental
    variables or INI file values, so potentially sensitive
    information could be exfiltrated to a remote server on
    opening a document containing such links.
    Prior to this fix, documents could include links that
    made use of an internal feature that expands environmental
    variables and INI file values in URLS. In the fixed version,
    the expansion feature is not available in document hosted urls.
  * Remove CJK test that fail on some builder (flaky test)

[dgit import unpatched libreoffice 1:7.0.4-4+deb11u12]

Import libreoffice_7.0.4-4+deb11u12.debian.tar.xz

[dgit import tarball libreoffice 1:7.0.4-4+deb11u12 libreoffice_7.0.4-4+deb11u12.debian.tar.xz]

Import libreoffice_7.0.4.orig.tar.xz

[dgit import orig libreoffice_7.0.4.orig.tar.xz]

Import libreoffice_7.0.4.orig-helpcontent2.tar.xz

[dgit import orig libreoffice_7.0.4.orig-helpcontent2.tar.xz]

Import libreoffice_7.0.4.orig-translations.tar.xz

[dgit import orig libreoffice_7.0.4.orig-translations.tar.xz]