-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Jan 2025 22:18:17 +0000
Source: libreoffice
Architecture: source
Version: 1:7.0.4-4+deb11u12
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 libreoffice (1:7.0.4-4+deb11u12) bullseye-security; urgency=medium
 .
   * LTS team upload
   * Fix CVE-2024-12425: Path traversal leading to arbitrary .ttf file write
     Various file formats can contain embedded font files which are extracted
     to temporary files which are added to LibreOffice's font lists. Prior to
     this fix, an attacker could craft a document with embedded font file path
     names which could cause LibreOffice to write the contents of the embedded
     font to a filename in an arbitrary location the user has permission to
     write to, albeit always with a ".ttf" suffix.
   * Fix CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI
     file values and environment variables
     URLs could be constructed which expanded environmental variables or INI
     file values, so potentially sensitive information could be exfiltrated to
     a remote server on opening a document containing such links. Prior to
     this fix, documents could include links that made use of an internal
     feature that expands environmental variables and INI file values in URLs.
     In the fixed version, the expansion feature is not available in document
     hosted URLs.
   * Remove CJK test that fails on some builders (flaky test)
Checksums-Sha1:
 d35ab97f1dc82a441acfdc5c87c694d4f896adf7 31324 libreoffice_7.0.4-4+deb11u12.dsc
 cdbd0cc8c305db165d117e12de86c93e98d6e7c3 110142616 libreoffice_7.0.4.orig-helpcontent2.tar.xz
 12a5024b20272d8e20d6d503bfbb46c35b6c4d1e 176691588 libreoffice_7.0.4.orig-translations.tar.xz
 8ffff9e324ec3b72ef521cfaea9600b783d0c53c 236477520 libreoffice_7.0.4.orig.tar.xz
 66cea38b1450e5527dba5f074733ac937e0bc029 833 libreoffice_7.0.4.orig.tar.xz.asc
 1deeccd0bd6e0025a13fe03d5aba083f5e58f6f5 19547000 libreoffice_7.0.4-4+deb11u12.debian.tar.xz
 2fadb984495f612a93514a189945b895f53515ef 119525 libreoffice_7.0.4-4+deb11u12_amd64.buildinfo
Checksums-Sha256:
 9228014ee46b31b2d52ade0c773ed4957a8791f161de92d31d848498551ab512 31324 libreoffice_7.0.4-4+deb11u12.dsc
 8311462f214e27841ba4970bbae518b9a4b2088380877b8dff5e2005587357c1 110142616 libreoffice_7.0.4.orig-helpcontent2.tar.xz
 28d7421771af20a310983dec5c64da8103eb6a159e098c6e5f1a1c1e6731e146 176691588 libreoffice_7.0.4.orig-translations.tar.xz
 9fa9d2cc8d02f12b1f302b93056d5c0ff986090a6f309bafa506ba53779f2abd 236477520 libreoffice_7.0.4.orig.tar.xz
 773a0034f2f4a26e3e285ac605e704df6d90b06722af64b95e42ea4452a34b91 833 libreoffice_7.0.4.orig.tar.xz.asc
 6185e13bb07568ef4d8c2ed22106bd44a359e7638ca8a379bdd394c7340db4c7 19547000 libreoffice_7.0.4-4+deb11u12.debian.tar.xz
 3a1e628670f64a1472effbd3dcfbd63d6a926175745dc10b2f11b936b05d43fc 119525 libreoffice_7.0.4-4+deb11u12_amd64.buildinfo
Files:
 8b07483faa028743a582826372ef6947 31324 editors optional libreoffice_7.0.4-4+deb11u12.dsc
 f76a9b75c5b2e334751b3bda4c3bce9c 110142616 editors optional libreoffice_7.0.4.orig-helpcontent2.tar.xz
 ec39192b68eabc0b56405a96f31bc165 176691588 editors optional libreoffice_7.0.4.orig-translations.tar.xz
 cad93ef2c87928b5a2971ae7e6474fe1 236477520 editors optional libreoffice_7.0.4.orig.tar.xz
 95f6830c549f3393ac49f0c743ba9a20 833 editors optional libreoffice_7.0.4.orig.tar.xz.asc
 1935f81e5bdcb76f2e5caf3db928bee1 19547000 editors optional libreoffice_7.0.4-4+deb11u12.debian.tar.xz
 ff1761b3f5e61c2174900a11c46b7291 119525 editors optional libreoffice_7.0.4-4+deb11u12_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmeLhEgACgkQADoaLapB
CF/mLg//Tm/pCIZOgARjNi52iz4vV2xvTNBN7jTZh9W/halC5Wjjn30I61Gzxslo
5OlhwqozTltUla3rQyUefehiGhAUAdCNJkd2XdEkXgnTobyf/1xoXFig6dBlkrKv
VlLcXTCPTtGMrvaAA8GYOvrPE2M+feU/zYNS/VqecW5UQI7aIKWeV70KB048ViND
kDtiaX677z5X4mzfjKv7zFMWOxcGqNE3FxYuqUZKjSBoVYLzQOdwssKZsIR/0Ew5
3nmsenTiVD41Mtls0d1IfCSIujXULaeP0nTKHbGzsaC+TDruN8Ri/pKXNdgGnLux
zwlKshp9WPFvvY0RQQnf9dJgF1LvQ17XZIOle45W+XDj+XzWbYjRs0/atWbbzf0B
NJMeNMJ/OtJVOTucVo2f5TVBOxjV9MzUNG8a6VMB0dxTutyIHXmC6Ae0Jv84zvlT
UAW5UuLcn9td1Tnon8m++zUGcUTF75HuvbBHxSbKD2h4lTA8ZOMxAy/QJhLXP7M8
PKBUL/j1NSnor93Er6kLBJXTDP4yejkxRI7AcKrfgXAQ69hlhFHff+yrb8EgY3c7
/cOpba4ZDHaIwQKDAElHKua+5ATBeCWHBhVCo0RpRPa9CNmfWKiGsWF1jB2k1XWu
PnDfgHeIeZiiLSevWqRC31P1OaQ85SbgXEMbBoyUfFd+muby3m8=
=bm9b
-----END PGP SIGNATURE-----
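The hardening the changelog describes for CVE-2024-12425, as an added illustration that is not LibreOffice's or Debian's own code: the name a document declares for an embedded font is attacker-controlled, so the extractor reduces it to a bare basename, re-checks that the final path stays inside the extraction directory, and refuses to overwrite existing files. The function names (`sanitize_font_name`, `escapes_directory`, `extract_font`, `extract_all`, `demo`) and the `SAMPLE_FONTS` table are all constructed for this example; `escapes_directory` shows the containment check a reviewer or detection rule would apply to the pre-fix pattern of joining the declared name verbatim.

```python
"""Confined extraction of embedded font files to a temporary directory.

Added illustration, not LibreOffice code, of the hardening described for
CVE-2024-12425: the file name a document declares for an embedded font is
attacker-controlled, so it must never be allowed to steer the write outside
the extraction directory.  Every function name and the sample document
below are constructed for this example.
"""
import os
import re
import tempfile

# Characters that may NOT survive in an extracted font's basename.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_font_name(declared_name: str) -> str:
    """Reduce a declared font name to a bare basename ending in .ttf.

    Directory components (either separator style), leading dots and
    unusual characters are dropped, so "../x/y.ttf" becomes "y.ttf".
    """
    base = declared_name.replace("\\", "/").split("/")[-1]
    base = _UNSAFE_CHARS.sub("_", base.lstrip("."))
    if base.lower().endswith(".ttf"):
        base = base[:-4]
    return (base or "font") + ".ttf"


def escapes_directory(extract_dir: str, declared_name: str) -> bool:
    """Detection check for the pre-fix pattern: would joining the declared
    name verbatim onto extract_dir resolve to a path outside it?"""
    root = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(root, declared_name))
    return os.path.commonpath([root, target]) != root


def extract_font(extract_dir: str, declared_name: str, data: bytes) -> str:
    """Write font bytes under extract_dir using a sanitized basename.

    The containment check is repeated on the final path as defence in
    depth, and O_EXCL refuses to overwrite (or follow a symlink at) an
    existing file.  Name clashes get a numeric suffix.
    """
    root = os.path.realpath(extract_dir)
    base = sanitize_font_name(declared_name)
    stem = base[:-4]
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    for n in range(1000):
        candidate = base if n == 0 else f"{stem}-{n}.ttf"
        target = os.path.realpath(os.path.join(root, candidate))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing to write outside {root}: {declared_name!r}")
        try:
            fd = os.open(target, flags, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return target
    raise RuntimeError(f"too many fonts named {base}")


# Constructed sample: a document's embedded-font table with one benign entry,
# one that tries to climb out of the extraction directory, and a duplicate.
SAMPLE_FONTS = [
    ("Liberation Sans.ttf", b"\x00\x01\x00\x00" + b"\x00" * 12),
    ("../../../outside/escaped.ttf", b"\x00\x01\x00\x00" + b"\x00" * 12),
    ("Liberation Sans.ttf", b"\x00\x01\x00\x00" + b"\x00" * 12),
]


def extract_all(extract_dir: str, fonts) -> list:
    """Extract every (declared_name, data) pair; returns the paths written."""
    return [extract_font(extract_dir, name, data) for name, data in fonts]


def demo() -> list:
    """Run the sample table through a fresh temp dir; return relative names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        return [os.path.relpath(p, root) for p in extract_all(tmp, SAMPLE_FONTS)]


if __name__ == "__main__":
    for name, _ in SAMPLE_FONTS:
        print(f"{name!r}: escapes={escapes_directory('/srv/fonts', name)} "
              f"-> {sanitize_font_name(name)}")
    print(demo())
```

The sanitizer alone would be enough to stop the traversal, but the `commonpath` check on the resolved target is kept as an independent second line of defence, so a future bug in name handling still cannot produce a write outside the font directory; `O_EXCL` additionally ensures an extracted font can never replace a file that already exists there.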