From 11004721a9a1ba60d2d34b690ba937dc4370ace2 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 05 2022 09:49:01 +0000
Subject: import libreoffice-7.1.8.1-6.el9


---

diff --git a/SOURCES/0001-CVE-2021-25636.patch b/SOURCES/0001-CVE-2021-25636.patch
new file mode 100644
index 0000000..9ec1f6a
--- /dev/null
+++ b/SOURCES/0001-CVE-2021-25636.patch
@@ -0,0 +1,69 @@
+From 26c9da40d44f1469df97398362667c74553be7d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 20 Dec 2021 17:05:44 +0000
+Subject: [PATCH] only use X509Data
+
+Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193
+Tested-by: Jenkins
+Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
+(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178
+Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
+(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139)
+---
+ .../source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx      | 6 ++++++
+ xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx      | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+index c699c950f351..9f816479f9dd 100644
+--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
++++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx
+@@ -22,6 +22,8 @@
+ #include <rtl/uuid.h>
+ #include <xmlsec-wrapper.h>
+ 
++#include <xmlsec/mscng/x509.h>
++
+ #include <com/sun/star/xml/crypto/SecurityOperationStatus.hpp>
+ #include <com/sun/star/xml/crypto/XXMLSignature.hpp>
+ 
+@@ -233,6 +235,10 @@ SAL_CALL XMLSignature_MSCryptImpl::validate(
+     // We do certificate verification ourselves.
+     pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++    // limit possible key data to valid X509 certificates only, no KeyValues
++    if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecMSCngKeyDataX509GetKlass()) < 0)
++        throw RuntimeException("failed to limit allowed key data");
++
+     //Verify signature
+     //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0)
+     //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if
+diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+index b41d754f7407..975c17272dc7 100644
+--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
++++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx
+@@ -20,6 +20,8 @@
+ #include <sal/config.h>
+ #include <xmlsec-wrapper.h>
+ 
++#include <xmlsec/nss/x509.h>
++
+ #include <xmlelementwrapper_xmlsecimpl.hxx>
+ #include <xmlsec/xmlstreamio.hxx>
+ #include <xmlsec/errorcallback.hxx>
+@@ -247,6 +249,10 @@ SAL_CALL XMLSignature_NssImpl::validate(
+         // We do certificate verification ourselves.
+         pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS;
+ 
++        // limit possible key data to valid X509 certificates only, no KeyValues
++        if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0)
++            throw RuntimeException("failed to limit allowed key data");
++
+         //Verify signature
+         int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode );
+ 
+-- 
+2.35.1
+
diff --git a/SOURCES/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch b/SOURCES/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch
new file mode 100644
index 0000000..c4b0fff
--- /dev/null
+++ b/SOURCES/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch
@@ -0,0 +1,53 @@
+From 3925cf39742ebee935498b14571f13f3e8b64b49 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Sat, 19 Feb 2022 20:43:33 +0000
+Subject: [PATCH] EditTextObjectImpl copy ctor doesn't exactly copy
+ EditTextObjectImpl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and this is apparently relied on, so eliding the copy gives unexpected
+results.
+
+EditTextObjectImpl::Clone returns a copy of *this, but the
+EditTextObjectImpl copy ctor explicitly does not copy the "PortionInfo"
+member, so in:
+
+commit fb8973f31f111229be5184f4e4223e963ced2c7b
+Author: Caolán McNamara <caolanm@redhat.com>
+Date:   Sat Oct 10 19:21:38 2020 +0100
+
+    ofz#23492 the only user of this ctor throws away the original of the clone
+
+    so we can take ownership of the original instead
+
+where the copy was optimized away we want from a state where there was a
+new EditTextObjectImpl with an empty PortionInfo member to one where the
+PortionInfo of the EditTextObjectImpl was retained.
+
+So explicitly clear this unwanted info.
+
+It's very hard to make rational judgements about code if a copy behaves
+differently than the orignal :-(
+
+Change-Id: I642d60841d6bdccbf830f8a2ccdbd9f542a8aa18
+---
+ editeng/source/outliner/outliner.cxx | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/editeng/source/outliner/outliner.cxx b/editeng/source/outliner/outliner.cxx
+index 9c474131352c..d48e4a542723 100644
+--- a/editeng/source/outliner/outliner.cxx
++++ b/editeng/source/outliner/outliner.cxx
+@@ -383,6 +383,7 @@ std::unique_ptr<OutlinerParaObject> Outliner::CreateParaObject( sal_Int32 nStart
+         aParagraphDataVector[nPara-nStartPara] = *GetParagraph(nPara);
+     }
+ 
++    xText->ClearPortionInfo(); // tdf#147166 the PortionInfo is unwanted here
+     std::unique_ptr<OutlinerParaObject> pPObj(new OutlinerParaObject(std::move(xText), aParagraphDataVector, bIsEditDoc));
+     pPObj->SetOutlinerMode(GetMode());
+ 
+-- 
+2.35.1
+
diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec
index 9505646..2c3c1e4 100644
--- a/SPECS/libreoffice.spec
+++ b/SPECS/libreoffice.spec
@@ -57,7 +57,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.1
-Release:        5%{?libo_prerelease}%{?dist}
+Release:        6%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL:            http://www.libreoffice.org/
 
@@ -271,6 +271,8 @@ Patch15: 0001-Resolves-tdf-140250-don-t-share-adjustments-between-.patch
 Patch16: 0001-fix-comparison-when-searching-cache.patch
 Patch17: 0001-tdf-121546-sw-don-t-use-undo-array-s-m_pOutlineNodes.patch
 Patch18: 0001-annocheck-warning-about-missing-.note.gnu.property-s.patch
+Patch19: 0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch
+Patch20: 0001-CVE-2021-25636.patch
 
 # not upstreamed
 Patch500: 0001-disable-libe-book-support.patch
@@ -2267,6 +2269,9 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || :
 %{_includedir}/LibreOfficeKit
 
 %changelog
+* Tue Feb 22 2022 Caolán McNamara <caolanm@redhat.com> - 1:7.1.8.1-6
+- Resolves: rhbz#2056412 merge in fedoa 34 changes
+
 * Thu Feb 10 2022 Caolán McNamara <caolanm@redhat.com> - 1:7.1.8.1-5
 - Related: rhbz#2042817 bump n-v-r