Fix CVE-2019-9848, CVE-2019-9849

Mikhail Novosyolov 2019-07-31 02:21:50 +03:00
parent 4656c63abe
commit e0aaad04dd
3 changed files with 181 additions and 1 deletions

36
CVE-2019-9848.patch Normal file

@ -0,0 +1,36 @@
Description: Explictly exclude LibreLogo from XScript usage
Author: Caolán McNamara <caolanm@redhat.com>
Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=cb0024e3668979dfdef44db5aa15ddfaf035e695
Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index a5e62da8c..02d79c356 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1347,6 +1347,16 @@ namespace
}
}
+namespace {
+
+// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
+bool UnTrustedScript(const OUString& rScriptURL)
+{
+ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
+}
+
+}
+
ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,
const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )
{
@@ -1359,6 +1369,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
return ERRCODE_IO_ACCESSDENIED;
+ if ( UnTrustedScript(_rScriptURL) )
+ return ERRCODE_IO_ACCESSDENIED;
+
bool bCaughtException = false;
Any aException;
try
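Review bot: `UnTrustedScript` compares the raw `rScriptURL` text against one literal prefix, so the new early return in `CallXScript` only holds if the URL always arrives in exactly that spelling. Nothing in the visible lines decodes or normalises the URL before the comparison, and the check is a one-entry denylist rather than an allowlist of scripts that document events may run. I would decode the URL before comparing (for instance with `INetURLObject::decode`) or compare against the parsed script name, and record the limitation next to the helper: `// compares the URL as passed in; decode/normalise before relying on this`. The body of `CallXScript` continues past the end of the hunk, so whether the URL is transformed again before dispatch cannot be confirmed from here.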

141
CVE-2019-9849.patch Normal file

@ -0,0 +1,141 @@
Description: More uses of referer URL with SvxBrushItem
Author: Stephan Bergmann <sbergman@redhat.com>
Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=b518882de8213ef71a8003f95fbdf7689069c06d
Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849/
diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx
index 295eb06fe..185b5bcb4 100644
--- a/sw/inc/unosett.hxx
+++ b/sw/inc/unosett.hxx
@@ -210,7 +210,7 @@ public:
static css::uno::Sequence<css::beans::PropertyValue> GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const* pHeadingStyleName);
+ OUString const* pHeadingStyleName, OUString const & referer);
static void SetPropertiesToNumFormat(
SwNumFormat & aFormat,
OUString & rCharStyleName,
diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx
index 777165819..b29cee3b5 100644
--- a/sw/source/core/text/porfld.cxx
+++ b/sw/source/core/text/porfld.cxx
@@ -755,7 +755,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet,
SwGrfNumPortion::SwGrfNumPortion(
const OUString& rGraphicFollowedBy,
- const SvxBrushItem* pGrfBrush,
+ const SvxBrushItem* pGrfBrush, OUString const & referer,
const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize,
const bool bLft, const bool bCntr, const sal_uInt16 nMinDst,
const bool bLabelAlignmentPosAndSpaceModeActive ) :
@@ -769,7 +769,7 @@ SwGrfNumPortion::SwGrfNumPortion(
if( pGrfBrush )
{
*pBrush = *pGrfBrush;
- const Graphic* pGraph = pGrfBrush->GetGraphic();
+ const Graphic* pGraph = pGrfBrush->GetGraphic(referer);
if( pGraph )
SetAnimated( pGraph->IsAnimated() );
else
diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx
index 38fc08993..4ecf25e7d 100644
--- a/sw/source/core/text/porfld.hxx
+++ b/sw/source/core/text/porfld.hxx
@@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion
public:
SwGrfNumPortion( const OUString& rGraphicFollowedBy,
const SvxBrushItem* pGrfBrush,
+ OUString const & referer,
const SwFormatVertOrient* pGrfOrient,
const Size& rGrfSize,
const bool bLeft,
diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx
index 6b2b93886..14e396869 100644
--- a/sw/source/core/text/txtfld.cxx
+++ b/sw/source/core/text/txtfld.cxx
@@ -52,6 +52,7 @@
#include <flddat.hxx>
#include <fmtautofmt.hxx>
#include <IDocumentSettingAccess.hxx>
+#include <sfx2/docfile.hxx>
#include <svl/itemiter.hxx>
static bool lcl_IsInBody( SwFrame const *pFrame )
@@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con
if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() )
{
+ OUString referer;
+ if (auto const sh1 = rInf.GetVsh()) {
+ if (auto const doc = sh1->GetDoc()) {
+ auto const sh2 = doc->GetPersist();
+ if (sh2 != nullptr && sh2->HasName()) {
+ referer = sh2->GetMedium()->GetName();
+ }
+ }
+ }
pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(),
- rNumFormat.GetBrush(),
+ rNumFormat.GetBrush(), referer,
rNumFormat.GetGraphicOrientation(),
rNumFormat.GetGraphicSize(),
bLeft, bCenter, nMinDist,
diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx
index f7376b936..218afbdd9 100644
--- a/sw/source/core/unocore/unosett.cxx
+++ b/sw/source/core/unocore/unosett.cxx
@@ -57,6 +57,7 @@
#include <vcl/font.hxx>
#include <editeng/flstitem.hxx>
#include <vcl/metric.hxx>
+#include <sfx2/docfile.hxx>
#include <svtools/ctrltool.hxx>
#include <vcl/svapp.hxx>
#include <toolkit/helper/vclunohelper.hxx>
@@ -1316,13 +1317,21 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetNumberingRuleByIndex(
SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl);
}
- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr);
+ OUString referer;
+ if (pDoc != nullptr) {
+ auto const sh = pDoc->GetPersist();
+ if (sh != nullptr && sh->HasName()) {
+ referer = sh->GetMedium()->GetName();
+ }
+ }
+ return GetPropertiesForNumFormat(
+ rFormat, CharStyleName, pDocShell ? & aUString : nullptr, referer);
}
uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const*const pHeadingStyleName)
+ OUString const*const pHeadingStyleName, OUString const & referer)
{
bool bChapterNum = pHeadingStyleName != nullptr;
@@ -1454,7 +1463,7 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat
//graphicbitmap
const Graphic* pGraphic = nullptr;
if(pBrush )
- pGraphic = pBrush->GetGraphic();
+ pGraphic = pBrush->GetGraphic(referer);
if(pGraphic)
{
uno::Reference<awt::XBitmap> xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() );
diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx
index c575863f0..b972ec5ed 100644
--- a/sw/source/uibase/config/StoredChapterNumbering.cxx
+++ b/sw/source/uibase/config/StoredChapterNumbering.cxx
@@ -129,7 +129,7 @@ public:
OUString dummy; // pass in empty HeadingStyleName - can't import anyway
uno::Sequence<beans::PropertyValue> const ret(
SwXNumberingRules::GetPropertiesForNumFormat(
- *pNumFormat, *pCharStyleName, &dummy));
+ *pNumFormat, *pCharStyleName, &dummy, ""));
return uno::makeAny(ret);
}
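Review bot: The referer stays an empty string whenever the shell or document is missing or `HasName()` is false (the txtfld.cxx and unosett.cxx hunks), and the StoredChapterNumbering.cxx hunk passes `""` unconditionally, so those paths call `GetGraphic(referer)` with no origin at all. How `GetGraphic` treats an empty referer is not visible in this patch; if empty is treated as trusted, linked bullet graphics in not-yet-saved documents would presumably skip the check this change is meant to enforce. I would state the intent at each site, e.g. `// referer is empty for unnamed documents; GetGraphic() must treat that case deliberately`. Both sites also dereference `GetMedium()` unchecked, apparently relying on `HasName()` implying a medium. The lookup itself is duplicated between the two files, so a small shared helper would keep them from drifting apart.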


@ -42,7 +42,7 @@ Summary: Office suite
Name: libreoffice
Epoch: 1
Version: 6.0.7
Release: 2
Release: 3
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic
Group: Office
Url: http://www.libreoffice.org
@ -98,6 +98,9 @@ Patch104: libreoffice-5.1.2.2-desktop-startcenter-nomate.patch
# Use breeze icons theme as fallback instead of tango
Patch105: libreoffice-5.4.3.1-breeze-fallback-theme.patch
Patch110: CVE-2019-9848.patch
Patch111: CVE-2019-9849.patch
BuildRequires: bison
BuildRequires: bsh
%if %{with ccache}