diff --git a/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch new file mode 100644 index 0000000..9df483c --- /dev/null +++ b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch @@ -0,0 +1,69 @@ +From 6167f5815aefa78a70517c8e2acbdd7b9c9be27d Mon Sep 17 00:00:00 2001 +Message-ID: <6167f5815aefa78a70517c8e2acbdd7b9c9be27d.1703003067.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 14:20:07 +0000 +Subject: [PATCH] escape url passed to gstreamer +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159583 + +erAck: backported to 7.1.8.1 + +--- + avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0001-escape-url-passed-to-gstreamer.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0001-escape-url-passed-to-gstreamer.patch" + +diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx +index ece799d87530..25170a296e66 100644 +--- a/avmedia/source/gstreamer/gstframegrabber.cxx ++++ b/avmedia/source/gstreamer/gstframegrabber.cxx +@@ -51,11 +51,9 @@ void FrameGrabber::disposePipeline() + FrameGrabber::FrameGrabber( const OUString &rURL ) : + FrameGrabber_BASE() + { +- gchar *pPipelineStr; +- pPipelineStr = g_strdup_printf( +- "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink " +- "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"", +- OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() ); ++ const char pPipelineStr[] = ++ "uridecodebin name=source ! videoconvert ! videoscale ! appsink " ++ "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\""; + + GError *pError = nullptr; + mpPipeline = gst_parse_launch( pPipelineStr, &pError ); +@@ -66,6 +64,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) : + } + + if( mpPipeline ) { ++ ++ if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source")) ++ g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr); ++ else ++ g_warning("Missing 'source' element in gstreamer pipeline"); ++ + // pre-roll + switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) { + case GST_STATE_CHANGE_FAILURE: + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch new file mode 100644 index 0000000..22947a9 --- /dev/null +++ b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch @@ -0,0 +1,93 @@ +From 37d73a1ab94b43e03866d5a910cb58331543b8c3 Mon Sep 17 00:00:00 2001 +Message-ID: <37d73a1ab94b43e03866d5a910cb58331543b8c3.1703086247.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 17:14:26 +0000 +Subject: [PATCH] add some protocols that don't make sense as floating frame + targets +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900 +Reviewed-by: Michael Stahl +(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159582 + +erAck: backported to 7.1.8.1 + +--- + include/tools/urlobj.hxx | 5 +++++ + sfx2/source/doc/iframe.cxx | 5 ++++- + tools/source/fsys/urlobj.cxx | 8 ++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch" + +diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx +index 9d6820ddf241..dfd658722826 100644 +--- a/include/tools/urlobj.hxx ++++ b/include/tools/urlobj.hxx +@@ -915,6 +915,11 @@ public: + + void changeScheme(INetProtocol eTargetScheme); + ++ // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot, ++ // vnd.sun.star.script, etc. All the types of URLs which shouldn't ++ // be accepted from an outside controlled source ++ bool IsExoticProtocol() const; ++ + private: + // General Structure: + +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index 150218b436e9..b81ce82fd32e 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -168,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load( + xTrans->parseStrict( aTargetURL ); + + INetURLObject aURLObject(aTargetURL.Complete); +- if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script")) ++ if (aURLObject.IsExoticProtocol()) ++ { ++ //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete); + return false; ++ } + + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); +diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx +index 764bb28ef623..2a9f7bc3d7dc 100644 +--- a/tools/source/fsys/urlobj.cxx ++++ b/tools/source/fsys/urlobj.cxx +@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension() + ? aTheExtension : OUString(); + } + ++bool INetURLObject::IsExoticProtocol() const ++{ ++ return m_eScheme == INetProtocol::Slot || ++ m_eScheme == INetProtocol::Macro || ++ m_eScheme == INetProtocol::Uno || ++ isSchemeEqualTo(u"vnd.sun.star.script"); ++} ++ + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch new file mode 100644 index 0000000..e7aca7f --- /dev/null +++ b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch @@ -0,0 +1,87 @@ +From 99b453dfac5ed44a02c6e1a51b871ee50709a405 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Sat, 4 Nov 2023 19:57:51 +0000 +Subject: [PATCH] warn about exotic protocols as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034 +Reviewed-by: Eike Rathke +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881 +Reviewed-by: Miklos Vajna +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911 +Reviewed-by: Michael Stahl + +erAck: backported to 6.4.7.2 + +--- + sw/source/filter/html/htmlplug.cxx | 2 +- + sw/source/filter/xml/xmltexti.cxx | 2 +- + tools/source/fsys/urlobj.cxx | 3 ++- + xmloff/source/draw/ximpshap.cxx | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx +index eb70704..112975f 100644 +--- a/sw/source/filter/html/htmlplug.cxx ++++ b/sw/source/filter/html/htmlplug.cxx +@@ -1089,7 +1089,7 @@ void SwHTMLParser::InsertFloatingFrame() + + OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); + +- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(sHRef).IsExoticProtocol()) + NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); +diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx +index 72a14b9..e015575 100644 +--- a/sw/source/filter/xml/xmltexti.cxx ++++ b/sw/source/filter/xml/xmltexti.cxx +@@ -856,7 +856,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra + OUString sHRef = URIHelper::SmartRel2Abs( + INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ); + +- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(sHRef).IsExoticProtocol()) + GetXMLImport().NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", +diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx +index ab6e885..1ef2b7e 100644 +--- a/tools/source/fsys/urlobj.cxx ++++ b/tools/source/fsys/urlobj.cxx +@@ -4776,7 +4776,8 @@ bool INetURLObject::IsExoticProtocol() const + return m_eScheme == INetProtocol::Slot || + m_eScheme == INetProtocol::Macro || + m_eScheme == INetProtocol::Uno || +- isSchemeEqualTo(u"vnd.sun.star.script"); ++ isSchemeEqualTo(u"vnd.sun.star.script") || ++ isSchemeEqualTo(u"service"); + } + + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ +diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx +index bd5f30a..b58da79 100644 +--- a/xmloff/source/draw/ximpshap.cxx ++++ b/xmloff/source/draw/ximpshap.cxx +@@ -3269,7 +3269,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs + + if( !maHref.isEmpty() ) + { +- if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(maHref).IsExoticProtocol()) + GetImport().NotifyMacroEventRead(); + + xProps->setPropertyValue("FrameURL", Any(maHref) ); +-- +2.43.0 + diff --git a/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch new file mode 100644 index 0000000..bd7487b --- /dev/null +++ b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch @@ -0,0 +1,225 @@ +From ae89e7b8ae1e781c1a9d8ca2c5d4aeca656932f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 17:26:25 +0000 +Subject: [PATCH] default to ignoring libreoffice special-purpose protocols in + calc hyperlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911 +Tested-by: Jenkins +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045 +Reviewed-by: Eike Rathke +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159882 +Tested-by: Miklos Vajna +Reviewed-by: Miklos Vajna +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159912 +Reviewed-by: Michael Stahl + +erAck: backported to 6.4.7.2 + +--- + dbaccess/source/core/dataaccess/ModelImpl.cxx | 3 +- + include/sfx2/docmacromode.hxx | 5 ++- + include/sfx2/objsh.hxx | 3 ++ + sc/source/core/data/global.cxx | 33 ++++++++++++++++++- + sfx2/source/doc/docmacromode.cxx | 8 +++-- + sfx2/source/doc/objmisc.cxx | 8 ++++- + sfx2/source/doc/objxtor.cxx | 1 + + sfx2/source/inc/objshimp.hxx | 3 +- + 8 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx +index 1f11f36..ce4dbae 100644 +--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx ++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx +@@ -1140,7 +1140,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading() + { + Reference< XInteractionHandler > xInteraction; + xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction ); +- return m_aMacroMode.checkMacrosOnLoading( xInteraction ); ++ const bool bHasMacros = m_aMacroMode.hasMacros(); ++ return m_aMacroMode.checkMacrosOnLoading(xInteraction, bHasMacros); + } + + void ODatabaseModelImpl::resetMacroExecutionMode() +diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx +index a15bbbe..98b7d3a 100644 +--- a/include/sfx2/docmacromode.hxx ++++ b/include/sfx2/docmacromode.hxx +@@ -260,6 +260,8 @@ namespace sfx2 + */ + static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage ); + ++ bool hasMacros() const; ++ + static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainter ); + /** checks the macro execution mode while loading the document. + +@@ -286,7 +288,8 @@ namespace sfx2 + */ + bool + checkMacrosOnLoading( +- const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction ++ const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction, ++ bool bHasMacros + ); + + private: +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index 2a56ebe..43df460 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -418,6 +418,9 @@ public: + void SetMacroCallsSeenWhileLoading(); + bool GetMacroCallsSeenWhileLoading() const; + ++ // true if the document had macros (or similar) on load to trigger warning user ++ bool GetHadCheckedMacrosOnLoad() const; ++ + const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const; + bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo ); + +diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx +index 050fd82..92d50c4 100644 +--- a/sc/source/core/data/global.cxx ++++ b/sc/source/core/data/global.cxx +@@ -26,7 +26,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -789,7 +791,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + + OUString aUrlName( rURL ); + SfxViewFrame* pFrame = nullptr; +- const SfxObjectShell* pObjShell = nullptr; ++ SfxObjectShell* pObjShell = nullptr; + OUString aReferName; + if ( pScActiveViewShell ) + { +@@ -823,6 +825,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + aUrlName = aNewUrlName; + } + ++ if (INetURLObject(aUrlName).IsExoticProtocol()) ++ { ++ // Default to ignoring exotic protocols ++ bool bAllow = false; ++ if (pObjShell) ++ { ++ // If the document had macros when loaded then follow the allowed macro-mode ++ if (pObjShell->GetHadCheckedMacrosOnLoad()) ++ bAllow = pObjShell->AdjustMacroMode(); ++ else // otherwise ask the user, defaulting to cancel ++ { ++ assert(pFrame && "if we have pObjShell we have pFrame"); ++ //Reuse URITools::onOpenURI warning string ++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(), ++ VclMessageType::Warning, VclButtonsType::YesNo, ++ SfxResId(STR_DANGEROUS_TO_OPEN))); ++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", ++ INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous))); ++ xQueryBox->set_default_response(RET_NO); ++ bAllow = xQueryBox->run() == RET_YES; ++ } ++ } ++ if (!bAllow) ++ { ++ SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName); ++ return; ++ } ++ } ++ + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); + SfxStringItem aTarget( SID_TARGETNAME, rTarget ); + if ( nScClickMouseModifier & KEY_SHIFT ) // control-click -> into new window +diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx +index 492bd0a..7f1fb2b 100644 +--- a/sfx2/source/doc/docmacromode.cxx ++++ b/sfx2/source/doc/docmacromode.cxx +@@ -391,8 +391,12 @@ namespace sfx2 + return bHasMacros; + } + ++ bool DocumentMacroMode::hasMacros() const ++ { ++ return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading(); ++ } + +- bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction ) ++ bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasMacros ) + { + bool bAllow = false; + if ( SvtSecurityOptions().IsMacroDisabled() ) +@@ -402,7 +406,7 @@ namespace sfx2 + } + else + { +- if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading()) ++ if (bHasMacros) + { + bAllow = adjustMacroMode( rxInteraction ); + } +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 6819404..fac75dd 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -953,9 +953,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl() + CheckEncryption_Impl( xInteraction ); + + // check macro security +- pImpl->aMacroMode.checkMacrosOnLoading( xInteraction ); ++ const bool bHasMacros = pImpl->aMacroMode.hasMacros(); ++ pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasMacros ); ++ pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros; + } + ++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const ++{ ++ return pImpl->m_bHadCheckedMacrosOnLoad; ++} + + void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler ) + { +diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx +index 510c35d..a707bb7 100644 +--- a/sfx2/source/doc/objxtor.cxx ++++ b/sfx2/source/doc/objxtor.cxx +@@ -237,6 +237,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell ) + ,m_bAllowShareControlFileClean( true ) + ,m_bConfigOptionsChecked( false ) + ,m_bMacroCallsSeenWhileLoading( false ) ++ ,m_bHadCheckedMacrosOnLoad( false ) + ,lErr(ERRCODE_NONE) + ,nEventId ( SfxEventHintId::NONE ) + ,nLoadedFlags ( SfxLoadedFlags::ALL ) +diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx +index 3d7b0b6..4afdd70 100644 +--- a/sfx2/source/inc/objshimp.hxx ++++ b/sfx2/source/inc/objshimp.hxx +@@ -91,7 +91,8 @@ struct SfxObjectShell_Impl : public ::sfx2::IMacroDocumentAccess + m_bSharedXMLFlag:1, // whether the document should be edited in shared mode + m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file + m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed. +- m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed. ++ m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document. ++ m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded + + IndexBitSet aBitSet; + ErrCode lErr; +-- +2.43.0 + diff --git a/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch new file mode 100644 index 0000000..b454135 --- /dev/null +++ b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch @@ -0,0 +1,281 @@ +From 6a69b533227ae22d97824317f14dfa6991959101 Mon Sep 17 00:00:00 2001 +Message-ID: <6a69b533227ae22d97824317f14dfa6991959101.1703086328.git.erack@redhat.com> +In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 15 Nov 2023 11:39:24 +0000 +Subject: [PATCH 3/4] reuse AllowedLinkProtocolFromDocument in writer +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +reorg calc hyperlink check to reuse elsewhere + +Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75) + +reuse AllowedLinkProtocolFromDocument in writer + +Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d) + +combine these hyperlink dispatchers into one call + +Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb) + +we can have just one LoadURL for writer + +Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Miklos Vajna +(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883 +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159913 +Reviewed-by: Michael Stahl +Reviewed-by: Eike Rathke +--- + include/sfx2/objsh.hxx | 7 +++-- + sc/source/core/data/global.cxx | 32 ++--------------------- + sfx2/source/doc/objmisc.cxx | 27 ++++++++++++++++++++ + sw/source/uibase/shells/drwtxtex.cxx | 8 ++---- + sw/source/uibase/wrtsh/wrtsh2.cxx | 38 ++++++++++++++++++---------- + 5 files changed, 60 insertions(+), 52 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch" + +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index fde0dba3d7c9..79f22c978dcb 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -200,6 +200,9 @@ private: + + SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet ); + ++ // true if the document had macros (or similar) on load to trigger warning user ++ SAL_DLLPRIVATE bool GetHadCheckedMacrosOnLoad() const; ++ + protected: + SfxObjectShell(SfxObjectCreateMode); + SfxObjectShell(SfxModelFlags); // see sfxmodelfactory.hxx +@@ -427,8 +430,8 @@ public: + void SetMacroCallsSeenWhileLoading(); + bool GetMacroCallsSeenWhileLoading() const; + +- // true if the document had macros (or similar) on load to trigger warning user +- bool GetHadCheckedMacrosOnLoad() const; ++ // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc ++ static bool AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent); + + const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const; + bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo ); +diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx +index 92caea1ea459..27c5a51a46c1 100644 +--- a/sc/source/core/data/global.cxx ++++ b/sc/source/core/data/global.cxx +@@ -29,9 +29,7 @@ + #include + #include + #include +-#include + #include +-#include + #include + #include + #include +@@ -856,34 +854,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + aUrlName = aNewUrlName; + } + +- if (INetURLObject(aUrlName).IsExoticProtocol()) +- { +- // Default to ignoring exotic protocols +- bool bAllow = false; +- if (pObjShell) +- { +- // If the document had macros when loaded then follow the allowed macro-mode +- if (pObjShell->GetHadCheckedMacrosOnLoad()) +- bAllow = pObjShell->AdjustMacroMode(); +- else // otherwise ask the user, defaulting to cancel +- { +- assert(pFrame && "if we have pObjShell we have pFrame"); +- //Reuse URITools::onOpenURI warning string +- std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(), +- VclMessageType::Warning, VclButtonsType::YesNo, +- SfxResId(STR_DANGEROUS_TO_OPEN))); +- xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", +- INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous))); +- xQueryBox->set_default_response(RET_NO); +- bAllow = xQueryBox->run() == RET_YES; +- } +- } +- if (!bAllow) +- { +- SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName); +- return; +- } +- } ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr)) ++ return; + + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); + SfxStringItem aTarget( SID_TARGETNAME, rTarget ); +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index ddf95eeafe5e..8c76c3f0f4d6 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -962,6 +962,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const + return pImpl->m_bHadCheckedMacrosOnLoad; + } + ++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent) ++{ ++ if (!INetURLObject(rUrl).IsExoticProtocol()) ++ return true; ++ // Default to ignoring exotic protocols ++ bool bAllow = false; ++ if (pObjShell) ++ { ++ // If the document had macros when loaded then follow the allowed macro-mode ++ if (pObjShell->GetHadCheckedMacrosOnLoad()) ++ bAllow = pObjShell->AdjustMacroMode(); ++ else // otherwise ask the user, defaulting to cancel ++ { ++ //Reuse URITools::onOpenURI warning string ++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pDialogParent, ++ VclMessageType::Warning, VclButtonsType::YesNo, ++ SfxResId(STR_DANGEROUS_TO_OPEN))); ++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", ++ INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous))); ++ xQueryBox->set_default_response(RET_NO); ++ bAllow = xQueryBox->run() == RET_YES; ++ } ++ } ++ SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl); ++ return bAllow; ++} ++ + void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler ) + { + OUString aVersion; +diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx +index c84ee7bd9af4..c51f501841ad 100644 +--- a/sw/source/uibase/shells/drwtxtex.cxx ++++ b/sw/source/uibase/shells/drwtxtex.cxx +@@ -533,12 +533,8 @@ void SwDrawTextShell::Execute( SfxRequest &rReq ) + const SvxFieldData* pField = pOLV->GetFieldAtCursor(); + if (const SvxURLField* pURLField = dynamic_cast(pField)) + { +- SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL()); +- SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame()); +- SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false); +- SfxBoolItem aBrowsing(SID_BROWSE, true); +- GetView().GetViewFrame()->GetDispatcher()->ExecuteList( +- SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing }); ++ ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE, ++ pURLField->GetTargetFrame()); + } + } + break; +diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx +index 1995e7133c4a..d781823e82ec 100644 +--- a/sw/source/uibase/wrtsh/wrtsh2.cxx ++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx +@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter ) + return bRet; + } + +-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, +- const OUString& rTargetFrameName ) ++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter, ++ const OUString& rTargetFrameName) + { +- OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" ); +- if( rURL.isEmpty() ) +- return ; ++ SwDocShell* pDShell = rView.GetDocShell(); ++ OSL_ENSURE( pDShell, "No DocShell?!"); ++ SfxViewFrame* pViewFrame = rView.GetViewFrame(); + +- // The shell could be 0 also!!!!! +- if ( dynamic_cast( &rVSh) == nullptr ) ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld())) + return; + + // We are doing tiledRendering, let the client handles the URL loading, + // unless we are jumping to a TOC mark. + if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#")) + { +- rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr()); ++ rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr()); + return; + } + +- //A CursorShell is always a WrtShell +- SwWrtShell &rSh = static_cast(rVSh); +- +- SwDocShell* pDShell = rSh.GetView().GetDocShell(); +- OSL_ENSURE( pDShell, "No DocShell?!"); + OUString sTargetFrame(rTargetFrameName); + if (sTargetFrame.isEmpty() && pDShell) + { +@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, + OUString sReferer; + if( pDShell && pDShell->GetMedium() ) + sReferer = pDShell->GetMedium()->GetName(); +- SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame(); + SfxFrameItem aView( SID_DOCFRAME, pViewFrame ); + SfxStringItem aName( SID_FILE_NAME, rURL ); + SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame ); +@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, + SfxCallMode::ASYNCHRON|SfxCallMode::RECORD ); + } + ++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, ++ const OUString& rTargetFrameName ) ++{ ++ OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" ); ++ if( rURL.isEmpty() ) ++ return ; ++ ++ // The shell could be 0 also!!!!! ++ if ( dynamic_cast( &rVSh) == nullptr ) ++ return; ++ ++ //A CursorShell is always a WrtShell ++ SwWrtShell &rSh = static_cast(rVSh); ++ ++ ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName); ++} ++ + void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk, + const sal_uInt16 nAction ) + { + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch new file mode 100644 index 0000000..f7564d9 --- /dev/null +++ b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch @@ -0,0 +1,87 @@ +From 62ba88176c10469588e4bbb73cbf33889df08dbc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 22 Nov 2023 21:14:41 +0000 +Subject: [PATCH] reuse AllowedLinkProtocolFromDocument in impress/draw +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759 +Reviewed-by: Michael Stahl +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884 +Reviewed-by: Miklos Vajna +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159914 +Reviewed-by: Eike Rathke + +erAck: backported to 6.4.7.2 + +--- + sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx +index 3d84ddb..8d42653 100644 +--- a/sd/source/ui/app/sdmod1.cxx ++++ b/sd/source/ui/app/sdmod1.cxx +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -193,26 +194,32 @@ void SdModule::Execute(SfxRequest& rReq) + { + bool bIntercept = false; + ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() ); +- if (pDocShell) ++ ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr; ++ if (pViewShell) + { +- ::sd::ViewShell* pViewShell = pDocShell->GetViewShell(); +- if (pViewShell) ++ if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) ) + { +- if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) ) ++ // Prevent documents from opening while the slide ++ // show is running, except when this request comes ++ // from a shape interaction. ++ if (rReq.GetArgs() == nullptr) + { +- // Prevent documents from opening while the slide +- // show is running, except when this request comes +- // from a shape interaction. +- if (rReq.GetArgs() == nullptr) +- { +- bIntercept = true; +- } ++ bIntercept = true; + } + } + } + + if (!bIntercept) + { ++ if (const SfxStringItem* pURLItem = rReq.GetArg(SID_FILE_NAME)) ++ { ++ if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(), ++ pViewShell->GetObjectShell(), ++ pViewShell->GetFrameWeld())) ++ { ++ return; ++ } ++ } + SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface()); + } + else +-- +2.43.0 + diff --git a/SOURCES/0006-CVE-2023-6186-backporting.patch b/SOURCES/0006-CVE-2023-6186-backporting.patch new file mode 100644 index 0000000..ca5ab77 --- /dev/null +++ b/SOURCES/0006-CVE-2023-6186-backporting.patch @@ -0,0 +1,65 @@ +From a255a9c69d35df27e92349ea5bb9cb8d6c46d97f Mon Sep 17 00:00:00 2001 +From: rpmbuild +Date: Fri, 8 Mar 2024 17:51:24 +0100 +Subject: [PATCH] CVE-2023-6186 backporting + +Add dialog text string STR_DANGEROUS_TO_OPEN +as per upstream commit 70009098fd70df021048c540d1796c928554b494 + +SfxViewFrame doesn't have GetFrameWeld() yet, get from Window. +--- + include/sfx2/strings.hrc | 1 + + sc/source/core/data/global.cxx | 4 +++- + sw/source/uibase/wrtsh/wrtsh2.cxx | 2 +- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc +index 1db36e7..29950ba 100644 +--- a/include/sfx2/strings.hrc ++++ b/include/sfx2/strings.hrc +@@ -103,6 +103,7 @@ + #define STR_GB NC_("STR_GB", "GB") + #define STR_QUERY_LASTVERSION NC_("STR_QUERY_LASTVERSION", "Cancel all changes?") + #define STR_NO_WEBBROWSER_FOUND NC_("STR_NO_WEBBROWSER_FOUND", "Opening \"$(ARG1)\" failed with error code $(ARG2) and message: \"$(ARG3)\"\nMaybe no web browser could be found on your system. In that case, please check your Desktop Preferences or install a web browser (for example, Firefox) in the default location requested during the browser installation.") ++#define STR_DANGEROUS_TO_OPEN NC_("STR_DANGEROUS_TO_OPEN", "It might be dangerous to open \"$(ARG1)\".\nDo you really want to open it?") + #define STR_NO_ABS_URI_REF NC_("STR_NO_ABS_URI_REF", "\"$(ARG1)\" is not an absolute URL that can be passed to an external application to open it.") + #define STR_GID_INTERN NC_("STR_GID_INTERN", "Internal") + #define STR_GID_APPLICATION NC_("STR_GID_APPLICATION", "Application") +diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx +index b16be6b..3295a38 100644 +--- a/sc/source/core/data/global.cxx ++++ b/sc/source/core/data/global.cxx +@@ -37,6 +37,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -823,7 +825,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + aUrlName = aNewUrlName; + } + +- if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr)) ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetWindow().GetFrameWeld() : nullptr)) + return; + + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); +diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx +index 41f427a..543644d 100644 +--- a/sw/source/uibase/wrtsh/wrtsh2.cxx ++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx +@@ -495,7 +495,7 @@ static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter, + OSL_ENSURE( pDShell, "No DocShell?!"); + SfxViewFrame* pViewFrame = rView.GetViewFrame(); + +- if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld())) ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetWindow().GetFrameWeld())) + return; + + // We are doing tiledRendering, let the client handles the URL loading, +-- +2.43.0 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 44a5f81..edb18ce 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 15%{?libo_prerelease}%{?dist} +Release: 16%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -293,6 +293,13 @@ Patch49: 0001-set-Referer-on-loading-IFrames.patch Patch50: 0002-put-floating-frames-under-managed-links-control.patch Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch Patch52: 0001-disable-script-dump.patch +Patch53: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch +Patch54: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch +Patch55: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch +Patch56: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch +Patch57: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch +Patch58: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch +Patch59: 0006-CVE-2023-6186-backporting.patch %if 0%{?rhel} # not upstreamed @@ -1051,7 +1058,11 @@ sed -i -e /CppunitTest_sal_osl/d sal/Module_sal.mk sed -i -e /CppunitTest_dbaccess_hsqlbinary_import/d dbaccess/Module_dbaccess.mk sed -i -e /CppunitTest_vcl_svm_test/d vcl/Module_vcl.mk sed -i -e /CustomTarget_uno_test/d testtools/Module_testtools.mk +sed -i -e /CppunitTest_sw_htmlexport/d sw/Module_sw.mk %endif +# Broken with system nss. See also upstream commit ac519af951541b7313a4c98e1bee463bf47356be +sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_ODT);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx +sed -i -e '/^\s*CPPUNIT_TEST(testInsertCertificate_PEM_DOCX);/d' desktop/qa/desktop_lib/test_desktop_lib.cxx git commit -q -a -m 'temporarily disable failing tests' @@ -2295,6 +2306,10 @@ done %{_includedir}/LibreOfficeKit %changelog +* Mon Mar 11 2024 Eike Rathke - 1:6.4.7.2-16 +- Fix CVE-2023-6185 escape url passed to gstreamer +- Fix CVE-2023-6186 check link target protocols + * Mon Jun 19 2023 Stephan Bergmann - 1:6.4.7.2-15 - Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing