From b1bd9fecf512508273f3553149ac91c2cb013b7d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 31 2020 09:36:34 +0000
Subject: import libreoffice-5.3.6.1-24.el7
---
diff --git a/SOURCES/0001-rhbz-1728763-bg-of-blocks-is-black.patch b/SOURCES/0001-rhbz-1728763-bg-of-blocks-is-black.patch
new file mode 100644
index 0000000..cc038ba
--- /dev/null
+++ b/SOURCES/0001-rhbz-1728763-bg-of-blocks-is-black.patch
@@ -0,0 +1,114 @@ +From de56e13f6ddc291f2039cab57e017e9e2dd67016 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 23 Jul 2019 10:38:09 +0100 +Subject: [PATCH] rhbz#1728763 bg of blocks is black + +Change-Id: I31a331c8ada44b6d1424d122b54cbbe91cc8c221 +--- + cppcanvas/source/mtfrenderer/emfplus.cxx | 4 ++-- + cppcanvas/source/mtfrenderer/textaction.cxx | 11 ++++++++++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx +index 5a9076e82a0f..8b2059a8d187 100644 +--- a/cppcanvas/source/mtfrenderer/emfplus.cxx ++++ b/cppcanvas/source/mtfrenderer/emfplus.cxx +@@ -1305,7 +1305,7 @@ namespace cppcanvas + ::Color(), + ::Size(), + ::Color(), +- ::Color(), ++ ::Color(COL_AUTO), + text, + 0, + stringLength, +@@ -1621,7 +1621,7 @@ namespace cppcanvas + ::Color(), + ::Size(), + ::Color(), +- ::Color(), ++ ::Color(COL_AUTO), + text, + 0, + glyphsCount, +diff --git a/cppcanvas/source/mtfrenderer/textaction.cxx b/cppcanvas/source/mtfrenderer/textaction.cxx +index ad38d6c8a131..0bb23720b6a5 100644 +--- a/cppcanvas/source/mtfrenderer/textaction.cxx ++++ b/cppcanvas/source/mtfrenderer/textaction.cxx +@@ -766,6 +766,7 @@ namespace cppcanvas + const ::Color& rReliefColor, + const ::basegfx::B2DSize& rShadowOffset, + const ::Color& rShadowColor, ++ const ::Color& rTextFillColor, + const OUString& rText, + sal_Int32 nStartPos, + sal_Int32 nLen, +@@ -778,6 +779,7 @@ namespace cppcanvas + const ::Color& rReliefColor, + const ::basegfx::B2DSize& rShadowOffset, + const ::Color& rShadowColor, ++ const ::Color& rTextFillColor, + const OUString& rText, + sal_Int32 nStartPos, + sal_Int32 nLen, +@@ -834,6 +836,7 @@ namespace cppcanvas + const ::Color& rReliefColor, + const ::basegfx::B2DSize& rShadowOffset, + const ::Color& rShadowColor, ++ const ::Color& rTextFillColor, + const OUString& rText, + sal_Int32 nStartPos, + sal_Int32 nLen, +@@ -852,6 +855,7 @@ namespace 
cppcanvas + maReliefColor( rReliefColor ), + maShadowOffset( rShadowOffset ), + maShadowColor( rShadowColor ), ++ maTextFillColor( rTextFillColor ), + maTextDirection( rState.textDirection ) + { + initEffectLinePolyPolygon( maLinesOverallSize, +@@ -873,6 +877,7 @@ namespace cppcanvas + const ::Color& rReliefColor, + const ::basegfx::B2DSize& rShadowOffset, + const ::Color& rShadowColor, ++ const ::Color& rTextFillColor, + const OUString& rText, + sal_Int32 nStartPos, + sal_Int32 nLen, +@@ -892,6 +897,7 @@ namespace cppcanvas + maReliefColor( rReliefColor ), + maShadowOffset( rShadowOffset ), + maShadowColor( rShadowColor ), ++ maTextFillColor( rTextFillColor ), + maTextDirection( rState.textDirection ) + { + initEffectLinePolyPolygon( maLinesOverallSize, +@@ -2196,7 +2202,8 @@ namespace cppcanvas + !rState.textUnderlineStyle && + !rState.textStrikeoutStyle && + rReliefColor == aEmptyColor && +- rShadowColor == aEmptyColor ) ++ rShadowColor == aEmptyColor && ++ rTextFillColor == aEmptyColor ) + { + // nope + if( rParms.maTextTransformation.is_initialized() ) +@@ -2231,6 +2238,7 @@ namespace cppcanvas + rReliefColor, + aShadowOffset, + rShadowColor, ++ rTextFillColor, + rText, + nStartPos, + nLen, +@@ -2245,6 +2253,7 @@ namespace cppcanvas + rReliefColor, + aShadowOffset, + rShadowColor, ++ rTextFillColor, + rText, + nStartPos, + nLen, +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9848.patch b/SOURCES/CVE-2019-9848.patch new file mode 100644 index 0000000..59ec30a --- /dev/null +++ b/SOURCES/CVE-2019-9848.patch 
@@ -0,0 +1,47 @@ +From 3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 7 Jun 2019 14:04:07 +0100 +Subject: [PATCH] explictly exclude LibreLogo from XScript usage + +Change-Id: I567647f0e2f8b82e4ef2995c673abe82f4564228 +Reviewed-on: https://gerrit.libreoffice.org/73708 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +--- + sfx2/source/doc/objmisc.cxx | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index e245800f2fec..beea5170e44d 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1340,6 +1340,16 @@ namespace + } + } + ++namespace { ++ ++// don't allow LibreLogo to be used with our mouseover/etc dom-alike events ++bool UnTrustedScript(const OUString& rScriptURL) ++{ ++ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); ++} ++ ++} ++ + ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, + const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) + { +@@ -1352,6 +1362,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon + if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) + return ERRCODE_IO_ACCESSDENIED; + ++ if ( UnTrustedScript(_rScriptURL) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ + bool bCaughtException = false; + Any aException; + try +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9849.patch b/SOURCES/CVE-2019-9849.patch new file mode 100644 index 0000000..902cad4 --- /dev/null +++ b/SOURCES/CVE-2019-9849.patch 
@@ -0,0 +1,166 @@ +From 5d0796bc14c43fa6c3e1417046e241db89306fed Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Fri, 7 Jun 2019 09:28:12 +0200 +Subject: [PATCH] More uses of referer URL with SvxBrushItem + +Reviewed-on: https://gerrit.libreoffice.org/73643 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit b518882de8213ef71a8003f95fbdf7689069c06d) +Conflicts: + sw/source/core/text/porfld.cxx + sw/source/core/unocore/unosett.cxx + +Change-Id: I04b524784df4ef453d8b1feec13b62f183a17e23 +Reviewed-on: https://gerrit.libreoffice.org/73860 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +--- + sw/inc/unosett.hxx | 2 +- + sw/source/core/text/porfld.cxx | 4 ++-- + sw/source/core/text/porfld.hxx | 1 + + sw/source/core/text/txtfld.cxx | 12 +++++++++++- + sw/source/core/unocore/unosett.cxx | 15 ++++++++++++--- + .../uibase/config/StoredChapterNumbering.cxx | 2 +- + 6 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx +index 6386f4f..e90797e 100644 +--- a/sw/inc/unosett.hxx ++++ b/sw/inc/unosett.hxx +@@ -208,7 +208,7 @@ public: + + static css::uno::Sequence GetPropertiesForNumFormat( + const SwNumFormat& rFormat, OUString const& rCharFormatName, +- OUString const* pHeadingStyleName); ++ OUString const* pHeadingStyleName, OUString const & referer); + static void SetPropertiesToNumFormat( + SwNumFormat & aFormat, + OUString & rCharStyleName, +diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx +index 4f24e63..ba60112 100644 +--- a/sw/source/core/text/porfld.cxx ++++ b/sw/source/core/text/porfld.cxx +@@ -756,7 +756,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet, + SwGrfNumPortion::SwGrfNumPortion( + SwFrame*, + const OUString& rGraphicFollowedBy, +- const SvxBrushItem* pGrfBrush, ++ const SvxBrushItem* pGrfBrush, OUString const & referer, + const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize, + const bool bLft, const bool bCntr, const 
sal_uInt16 nMinDst, + const bool bLabelAlignmentPosAndSpaceModeActive ) : +@@ -770,7 +770,7 @@ SwGrfNumPortion::SwGrfNumPortion( + if( pGrfBrush ) + { + *pBrush = *pGrfBrush; +- const Graphic* pGraph = pGrfBrush->GetGraphic(); ++ const Graphic* pGraph = pGrfBrush->GetGraphic(referer); + if( pGraph ) + SetAnimated( pGraph->IsAnimated() ); + else +diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx +index 740c2d9..d648a0f 100644 +--- a/sw/source/core/text/porfld.hxx ++++ b/sw/source/core/text/porfld.hxx +@@ -170,6 +170,7 @@ public: + SwGrfNumPortion( SwFrame *pFrame, + const OUString& rGraphicFollowedBy, + const SvxBrushItem* pGrfBrush, ++ OUString const & referer, + const SwFormatVertOrient* pGrfOrient, + const Size& rGrfSize, + const bool bLeft, +diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx +index 239e2a3..b6f2c5e 100644 +--- a/sw/source/core/text/txtfld.cxx ++++ b/sw/source/core/text/txtfld.cxx +@@ -52,6 +52,7 @@ + #include "flddat.hxx" + #include "fmtautofmt.hxx" + #include ++#include + #include + + static bool lcl_IsInBody( SwFrame *pFrame ) +@@ -478,9 +479,18 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con + + if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() ) + { ++ OUString referer; ++ if (auto const sh1 = rInf.GetVsh()) { ++ if (auto const doc = sh1->GetDoc()) { ++ auto const sh2 = doc->GetPersist(); ++ if (sh2 != nullptr && sh2->HasName()) { ++ referer = sh2->GetMedium()->GetName(); ++ } ++ } ++ } + pRet = new SwGrfNumPortion( const_cast(GetTextFrame()), + pTextNd->GetLabelFollowedBy(), +- rNumFormat.GetBrush(), ++ rNumFormat.GetBrush(), referer, + rNumFormat.GetGraphicOrientation(), + rNumFormat.GetGraphicSize(), + bLeft, bCenter, nMinDist, +diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx +index 716ab9d..13dc05f 100644 +--- a/sw/source/core/unocore/unosett.cxx ++++ b/sw/source/core/unocore/unosett.cxx +@@ -53,6 +53,7 @@ + 
#include + #include + #include ++#include + #include + #include + #include +@@ -1342,13 +1343,21 @@ uno::Sequence SwXNumberingRules::GetNumberingRuleByIndex( + SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl, true); + } + +- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr); ++ OUString referer; ++ if (pDoc != nullptr) { ++ auto const sh = pDoc->GetPersist(); ++ if (sh != nullptr && sh->HasName()) { ++ referer = sh->GetMedium()->GetName(); ++ } ++ } ++ return GetPropertiesForNumFormat( ++ rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr, referer); + + } + + uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat( + const SwNumFormat& rFormat, OUString const& rCharFormatName, +- OUString const*const pHeadingStyleName) ++ OUString const*const pHeadingStyleName, OUString const & referer) + { + bool bChapterNum = pHeadingStyleName != nullptr; + +@@ -1480,7 +1489,7 @@ uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat + //graphicbitmap + const Graphic* pGraphic = nullptr; + if(pBrush ) +- pGraphic = pBrush->GetGraphic(); ++ pGraphic = pBrush->GetGraphic(referer); + if(pGraphic) + { + uno::Reference xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() ); +diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx +index 2464878..a56aeeb 100644 +--- a/sw/source/uibase/config/StoredChapterNumbering.cxx ++++ b/sw/source/uibase/config/StoredChapterNumbering.cxx +@@ -135,7 +135,7 @@ public: + OUString dummy; // pass in empty HeadingStyleName - can't import anyway + uno::Sequence const ret( + SwXNumberingRules::GetPropertiesForNumFormat( +- *pNumFormat, *pCharStyleName, &dummy)); ++ *pNumFormat, *pCharStyleName, &dummy, "")); + return uno::makeAny(ret); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2019-9850.patch b/SOURCES/CVE-2019-9850.patch new file mode 100644 index 0000000..71209d6 --- /dev/null 
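Review bot: In `SwTextFormatter::NewNumberPortion` (txtfld.cxx) the new referer lookup null-checks `sh1`, `doc` and `sh2` but then dereferences `sh2->GetMedium()` unchecked, and `SwXNumberingRules::GetNumberingRuleByIndex` (unosett.cxx) does the same with `sh->GetMedium()`. `HasName()` presumably implies that a medium exists, but nothing visible here establishes it; `if (auto const med = sh2->GetMedium()) referer = med->GetName();` removes the assumption. The two lookups are near-identical and would be easier to keep in step as one helper. `StoredChapterNumbering.cxx` passes `""` as the referer, so a comment there should state what `GetGraphic` does with an empty referer, since that decides whether a linked bullet graphic is fetched on this path. Both functions continue outside their hunks.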
+++ b/SOURCES/CVE-2019-9850.patch 
@@ -0,0 +1,68 @@ +From 143eedd298113bb20c2807baa49a4c83c2cef70b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 26 Jul 2019 13:25:31 +0100 +Subject: [PATCH 1/3] decode url escape codes and check each path segment + +Change-Id: Ie8f7cef912e8dacbc2a0bca73534a7a242a53ca1 +Reviewed-on: https://gerrit.libreoffice.org/76378 +Reviewed-by: Stephan Bergmann +Tested-by: Jenkins +(cherry picked from commit 7942929685fafb0f9c82feb8da7279e5103c87f0) +Reviewed-on: https://gerrit.libreoffice.org/76451 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + sfx2/source/doc/objmisc.cxx | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 8594e9522e48..7e9288524b34 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -41,6 +41,8 @@ + #include + #include + #include ++#include ++#include + #include + + #include +@@ -1351,7 +1353,33 @@ namespace { + // don't allow LibreLogo to be used with our mouseover/etc dom-alike events + bool UnTrustedScript(const OUString& rScriptURL) + { +- return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); ++ if (!rScriptURL.startsWith("vnd.sun.star.script:")) ++ return false; ++ ++ // ensure URL Escape Codes are decoded ++ css::uno::Reference uri( ++ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())->parse(rScriptURL)); ++ css::uno::Reference sfUri(uri, css::uno::UNO_QUERY); ++ ++ if (!sfUri.is()) ++ return false; ++ ++ // pyuno encodes path separator as | ++ OUString sScript = sfUri->getName().replace('|', '/'); ++ ++ // check if any path portion matches LibreLogo and ban it if it does ++ sal_Int32 nIndex = 0; ++ do ++ { ++ OUString aToken = sScript.getToken(0, '/', nIndex); ++ if (aToken.startsWithIgnoreAsciiCase("LibreLogo")) ++ { ++ return true; ++ } ++ } ++ while (nIndex >= 0); ++ ++ return false; + } + + } +-- +2.21.0 
+
diff --git a/SOURCES/CVE-2019-9851.patch b/SOURCES/CVE-2019-9851.patch
new file mode 100644
index 0000000..82736c7
--- /dev/null
+++ b/SOURCES/CVE-2019-9851.patch
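Review bot: The rewritten `UnTrustedScript` fails open in two places: the scheme test went from `startsWithIgnoreAsciiCase` to the case-sensitive `startsWith("vnd.sun.star.script:")`, and `if (!sfUri.is()) return false;` reports as trusted a URL that carries the script scheme but does not parse as a script URL. Whether the dispatcher accepts a differently-cased scheme is not visible in this hunk, but a deny-list should not depend on that; I would keep `startsWithIgnoreAsciiCase("vnd.sun.star.script:")` and use `if (!sfUri.is()) return true;`. The comment above the function still describes only the old prefix check and should say that the decoded name is split on `/` and `|` and every segment is compared.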
@@ -0,0 +1,99 @@ +From 292fe2f32df0e9096e63383eb45924eceb2179db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 23 Jul 2019 15:31:05 +0100 +Subject: [PATCH 2/3] expand LibreLogo check to global events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-on: https://gerrit.libreoffice.org/76189 +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 4a66c7eda6ccde26a42c4e31725248c59940255d) + +Change-Id: I7f436983ba0eb4b76b02d08ee52626e54b103d5f +Reviewed-on: https://gerrit.libreoffice.org/76305 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + include/sfx2/objsh.hxx | 2 ++ + sfx2/source/doc/objmisc.cxx | 6 +----- + sfx2/source/notify/eventsupplier.cxx | 18 ++++++++++++------ + 3 files changed, 15 insertions(+), 11 deletions(-) + +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index d04758567c80..ed09fc6e2acb 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -404,6 +404,8 @@ public: + */ + bool AdjustMacroMode(); + ++ static bool UnTrustedScript(const OUString& rScriptURL); ++ + SvKeyValueIterator* GetHeaderAttributes(); + void ClearHeaderAttributesForSourceViewHack(); + void SetHeaderAttributesForSourceViewHack(); +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 7e9288524b34..9b82742302ab 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1348,10 +1348,8 @@ namespace + } + } + +-namespace { +- + // don't allow LibreLogo to be used with our mouseover/etc dom-alike events +-bool UnTrustedScript(const OUString& rScriptURL) ++bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) + { + if (!rScriptURL.startsWith("vnd.sun.star.script:")) + return false; +@@ -1382,8 +1380,6 @@ bool UnTrustedScript(const OUString& rScriptURL) + return false; + } + +-} +- + ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& 
_rxScriptContext, const OUString& _rScriptURL, + const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) + { +diff --git a/sfx2/source/notify/eventsupplier.cxx b/sfx2/source/notify/eventsupplier.cxx +index 78667a1d8036..2656e9c213ec 100644 +--- a/sfx2/source/notify/eventsupplier.cxx ++++ b/sfx2/source/notify/eventsupplier.cxx +@@ -207,18 +207,24 @@ void SfxEvents_Impl::Execute( uno::Any const & aEventData, const document::Docum + else if (aType == "Service" || + aType == "Script") + { +- if ( !aScript.isEmpty() ) ++ bool bAllowed = false; ++ util::URL aURL; ++ if (!aScript.isEmpty()) + { +- SfxViewFrame* pView = pDoc ? +- SfxViewFrame::GetFirst( pDoc ) : +- SfxViewFrame::Current(); +- + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( ::comphelper::getProcessComponentContext() ) ); + +- util::URL aURL; + aURL.Complete = aScript; + xTrans->parseStrict( aURL ); + ++ bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete); ++ } ++ ++ if (bAllowed) ++ { ++ SfxViewFrame* pView = pDoc ? ++ SfxViewFrame::GetFirst( pDoc ) : ++ SfxViewFrame::Current(); ++ + uno::Reference + < frame::XDispatchProvider > xProv; + +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9852.patch b/SOURCES/CVE-2019-9852.patch new file mode 100644 index 0000000..2333556 --- /dev/null +++ b/SOURCES/CVE-2019-9852.patch 
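Review bot: `UnTrustedScript` becomes a public static member of `SfxObjectShell` in objsh.hxx with no documentation, and its polarity is easy to misread at the new call site `bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete);`. I would add a header comment such as `/// Returns true if rScriptURL names a script that must never be run from document or global event bindings (currently LibreLogo).` and update the `mouseover/etc dom-alike events` comment in objmisc.cxx, which no longer matches the wider use. In `SfxEvents_Impl::Execute` a refused script is dropped without any trace; a `SAL_WARN` on the refusal path would let support and incident responders see that a document tried to bind one. `Execute` continues outside the hunk.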
@@ -0,0 +1,39 @@ +From 3a827091172b9ce3982323b838ed55d896d585d4 Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Sat, 3 Aug 2019 16:37:48 +0100 +Subject: [PATCH 3/3] keep name percent-encoded +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I470c4b24192c3e3c9b556a9bbb3b084359e0033b +Reviewed-on: https://gerrit.libreoffice.org/77006 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 315c51731384230194af26b86a976bf5d06c9dcc) +Reviewed-on: https://gerrit.libreoffice.org/77090 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + scripting/source/pyprov/pythonscript.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py +index f1b2bfc75ee3..64e1337d642e 100644 +--- a/scripting/source/pyprov/pythonscript.py ++++ b/scripting/source/pyprov/pythonscript.py +@@ -219,7 +219,9 @@ class MyUriHelper: + + # path to the .py file + "$functionname, arguments, etc + xStorageUri = self.m_uriRefFac.parse(scriptURI) +- sStorageUri = xStorageUri.getName().replace( "|", "/" ); ++ # getName will apply url-decoding to the name, so encode back ++ sStorageUri = xStorageUri.getName().replace("%", "%25") ++ sStorageUri = sStorageUri.replace( "|", "/" ) + + # path to the .py file, relative to the base + sFileUri = sStorageUri[0:sStorageUri.find("$")] +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9853.patch b/SOURCES/CVE-2019-9853.patch new file mode 100644 index 0000000..c56ef4c --- /dev/null +++ b/SOURCES/CVE-2019-9853.patch 
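Review bot: Only `%` is re-escaped after `getName()` has decoded the name, so a `|`, `/` or `$` that arrived percent-encoded is from here on indistinguishable from a literal one; the following `replace( "|", "/" )` and the `find("$")` split treat it as structure. If that is intended, the comment should say so and name the check that makes it safe, e.g. `# only '%' is re-encoded; decoded separators are caught by the base-uri containment check below`; presumably that check exists further down, but it is not visible in this hunk. Otherwise the name should be split into file and function parts before it is decoded. The enclosing method starts and ends outside the hunk.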
@@ -0,0 +1,89 @@ +From 2c71565673c4750732c7e507d2aaf9c3b1f679df Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Tue, 6 Aug 2019 13:29:22 +0200 +Subject: [PATCH] Properly obtain location +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8 +Reviewed-on: https://gerrit.libreoffice.org/77019 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42) +Reviewed-on: https://gerrit.libreoffice.org/77024 +Reviewed-by: Caolán McNamara +Reviewed-by: Michael Stahl +Reviewed-by: Christian Lohmaier +Tested-by: Christian Lohmaier +--- + .../source/protocolhandler/scripthandler.cxx | 9 ++++++-- + sfx2/source/doc/objmisc.cxx | 21 +++++++++++-------- + 2 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx +index cd82b19..1bc577b 100644 +--- a/scripting/source/protocolhandler/scripthandler.cxx ++++ b/scripting/source/protocolhandler/scripthandler.cxx +@@ -51,6 +51,7 @@ + #include "com/sun/star/uri/XUriReference.hpp" + #include "com/sun/star/uri/UriReferenceFactory.hpp" + #include "com/sun/star/uri/XVndSunStarScriptUrl.hpp" ++#include + + #include + +@@ -146,8 +147,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification( + { + try + { +- bool bIsDocumentScript = ( aURL.Complete.indexOf( "document" ) !=-1 ); +- // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it? 
++ css::uno::Reference urifac( ++ css::uri::UriReferenceFactory::create(m_xContext)); ++ css::uno::Reference uri( ++ urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW); ++ auto const loc = uri->getParameter("location"); ++ bool bIsDocumentScript = loc == "document"; + + if ( bIsDocumentScript ) + { +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 24d131a..87580cb 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1462,19 +1462,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon + OSL_TRACE( "in CallXScript" ); + ErrCode nErr = ERRCODE_NONE; + +- bool bIsDocumentScript = ( _rScriptURL.indexOf( "location=document" ) >= 0 ); +- // TODO: we should parse the URL, and check whether there is a parameter with this name. +- // Otherwise, we might find too much. +- if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) +- return ERRCODE_IO_ACCESSDENIED; +- +- if ( UnTrustedScript(_rScriptURL) ) +- return ERRCODE_IO_ACCESSDENIED; +- + bool bCaughtException = false; + Any aException; + try + { ++ css::uno::Reference urifac( ++ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())); ++ css::uno::Reference uri( ++ urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW); ++ auto const loc = uri->getParameter("location"); ++ bool bIsDocumentScript = loc == "document"; ++ if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ ++ if ( UnTrustedScript(_rScriptURL) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ + // obtain/create a script provider + Reference< provider::XScriptProvider > xScriptProvider; + Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY ); +-- +2.20.1 + diff --git a/SOURCES/CVE-2019-9854.patch b/SOURCES/CVE-2019-9854.patch new file mode 100644 index 0000000..0d7d3c4 --- /dev/null +++ b/SOURCES/CVE-2019-9854.patch 
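Review bot: `bool bIsDocumentScript = loc == "document";` is an exact, case-sensitive match in both scripthandler.cxx and `SfxObjectShell::CallXScript`, so the macro-security gate `lcl_isScriptAccessAllowed_nothrow` is reached only for that one spelling. That is safe only if the script provider resolves the `location` parameter by the same rule; the provider is not visible here, so this should be confirmed and stated in a comment next to the comparison. In `CallXScript` both checks now sit inside the `try` block and `UNO_QUERY_THROW` throws on a URL that does not parse, so the outcome for malformed input depends on catch handlers outside the hunk; a test that such a URL is refused rather than passed on would pin that down. The parsing is duplicated in the two files and could be one shared helper.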
@@ -0,0 +1,86 @@ +From f107a8c90168124462ddd00db015810081d4be2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 12 Aug 2019 20:32:54 +0100 +Subject: [PATCH 1/2] construct final url from parsed output +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ifd733625a439685ad307603eb2b00bf463eb9ca9 +Reviewed-on: https://gerrit.libreoffice.org/77373 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 87959e5deea6d33cd35dbb3b8423056f9566710e) +Reviewed-on: https://gerrit.libreoffice.org/77377 +(cherry picked from commit c03acb9b8a97254cfcf7c45ef920b93b7f1dd344) + +an absolute uri is invalid input + +Change-Id: I392be4282be8ed67e3451b28d2c9f22acd4c87fc +Reviewed-on: https://gerrit.libreoffice.org/77564 +Reviewed-by: Stephan Bergmann +Tested-by: Stephan Bergmann +(cherry picked from commit 3c076e54f736980e208f5c27ecf179aa90aea103) +Reviewed-on: https://gerrit.libreoffice.org/77572 +Tested-by: Jenkins +(cherry picked from commit 5445f7ffd09e891b220dabb19cd013bcf591fc08) + +Improve check for absolute URI + +Change-Id: I4dee44832107f72f8f3fb68554428dc1e646c346 +Reviewed-on: https://gerrit.libreoffice.org/77706 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit c79efeb66f7951305d0334bc288aee1c571a8728) +Reviewed-on: https://gerrit.libreoffice.org/77724 +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 52f7aa318722bd17c77ee5c4fa8307936e7b53af) +--- + scripting/source/pyprov/pythonscript.py | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py +index 64e1337d642e..acb6184bf437 100644 +--- a/scripting/source/pyprov/pythonscript.py ++++ b/scripting/source/pyprov/pythonscript.py +@@ -224,13 +224,24 @@ class MyUriHelper: + sStorageUri = sStorageUri.replace( "|", "/" ) + + # path to the .py file, 
relative to the base +- sFileUri = sStorageUri[0:sStorageUri.find("$")] ++ funcNameStart = sStorageUri.find("$") ++ if funcNameStart != -1: ++ sFileUri = sStorageUri[0:funcNameStart] ++ sFuncName = sStorageUri[funcNameStart+1:] ++ else: ++ sFileUri = sStorageUri ++ + xFileUri = self.m_uriRefFac.parse(sFileUri) + if not xFileUri: + message = "pythonscript: invalid relative uri '" + sFileUri+ "'" + log.debug( message ) + raise RuntimeException( message ) + ++ if not xFileUri.hasRelativePath(): ++ message = "pythonscript: an absolute uri is invalid '" + sFileUri+ "'" ++ log.debug( message ) ++ raise RuntimeException( message ) ++ + # absolute path to the .py file + xAbsScriptUri = self.m_uriRefFac.makeAbsolute(xBaseUri, xFileUri, True, RETAIN) + sAbsScriptUri = xAbsScriptUri.getUriReference() +@@ -241,7 +252,9 @@ class MyUriHelper: + log.debug( message ) + raise RuntimeException( message ) + +- ret = sBaseUri + sStorageUri ++ ret = sAbsScriptUri ++ if funcNameStart != -1: ++ ret = ret + "$" + sFuncName + log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret ) + return ret + except UnoException as e: +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9855.patch b/SOURCES/CVE-2019-9855.patch new file mode 100644 index 0000000..75f64eb --- /dev/null +++ b/SOURCES/CVE-2019-9855.patch 
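Review bot: `sFuncName` is bound only inside `if funcNameStart != -1:` and read again further down under a second copy of the same test, which is easy to break when either branch is edited later. `sFileUri, sSep, sFuncName = sStorageUri.partition("$")` binds all three names unconditionally and lets the tail become `ret = sAbsScriptUri + sSep + sFuncName`, with the same result in both cases. The new `hasRelativePath()` rejection, like the existing invalid-uri branch, puts the raw `sFileUri` into the log and exception text; that value comes from the script URL, so anything consuming these messages should treat it as untrusted. The enclosing method starts and ends outside the hunk.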
@@ -0,0 +1,33 @@ +From 1686c4273b8e0b8218853669e50d4bf405525dde Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Mon, 26 Aug 2019 10:18:09 +0200 +Subject: [PATCH 2/2] Improve check + +Change-Id: I8280a81eef2ced0ff0ace51ea9f094421abafe13 +Reviewed-on: https://gerrit.libreoffice.org/78108 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 761e6dd25782420bf06e4a2ff3205a79b6cbb136) +Reviewed-on: https://gerrit.libreoffice.org/78129 +Reviewed-by: Michael Stahl +(cherry picked from commit ffad51e9e625a22f1efab3da7886baf4134b444f) +--- + sfx2/source/doc/objmisc.cxx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 9b82742302ab..4f2a05909a74 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1370,7 +1370,7 @@ bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) + do + { + OUString aToken = sScript.getToken(0, '/', nIndex); +- if (aToken.startsWithIgnoreAsciiCase("LibreLogo")) ++ if (aToken.startsWithIgnoreAsciiCase("LibreLogo") || aToken.indexOf('~') != -1) + { + return true; + } +-- +2.21.0 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 8176a24..142bac6 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 21%{?libo_prerelease}%{?dist} +Release: 24%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ 
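Review bot: The added `aToken.indexOf('~') != -1` test has no comment and the subject line is only "Improve check", so the reason for refusing every path segment that contains `~` is lost to the next maintainer. Presumably it is there to catch abbreviated short-name forms of a blocked directory name; please confirm and record it, e.g. `// also refuse segments containing '~', which can alias a blocked name in short-name form`. This refuses any script whose path has a `~` in any segment, not only LibreLogo, and the function comment should say so as well. The loop and the function continue outside the hunk.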
@@ -281,6 +281,15 @@ Patch51: 0001-Related-tdf-106577-extend-damage-rect-a-little-for-T.patch Patch52: 0001-Resolves-rhbz-1614419-crash-in-pptx-nss-usage-under-.patch Patch53: 0001-rhbz-1614419-use-workaround-for-PK11_ImportSymKey-fa.patch Patch54: 0001-keep-pyuno-script-processing-below-base-uri.patch +Patch55: CVE-2019-9848.patch +Patch56: CVE-2019-9849.patch +Patch57: CVE-2019-9850.patch +Patch58: CVE-2019-9851.patch +Patch59: CVE-2019-9852.patch +Patch60: CVE-2019-9853.patch +Patch61: CVE-2019-9854.patch +Patch62: CVE-2019-9855.patch +Patch63: 0001-rhbz-1728763-bg-of-blocks-is-black.patch %if 0%{?rhel} # not upstreamed @@ -1490,12 +1499,6 @@ for jar in %{buildroot}%{baseinstdir}/program/classes/*.jar; do esac done -%check -unset WITH_LANG -# work around flawed accessibility check -export JFW_PLUGIN_DO_NOT_CHECK_ACCESSIBILITY="1" -export OOO_TEST_SOFFICE=path:%{buildroot}%{baseinstdir}/program/soffice -# timeout -k 2m 2h make smoketest.subsequentcheck # we don't need this anymore rm -f %{buildroot}%{baseinstdir}/program/classes/smoketest.jar @@ -2349,6 +2352,16 @@ done %{_includedir}/LibreOfficeKit %changelog +* Tue Oct 29 2019 Caolán McNamara - 1:5.3.6.1-24 +- Resolves: rhbz#1728763 bg of blocks is black + +* Mon Sep 09 2019 Caolán McNamara - 1:5.3.6.1-23 +- Resolves: rhbz#1601372 libreoffice fails to build with --nocheck + +* Fri Sep 06 2019 Caolán McNamara - 1:5.3.6.1-22 +- Resolves: rhbz#1743962 CVE-2019-9848 +- Resolves: rhbz#1743954 CVE-2019-9849 + * Thu Feb 21 2019 Caolán McNamara - 1:5.3.6.1-21 - Resolves: rhbz#1066844 drop libreofficekit requires
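Review bot: The changelog entry added for release 22 names only CVE-2019-9848 and CVE-2019-9849, while the `Patch57` to `Patch62` lines in the `@@ -281,6 +281,15 @@` hunk also bring in the fixes for CVE-2019-9850 through CVE-2019-9855. Tooling and auditors that read the RPM changelog to decide whether a CVE is fixed will miss those six, so each should get its own `- Resolves:` line. No `%patch55` to `%patch63` lines appear in this diff; presumably the spec applies numbered patches automatically, which is worth confirming because a declared but unapplied patch ships the unfixed code. The `%check` section is removed outright rather than made conditional, and the smoke test it held was already commented out, so nothing in this build exercises the patched script-URL handling.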