diff --git a/SOURCES/0001-keep-pyuno-script-processing-below-base-uri.patch b/SOURCES/0001-keep-pyuno-script-processing-below-base-uri.patch
new file mode 100644
index 0000000..3cfce72
--- /dev/null
+++ b/SOURCES/0001-keep-pyuno-script-processing-below-base-uri.patch
@@ -0,0 +1,70 @@
+From 14c85889616de301e3a214c49fff2e6da3327d1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Thu, 18 Oct 2018 20:39:23 +0100
+Subject: [PATCH] keep pyuno script processing below base uri
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Icc13fb7193fb1e7c50e0df286161a10b4ed636c7
+Reviewed-on: https://gerrit.libreoffice.org/61970
+Reviewed-by: Stephan Bergmann
+Reviewed-by: Thorsten Behrens
+Reviewed-by: Michael Stahl
+Reviewed-by: Caolán McNamara
+Tested-by: Caolán McNamara
+---
+ scripting/source/pyprov/pythonscript.py | 30 +++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py
+index 4803d0bebc23..f5aa2173333a 100644
+--- a/scripting/source/pyprov/pythonscript.py
++++ b/scripting/source/pyprov/pythonscript.py
+@@ -25,6 +25,7 @@ import imp
+ import time
+ import ast
+ import platform
++from com.sun.star.uri.RelativeUriExcessParentSegments import RETAIN
+
+ try:
+ unicode
+@@ -212,8 +213,33 @@ class MyUriHelper:
+
+ def scriptURI2StorageUri( self, scriptURI ):
+ try:
+- myUri = self.m_uriRefFac.parse(scriptURI)
+- ret = self.m_baseUri + "/" + myUri.getName().replace( "|", "/" )
++ # base path to the python script location
++ sBaseUri = self.m_baseUri + "/"
++ xBaseUri = self.m_uriRefFac.parse(sBaseUri)
++
++ # path to the .py file + "$functionname, arguments, etc
++ xStorageUri = self.m_uriRefFac.parse(scriptURI)
++ sStorageUri = xStorageUri.getName().replace( "|", "/" );
++
++ # path to the .py file, relative to the base
++ sFileUri = sStorageUri[0:sStorageUri.find("$")]
++ xFileUri = self.m_uriRefFac.parse(sFileUri)
++ if not xFileUri:
++ message = "pythonscript: invalid relative uri '" + sFileUri+ "'"
++ log.debug( message )
++ raise RuntimeException( message )
++
++ # absolute path to the .py file
++ xAbsScriptUri = self.m_uriRefFac.makeAbsolute(xBaseUri, xFileUri, True, RETAIN)
++ sAbsScriptUri = xAbsScriptUri.getUriReference()
++
++ # ensure py file is under the base path
++ if not sAbsScriptUri.startswith(sBaseUri):
++ message = "pythonscript: storage uri '" + sAbsScriptUri + "' not in base uri '" + self.m_baseUri + "'"
++ log.debug( message )
++ raise RuntimeException( message )
++
++ ret = sBaseUri + sStorageUri
+ log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret )
+ return ret
+ except UnoException as e:
+--
+2.20.1
+
diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec
index 6e5ebc9..8176a24 100644
--- a/SPECS/libreoffice.spec
+++ b/SPECS/libreoffice.spec
@@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite
 Name: libreoffice
 Epoch: 1
 Version: %{libo_version}.1
-Release: 19%{?libo_prerelease}%{?dist}
+Release: 21%{?libo_prerelease}%{?dist}
 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0 and CC0
 URL: http://www.libreoffice.org/
@@ -280,6 +280,7 @@ Patch50: 0001-tdf-106577-cairo_mask-pattern-affects-more-surface-t.patch
 Patch51: 0001-Related-tdf-106577-extend-damage-rect-a-little-for-T.patch
 Patch52: 0001-Resolves-rhbz-1614419-crash-in-pptx-nss-usage-under-.patch
 Patch53: 0001-rhbz-1614419-use-workaround-for-PK11_ImportSymKey-fa.patch
+Patch54: 0001-keep-pyuno-script-processing-below-base-uri.patch
 %if 0%{?rhel}
 # not upstreamed
@@ -719,8 +720,6 @@ A plug-in for LibreOffice that enables integration into the KDE desktop environm
 %package -n libreofficekit
 Summary: A library providing access to LibreOffice functionality
-Requires: %{name}-core%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: %{name}-filters%{?_isa} = %{epoch}:%{version}-%{release}
 License: MPLv2.0
 %description -n libreofficekit
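Review bot: In the embedded pythonscript.py patch, `scriptURI2StorageUri` applies the `startswith(sBaseUri)` check to the normalised `sAbsScriptUri` but then returns `sBaseUri + sStorageUri`, the original un-normalised string, so the value that was validated is not the value handed on to whatever opens the file. Any difference between how `makeAbsolute` resolves the path and how the later consumer decodes or resolves it falls outside what the check covers. Building the result from the checked value, for example `ret = sAbsScriptUri + sStorageUri[len(sFileUri):]`, and normalising any percent-encoding before the comparison would keep the two in step. Separately, `sStorageUri.find("$")` returns -1 when the name contains no `$`, so the slice silently drops the last character and a different path is validated than the one requested; that case should be handled explicitly before slicing. Both rejection branches log only through `log.debug`, which probably hides a blocked out-of-base request at default log levels, and the function's `except` handler continues past the end of the hunk.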
@@ -2350,6 +2349,12 @@ done
 %{_includedir}/LibreOfficeKit
 %changelog
+* Thu Feb 21 2019 Caolán McNamara - 1:5.3.6.1-21
+- Resolves: rhbz#1066844 drop libreofficekit requires
+
+* Mon Feb 04 2019 Caolán McNamara - 1:5.3.6.1-20
+- Resolves: rhbz#1672003 CVE-2018-16858
+
 * Fri Aug 10 2018 Caolán McNamara - 1:5.3.6.1-19
 - Resolves: rhbz#1614419 detect PK11_ImportSymKey failure under FIPS