More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2369829 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
FWIW I incorporated the Debian patches for the three 2024 CVEs identified and addressed by the Cisco Talos team into my fork of catdoc at https://github.com/skierpage/catdoc, in addition to years of patches that Debian's maintainer has carried, in particular a fix for high-priority Red Hat bug 2150140. I also introduced CI that runs a basic `make check` test suite and produces source and dist tar files, and made various other fixes. So if Fedora wants these CVEs and others addressed, just change catdoc-spec to point to my repo. I brought this up on #rpm IRC back in 2023 and user @rsc was dubious about switching to some random dog on the Internet. But since the current upstream is utterly dead (no commits since 2016, broken bug tracker, maintainer Victor Wagner unresponsive) and my repo is essentially the same source code that Debian's patched catdoc produces, I don't see how it can be worse than the current situation for Fedora to use my fork as upstream. I'm around and eager to help! I can tag a v0.97 whenever it's convenient for Fedora.