From e0aaad04ddf57f2cd6d77bd23154b41c659a93eb Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Wed, 31 Jul 2019 02:21:50 +0300
Subject: [PATCH] Fix CVE-2019-9848, CVE-2019-9849
---
CVE-2019-9848.patch | 36 +++++++++++
CVE-2019-9849.patch | 141 ++++++++++++++++++++++++++++++++++++++++++++
libreoffice.spec | 5 +-
3 files changed, 181 insertions(+), 1 deletion(-)
create mode 100644 CVE-2019-9848.patch
create mode 100644 CVE-2019-9849.patch
diff --git a/CVE-2019-9848.patch b/CVE-2019-9848.patch
new file mode 100644
index 0000000..960c5c4
--- /dev/null
+++ b/CVE-2019-9848.patch
@@ -0,0 +1,36 @@
+Description: Explictly exclude LibreLogo from XScript usage
+Author: Caolán McNamara
+Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=cb0024e3668979dfdef44db5aa15ddfaf035e695
+Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
+
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index a5e62da8c..02d79c356 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -1347,6 +1347,16 @@ namespace
+ }
+ }
+
++namespace {
++
++// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
++bool UnTrustedScript(const OUString& rScriptURL)
++{
++ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
++}
++
++}
++
+ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,
+ const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )
+ {
+@@ -1359,6 +1369,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
+ if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
+ return ERRCODE_IO_ACCESSDENIED;
+
++ if ( UnTrustedScript(_rScriptURL) )
++ return ERRCODE_IO_ACCESSDENIED;
++
+ bool bCaughtException = false;
+ Any aException;
+ try
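Review bot: The new `UnTrustedScript()` in objmisc.cxx compares the raw `_rScriptURL` against one literal prefix, so it only rejects URLs spelled exactly as `vnd.sun.star.script:LibreLogo` (ASCII case aside). The same string is then passed on to the script machinery, which presumably parses and unescapes it, so the filter and the consumer may disagree about which script the URL names. The comparison should run on the decoded form, e.g. `const OUString sDecoded = INetURLObject::decode(rScriptURL, INetURLObject::DecodeMechanism::WithCharset);` followed by `return sDecoded.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");`, and ideally on the parsed script name rather than a string prefix. The comment speaks of mouseover-style events, but the guard sits in `CallXScript` itself and refuses every caller; a comment such as `// applies to all CallXScript callers, not only document events` would make that intent explicit. The body of `CallXScript` continues outside the hunk.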
diff --git a/CVE-2019-9849.patch b/CVE-2019-9849.patch
new file mode 100644
index 0000000..2221cae
--- /dev/null
+++ b/CVE-2019-9849.patch
@@ -0,0 +1,141 @@
+Description: More uses of referer URL with SvxBrushItem
+Author: Stephan Bergmann
+Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=b518882de8213ef71a8003f95fbdf7689069c06d
+Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849/
+
+diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx
+index 295eb06fe..185b5bcb4 100644
+--- a/sw/inc/unosett.hxx
++++ b/sw/inc/unosett.hxx
+@@ -210,7 +210,7 @@ public:
+
+ static css::uno::Sequence GetPropertiesForNumFormat(
+ const SwNumFormat& rFormat, OUString const& rCharFormatName,
+- OUString const* pHeadingStyleName);
++ OUString const* pHeadingStyleName, OUString const & referer);
+ static void SetPropertiesToNumFormat(
+ SwNumFormat & aFormat,
+ OUString & rCharStyleName,
+diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx
+index 777165819..b29cee3b5 100644
+--- a/sw/source/core/text/porfld.cxx
++++ b/sw/source/core/text/porfld.cxx
+@@ -755,7 +755,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet,
+
+ SwGrfNumPortion::SwGrfNumPortion(
+ const OUString& rGraphicFollowedBy,
+- const SvxBrushItem* pGrfBrush,
++ const SvxBrushItem* pGrfBrush, OUString const & referer,
+ const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize,
+ const bool bLft, const bool bCntr, const sal_uInt16 nMinDst,
+ const bool bLabelAlignmentPosAndSpaceModeActive ) :
+@@ -769,7 +769,7 @@ SwGrfNumPortion::SwGrfNumPortion(
+ if( pGrfBrush )
+ {
+ *pBrush = *pGrfBrush;
+- const Graphic* pGraph = pGrfBrush->GetGraphic();
++ const Graphic* pGraph = pGrfBrush->GetGraphic(referer);
+ if( pGraph )
+ SetAnimated( pGraph->IsAnimated() );
+ else
+diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx
+index 38fc08993..4ecf25e7d 100644
+--- a/sw/source/core/text/porfld.hxx
++++ b/sw/source/core/text/porfld.hxx
+@@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion
+ public:
+ SwGrfNumPortion( const OUString& rGraphicFollowedBy,
+ const SvxBrushItem* pGrfBrush,
++ OUString const & referer,
+ const SwFormatVertOrient* pGrfOrient,
+ const Size& rGrfSize,
+ const bool bLeft,
+diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx
+index 6b2b93886..14e396869 100644
+--- a/sw/source/core/text/txtfld.cxx
++++ b/sw/source/core/text/txtfld.cxx
+@@ -52,6 +52,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ static bool lcl_IsInBody( SwFrame const *pFrame )
+@@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con
+
+ if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() )
+ {
++ OUString referer;
++ if (auto const sh1 = rInf.GetVsh()) {
++ if (auto const doc = sh1->GetDoc()) {
++ auto const sh2 = doc->GetPersist();
++ if (sh2 != nullptr && sh2->HasName()) {
++ referer = sh2->GetMedium()->GetName();
++ }
++ }
++ }
+ pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(),
+- rNumFormat.GetBrush(),
++ rNumFormat.GetBrush(), referer,
+ rNumFormat.GetGraphicOrientation(),
+ rNumFormat.GetGraphicSize(),
+ bLeft, bCenter, nMinDist,
+diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx
+index f7376b936..218afbdd9 100644
+--- a/sw/source/core/unocore/unosett.cxx
++++ b/sw/source/core/unocore/unosett.cxx
+@@ -57,6 +57,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1316,13 +1317,21 @@ uno::Sequence SwXNumberingRules::GetNumberingRuleByIndex(
+ SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl);
+ }
+
+- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr);
++ OUString referer;
++ if (pDoc != nullptr) {
++ auto const sh = pDoc->GetPersist();
++ if (sh != nullptr && sh->HasName()) {
++ referer = sh->GetMedium()->GetName();
++ }
++ }
++ return GetPropertiesForNumFormat(
++ rFormat, CharStyleName, pDocShell ?
& aUString : nullptr, referer); + + } + + uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat( + const SwNumFormat& rFormat, OUString const& rCharFormatName, +- OUString const*const pHeadingStyleName) ++ OUString const*const pHeadingStyleName, OUString const & referer) + { + bool bChapterNum = pHeadingStyleName != nullptr; + +@@ -1454,7 +1463,7 @@ uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat + //graphicbitmap + const Graphic* pGraphic = nullptr; + if(pBrush ) +- pGraphic = pBrush->GetGraphic(); ++ pGraphic = pBrush->GetGraphic(referer); + if(pGraphic) + { + uno::Reference xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() ); +diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx +index c575863f0..b972ec5ed 100644 +--- a/sw/source/uibase/config/StoredChapterNumbering.cxx ++++ b/sw/source/uibase/config/StoredChapterNumbering.cxx +@@ -129,7 +129,7 @@ public: + OUString dummy; // pass in empty HeadingStyleName - can't import anyway + uno::Sequence const ret( + SwXNumberingRules::GetPropertiesForNumFormat( +- *pNumFormat, *pCharStyleName, &dummy)); ++ *pNumFormat, *pCharStyleName, &dummy, "")); + return uno::makeAny(ret); + } + diff --git a/libreoffice.spec b/libreoffice.spec index d5b6614..61bc8ad 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -42,7 +42,7 @@ Summary: Office suite Name: libreoffice Epoch: 1 Version: 6.0.7 -Release: 2 +Release: 3 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic Group: Office Url: http://www.libreoffice.org @@ -98,6 +98,9 @@ Patch104: libreoffice-5.1.2.2-desktop-startcenter-nomate.patch # Use breeze icons theme as fallback instead of tango Patch105: libreoffice-5.4.3.1-breeze-fallback-theme.patch +Patch110: CVE-2019-9848.patch +Patch111: CVE-2019-9849.patch + BuildRequires: bison BuildRequires: bsh %if %{with ccache}
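Review bot: `referer` is left empty whenever the shell, document or persist object is missing or the document has no name (txtfld.cxx `NewNumberPortion`, unosett.cxx `GetNumberingRuleByIndex`), and StoredChapterNumbering.cxx passes `""` outright, so on those paths `GetGraphic(referer)` has no origin to evaluate. How `GetGraphic` treats an empty referer is not visible in this patch; if empty means "no restriction", unnamed documents bypass the new check, so each site should say what is intended, e.g. `// referer stays empty for unnamed documents; confirm GetGraphic() handles that as intended`. The derivation of `referer` from `GetPersist()`/`HasName()`/`GetMedium()->GetName()` is written out twice and would be safer as one shared helper, so the two call sites cannot drift apart. Both copies also dereference `GetMedium()` without a null check, relying on `HasName()` to imply that a medium exists.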
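Review bot: `Patch110` and `Patch111` are declared in the second libreoffice.spec hunk, but no matching `%patch110 -p1` / `%patch111 -p1` lines appear in this commit, so the fixes reach the build only if `%prep` applies patches automatically (for example through `%autopatch`), which is not visible here. That is worth confirming, because a patch that is declared but never applied would ship a release marked as fixed with the code unchanged. The neighbouring patches carry a one-line comment; a line such as `# CVE-2019-9848: reject LibreLogo script URLs in CallXScript (upstream cb0024e3)` above each new entry would match that style and record the provenance.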