From: Raspbian automatic forward porter Date: Sat, 18 Jan 2025 20:05:42 +0000 (+0000) Subject: Merge version 1:7.0.4-4+rpi1+deb11u11 and 1:7.0.4-4+deb11u12 to produce 1:7.0.4-4... X-Git-Tag: raspbian/1%7.0.4-4+rpi1+deb11u12 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6bada8b17858084ed8c8c678a7c167242abfb714;p=libreoffice.git Merge version 1:7.0.4-4+rpi1+deb11u11 and 1:7.0.4-4+deb11u12 to produce 1:7.0.4-4+rpi1+deb11u12 --- 22400060a3e7a9580629dd51a8a103555841da61 diff --cc debian/changelog index 4f67bc69ab1,2f9aca6c0e4..09cf7758c4a --- a/debian/changelog +++ b/debian/changelog @@@ -1,12 -1,31 +1,41 @@@ - libreoffice (1:7.0.4-4+rpi1+deb11u11) bullseye-staging; urgency=medium ++libreoffice (1:7.0.4-4+rpi1+deb11u12) bullseye-staging; urgency=medium + + [changes brought forward from 1:6.0.2-1+rpi2 by Peter Michael Green at Fri, 27 Apr 2018 02:14:18 +0000] + * Disable testsuite. + + [changes introduced in 1:5.4.0-1+rpi1 by Peter Michael Green] + * Disable pdfium, it fails to build for armv6 + - -- Raspbian forward porter Thu, 17 Oct 2024 15:49:13 +0000 ++ -- Raspbian forward porter Sat, 18 Jan 2025 20:05:39 +0000 ++ + libreoffice (1:7.0.4-4+deb11u12) bullseye-security; urgency=medium + + * LTS team upload + * Fix CVE-2024-12425: + Path traversal leading to arbitrary .ttf file write + Various file formats can contain embedded font files which + are extracted to temporary files which are added to + LibreOffice's font lists. + Prior to this fix, an attacker could craft a document + with embedded font file path names which could cause + LibreOffice to write the contents of the embedded font + to a filename in an arbitrary location the user has + permission to write to. Albeit always with a + ".ttf" suffix. 
+ * Fix CVE-2024-12426 + URL fetching can be used to exfiltrate arbitrary INI + file values and environment variables + URLs could be constructed which expanded environmental + variables or INI file values, so potentially sensitive + information could be exfiltrated to a remote server on + opening a document containing such links. + Prior to this fix, documents could include links that + made use of an internal feature that expands environmental + variables and INI file values in URLS. In the fixed version, + the expansion feature is not available in document hosted urls. + * Remove CJK test that fail on some builder (flaky test) + + -- Bastien Roucariès Mon, 13 Jan 2025 22:18:17 +0000 libreoffice (1:7.0.4-4+deb11u11) bullseye-security; urgency=medium
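Review bot: In the 1:7.0.4-4+deb11u12 entry, the item "* Remove CJK test that fail on some builder (flaky test)" does not name the test that was removed, and neither CVE item names the patch that carries its fix, so someone auditing this upload cannot map the changelog to the actual changes. Suggest naming the removed test and the patch files in each item. Because the merged +rpi1 entry keeps "* Disable testsuite.", it would also help to state there that the fixes for CVE-2024-12425 and CVE-2024-12426 are not exercised by any test run in this build. Minor style points: "* Fix CVE-2024-12425:" ends with a colon while "* Fix CVE-2024-12426" does not, and "URLS" and "urls" are cased inconsistently within the same item.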