rpms/libreoffice
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libreoffice-6.0.6.1-20.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 05:33:44 -04:00 committed by Andrew Lukoshko
parent 296c969e44
commit 0a249eb73f
10 changed files with 1014 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

374
SOURCES/0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch Normal file
View File

@ -0,0 +1,374 @@
From 96012f88aac95147ae1fd4834cea5c5bb184d52b Mon Sep 17 00:00:00 2001
From: Khaled Hosny <khaledhosny@eglug.org>
Date: Tue, 27 Aug 2019 15:19:15 +0200
Subject: [PATCH] Make Noto Color Emoji font work on Linux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Noto Color Emoji is a bitmap color font, Cairo knows how to scale such
fonts and FontConfig will identify them as scalable but not outline
fonts, so change the FontConfig checks to checks for scalability.
Make sft.cxx:doOpenTTFont() accept non-outline fonts, the text will not
show in PDF but that is not worse than the status quo.
Reviewed-on: https://gerrit.libreoffice.org/78218
Tested-by: Jenkins
Reviewed-by: Khaled Hosny <khaledhosny@eglug.org>
(cherry picked from commit dcf7792da2aa2a1ef774a124f7b21f68fff0fd15)
Change-Id: I756c718296d2c43e3165cd2f07b11bbb981318d3
Related: rhbz#1648281 improve fontconfig fallback for emojis
disregard text language for emoji and tag with und-zsye to
get fontconfig to give us the default emoji font
Change-Id: I8f94b0c41dea3204c9db77b96ad8f0d98bae2239
ctrl+shift+e emoji ibus engine problems converting UCS-4 positions to UTF-16
e.g. ctrl+shift+e type rabbit then space in writer and the len of underline
is 2 which should encompass the displayed e + 2 UTF-16 units
Change-Id: I424db7dd6cbcc5845922ac17208fed643e672dbd
rework IM underline impl wrt mix of UTF-8/16/32 units
e.g. ctrl+shift+e type boy then space twice in writer. The UTF-32 units
are 0x65 0x1f466 0x1f3fb. The underline should encompass the whole range,
prior to this the trailing Emoji Modifier Fitzpatrick was separated from
the boy base emoji by an incomplete underline
Reviewed-on: https://gerrit.libreoffice.org/78878
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 5e4d564e27d062a48fd04cb7263b769819dd3a50)
Change-Id: I2e846e8eeedf96f341ed7f50d504883768e9eff0
---
vcl/source/font/fontmetric.cxx | 4 +-
vcl/source/fontsubset/sft.cxx | 5 +-
vcl/unx/generic/fontmanager/fontconfig.cxx | 60 +++++++++--------
.../generic/glyphs/freetype_glyphcache.cxx | 6 +-
vcl/unx/gtk3/gtk3gtkframe.cxx | 64 +++++++++++++------
5 files changed, 87 insertions(+), 52 deletions(-)
diff --git a/vcl/source/font/fontmetric.cxx b/vcl/source/font/fontmetric.cxx
index cd0b9f8557e9..816525c8773e 100644
--- a/vcl/source/font/fontmetric.cxx
+++ b/vcl/source/font/fontmetric.cxx
@@ -462,8 +462,8 @@ void ImplFontMetricData::ImplCalcLineSpacing(const std::vector<uint8_t>& rHheaDa
if (mnAscent || mnDescent)
mnIntLeading = mnAscent + mnDescent - mnHeight;
- SAL_INFO("vcl.gdi.fontmetric",
- "fsSelection: " << rInfo.fsSelection
+ SAL_INFO("vcl.gdi.fontmetric", GetFamilyName()
+ << ": fsSelection: " << rInfo.fsSelection
<< ", typoAscender: " << rInfo.typoAscender
<< ", typoDescender: " << rInfo.typoDescender
<< ", typoLineGap: " << rInfo.typoLineGap
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 365b9401b95e..04921294ab21 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1666,7 +1666,10 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
/* TODO: implement to get subsetting */
assert(t->goffsets != nullptr);
} else {
- return SF_TTFORMAT;
+ // Bitmap font, accept for now.
+ t->goffsets = static_cast<sal_uInt32 *>(calloc(1+t->nglyphs, sizeof(sal_uInt32)));
+ /* TODO: implement to get subsetting */
+ assert(t->goffsets != nullptr);
}
table = getTable(t, O_hhea);
diff --git a/vcl/unx/generic/fontmanager/fontconfig.cxx b/vcl/unx/generic/fontmanager/fontconfig.cxx
index 2c16e040cdab..33c50d082912 100644
--- a/vcl/unx/generic/fontmanager/fontconfig.cxx
+++ b/vcl/unx/generic/fontmanager/fontconfig.cxx
@@ -67,7 +67,7 @@ namespace
class FontCfgWrapper
{
- FcFontSet* m_pOutlineSet;
+ FcFontSet* m_pFontSet;
void addFontSet( FcSetName );
@@ -95,19 +95,15 @@ private:
};
FontCfgWrapper::FontCfgWrapper()
- :
- m_pOutlineSet( nullptr ),
- m_pLanguageTag( nullptr )
+ : m_pFontSet(nullptr)
+ , m_pLanguageTag(nullptr)
{
FcInit();
}
void FontCfgWrapper::addFontSet( FcSetName eSetName )
{
- /*
- add only acceptable outlined fonts to our config,
- for future fontconfig use
- */
+ // Add only acceptable fonts to our config, for future fontconfig use.
FcFontSet* pOrig = FcConfigGetFonts( FcConfigGetCurrent(), eSetName );
if( !pOrig )
return;
@@ -116,10 +112,12 @@ void FontCfgWrapper::addFontSet( FcSetName eSetName )
for( int i = 0; i < pOrig->nfont; ++i )
{
FcPattern* pPattern = pOrig->fonts[i];
- // #i115131# ignore non-outline fonts
- FcBool bOutline = FcFalse;
- FcResult eOutRes = FcPatternGetBool( pPattern, FC_OUTLINE, 0, &bOutline );
- if( (eOutRes != FcResultMatch) || (bOutline == FcFalse) )
+ // #i115131# ignore non-scalable fonts
+ // Scalable fonts are usually outline fonts, but some bitmaps fonts
+ // (like Noto Color Emoji) are also scalable.
+ FcBool bScalable = FcFalse;
+ FcResult eScalableRes = FcPatternGetBool(pPattern, FC_SCALABLE, 0, &bScalable);
+ if ((eScalableRes != FcResultMatch) || (bScalable == FcFalse))
continue;
// Ignore Type 1 fonts, too.
@@ -129,7 +127,7 @@ void FontCfgWrapper::addFontSet( FcSetName eSetName )
continue;
FcPatternReference( pPattern );
- FcFontSetAdd( m_pOutlineSet, pPattern );
+ FcFontSetAdd( m_pFontSet, pPattern );
}
// TODO?: FcFontSetDestroy( pOrig );
@@ -220,16 +218,16 @@ namespace
FcFontSet* FontCfgWrapper::getFontSet()
{
- if( !m_pOutlineSet )
+ if( !m_pFontSet )
{
- m_pOutlineSet = FcFontSetCreate();
+ m_pFontSet = FcFontSetCreate();
addFontSet( FcSetSystem );
addFontSet( FcSetApplication );
- ::std::sort(m_pOutlineSet->fonts,m_pOutlineSet->fonts+m_pOutlineSet->nfont,SortFont());
+ ::std::sort(m_pFontSet->fonts,m_pFontSet->fonts+m_pFontSet->nfont,SortFont());
}
- return m_pOutlineSet;
+ return m_pFontSet;
}
FontCfgWrapper::~FontCfgWrapper()
@@ -376,10 +374,10 @@ void FontCfgWrapper::clear()
{
m_aFontNameToLocalized.clear();
m_aLocalizedToCanonical.clear();
- if( m_pOutlineSet )
+ if( m_pFontSet )
{
- FcFontSetDestroy( m_pOutlineSet );
- m_pOutlineSet = nullptr;
+ FcFontSetDestroy( m_pFontSet );
+ m_pFontSet = nullptr;
}
delete m_pLanguageTag;
m_pLanguageTag = nullptr;
@@ -499,7 +497,7 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map<OString, int>& o
int width = 0;
int spacing = 0;
int nCollectionEntry = -1;
- FcBool outline = false;
+ FcBool scalable = false;
FcResult eFileRes = FcPatternGetString(pFSet->fonts[i], FC_FILE, 0, &file);
FcResult eFamilyRes = rWrapper.LocalizedElementFromPattern( pFSet->fonts[i], &family, FC_FAMILY, FC_FAMILYLANG );
@@ -510,11 +508,11 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map<OString, int>& o
FcResult eWeightRes = FcPatternGetInteger(pFSet->fonts[i], FC_WEIGHT, 0, &weight);
FcResult eWidthRes = FcPatternGetInteger(pFSet->fonts[i], FC_WIDTH, 0, &width);
FcResult eSpacRes = FcPatternGetInteger(pFSet->fonts[i], FC_SPACING, 0, &spacing);
- FcResult eOutRes = FcPatternGetBool(pFSet->fonts[i], FC_OUTLINE, 0, &outline);
+ FcResult eScalableRes = FcPatternGetBool(pFSet->fonts[i], FC_SCALABLE, 0, &scalable);
FcResult eIndexRes = FcPatternGetInteger(pFSet->fonts[i], FC_INDEX, 0, &nCollectionEntry);
FcResult eFormatRes = FcPatternGetString(pFSet->fonts[i], FC_FONTFORMAT, 0, &format);
- if( eFileRes != FcResultMatch || eFamilyRes != FcResultMatch || eOutRes != FcResultMatch )
+ if( eFileRes != FcResultMatch || eFamilyRes != FcResultMatch || eScalableRes != FcResultMatch )
continue;
#if (OSL_DEBUG_LEVEL > 2)
@@ -528,14 +526,15 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map<OString, int>& o
, eWeightRes == FcResultMatch ? width : -1
, eSpacRes == FcResultMatch ? spacing : -1
, eOutRes == FcResultMatch ? outline : -1
+ , eScalableRes == FcResultMatch ? scalable : -1
, eFormatRes == FcResultMatch ? (const char*)format : "<unknown>"
);
#endif
-// OSL_ASSERT(eOutRes != FcResultMatch || outline);
+// OSL_ASSERT(eScalableRes != FcResultMatch || scalable);
- // only outline fonts are usable to psprint anyway
- if( eOutRes == FcResultMatch && ! outline )
+ // only scalable fonts are usable to psprint anyway
+ if( eScalableRes == FcResultMatch && ! scalable )
continue;
if (isPreviouslyDuplicateOrObsoleted(pFSet, i))
@@ -807,6 +806,11 @@ namespace
#endif
}
+ bool isEmoji(sal_uInt32 nCurrentChar)
+ {
+ return u_hasBinaryProperty(nCurrentChar, UCHAR_EMOJI);
+ }
+
//returns true if the given code-point couldn't possibly be in rLangTag.
bool isImpossibleCodePointForLang(const LanguageTag &rLangTag, sal_uInt32 currentChar)
{
@@ -855,6 +859,8 @@ namespace
OUString getExemplarLangTagForCodePoint(sal_uInt32 currentChar)
{
+ if (isEmoji(currentChar))
+ return "und-zsye";
int32_t script = u_getIntPropertyValue(currentChar, UCHAR_SCRIPT);
UScriptCode eScript = static_cast<UScriptCode>(script);
OStringBuffer aBuf(unicode::getExemplarLanguageForUScriptCode(eScript));
@@ -981,7 +987,7 @@ void PrintFontManager::Substitute( FontSelectPattern &rPattern, OUString& rMissi
FcCharSetAddChar( codePoints, nCode );
//if the codepoint is impossible for this lang tag, then clear it
//and autodetect something useful
- if (!aLangAttrib.isEmpty() && isImpossibleCodePointForLang(aLangTag, nCode))
+ if (!aLangAttrib.isEmpty() && (isImpossibleCodePointForLang(aLangTag, nCode) || isEmoji(nCode)))
aLangAttrib.clear();
//#i105784#/rhbz#527719 improve selection of fallback font
if (aLangAttrib.isEmpty())
diff --git a/vcl/unx/generic/glyphs/freetype_glyphcache.cxx b/vcl/unx/generic/glyphs/freetype_glyphcache.cxx
index 5a55ee47bff3..0b03f428c3fa 100644
--- a/vcl/unx/generic/glyphs/freetype_glyphcache.cxx
+++ b/vcl/unx/generic/glyphs/freetype_glyphcache.cxx
@@ -409,9 +409,9 @@ FreetypeFont::FreetypeFont( const FontSelectPattern& rFSD, FreetypeFontInfo* pFI
FT_New_Size( maFaceFT, &maSizeFT );
FT_Activate_Size( maSizeFT );
- FT_Error rc = FT_Set_Pixel_Sizes( maFaceFT, mnWidth, rFSD.mnHeight );
- if( rc != FT_Err_Ok )
- return;
+ /* This might fail for color bitmap fonts, but that is fine since we will
+ * not need any glyph data from FreeType in this case */
+ /*FT_Error rc = */ FT_Set_Pixel_Sizes( maFaceFT, mnWidth, rFSD.mnHeight );
FT_Select_Charmap(maFaceFT, FT_ENCODING_UNICODE);
diff --git a/vcl/unx/gtk3/gtk3gtkframe.cxx b/vcl/unx/gtk3/gtk3gtkframe.cxx
index 4ee63a98da95..2f80d03f542b 100644
--- a/vcl/unx/gtk3/gtk3gtkframe.cxx
+++ b/vcl/unx/gtk3/gtk3gtkframe.cxx
@@ -4031,34 +4031,59 @@ void GtkSalFrame::IMHandler::signalIMPreeditChanged( GtkIMContext*, gpointer im_
pThis->m_bPreeditJustChanged = true;
bool bEndPreedit = (!pText || !*pText) && pThis->m_aInputEvent.mpTextAttr != nullptr;
- pThis->m_aInputEvent.maText = pText ? OUString( pText, strlen(pText), RTL_TEXTENCODING_UTF8 ) : OUString();
- pThis->m_aInputEvent.mnCursorPos = nCursorPos;
- pThis->m_aInputEvent.mnCursorFlags = 0;
+ gint nUtf8Len = pText ? strlen(pText) : 0;
+ pThis->m_aInputEvent.maText = pText ? OUString(pText, nUtf8Len, RTL_TEXTENCODING_UTF8) : OUString();
+ const OUString& rText = pThis->m_aInputEvent.maText;
- pThis->m_aInputFlags = std::vector<ExtTextInputAttr>( std::max( 1, (int)pThis->m_aInputEvent.maText.getLength() ), ExtTextInputAttr::NONE );
+ std::vector<sal_Int32> aUtf16Offsets;
+ for (sal_Int32 nUtf16Offset = 0; nUtf16Offset < rText.getLength(); rText.iterateCodePoints(&nUtf16Offset))
+ aUtf16Offsets.push_back(nUtf16Offset);
+
+ sal_Int32 nUtf32Len = aUtf16Offsets.size();
+ aUtf16Offsets.push_back(rText.getLength());
+
+ // sanitize the CurPos which is in utf-32
+ if (nCursorPos < 0)
+ nCursorPos = 0;
+ else if (nCursorPos > nUtf32Len)
+ nCursorPos = nUtf32Len;
+
+ pThis->m_aInputEvent.mnCursorPos = aUtf16Offsets[nCursorPos];
+ pThis->m_aInputEvent.mnCursorFlags = 0;
+
+ pThis->m_aInputFlags = std::vector<ExtTextInputAttr>( std::max( 1, static_cast<int>(rText.getLength()) ), ExtTextInputAttr::NONE );
PangoAttrIterator *iter = pango_attr_list_get_iterator(pAttrs);
do
{
GSList *attr_list = nullptr;
GSList *tmp_list = nullptr;
- gint start, end;
+ gint nUtf8Start, nUtf8End;
ExtTextInputAttr sal_attr = ExtTextInputAttr::NONE;
- pango_attr_iterator_range (iter, &start, &end);
- if (start == G_MAXINT || end == G_MAXINT)
- {
- auto len = pText ? g_utf8_strlen(pText, -1) : 0;
- if (end == G_MAXINT)
- end = len;
- if (start == G_MAXINT)
- start = len;
- }
- if (end == start)
+ // docs say... "Get the range of the current segment ... the stored
+ // return values are signed, not unsigned like the values in
+ // PangoAttribute", which implies that the units are otherwise the same
+ // as that of PangoAttribute whose docs state these units are "in
+ // bytes"
+ // so this is the utf8 range
+ pango_attr_iterator_range(iter, &nUtf8Start, &nUtf8End);
+
+ // sanitize the utf8 range
+ nUtf8Start = std::min(nUtf8Start, nUtf8Len);
+ nUtf8End = std::min(nUtf8End, nUtf8Len);
+ if (nUtf8Start >= nUtf8End)
continue;
- start = g_utf8_pointer_to_offset (pText, pText + start);
- end = g_utf8_pointer_to_offset (pText, pText + end);
+ // get the utf32 range
+ sal_Int32 nUtf32Start = g_utf8_pointer_to_offset(pText, pText + nUtf8Start);
+ sal_Int32 nUtf32End = g_utf8_pointer_to_offset(pText, pText + nUtf8End);
+
+ // sanitize the utf32 range
+ nUtf32Start = std::min(nUtf32Start, nUtf32Len);
+ nUtf32End = std::min(nUtf32End, nUtf32Len);
+ if (nUtf32Start >= nUtf32End)
+ continue;
tmp_list = attr_list = pango_attr_iterator_get_attrs (iter);
while (tmp_list)
@@ -4088,11 +4113,12 @@ void GtkSalFrame::IMHandler::signalIMPreeditChanged( GtkIMContext*, gpointer im_
g_slist_free (attr_list);
// Set the sal attributes on our text
- for (int i = start; i < end; ++i)
+ // rhbz#1648281 apply over our utf-16 range derived from the input utf-32 range
+ for (sal_Int32 i = aUtf16Offsets[nUtf32Start]; i < aUtf16Offsets[nUtf32End]; ++i)
{
SAL_WARN_IF(i >= static_cast<int>(pThis->m_aInputFlags.size()),
"vcl.gtk3", "pango attrib out of range. Broken range: "
- << start << "," << end << " Legal range: 0,"
+ << aUtf16Offsets[nUtf32Start] << "," << aUtf16Offsets[nUtf32End] << " Legal range: 0,"
<< pThis->m_aInputFlags.size());
if (i >= static_cast<int>(pThis->m_aInputFlags.size()))
continue;
--
2.21.0

47
SOURCES/CVE-2019-9848.patch Normal file
View File

@ -0,0 +1,47 @@
From 3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Fri, 7 Jun 2019 14:04:07 +0100
Subject: [PATCH] explictly exclude LibreLogo from XScript usage
Change-Id: I567647f0e2f8b82e4ef2995c673abe82f4564228
Reviewed-on: https://gerrit.libreoffice.org/73708
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
---
sfx2/source/doc/objmisc.cxx | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index e245800f2fec..beea5170e44d 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1340,6 +1340,16 @@ namespace
}
}
+namespace {
+
+// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
+bool UnTrustedScript(const OUString& rScriptURL)
+{
+ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
+}
+
+}
+
ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,
const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )
{
@@ -1352,6 +1362,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
return ERRCODE_IO_ACCESSDENIED;
+ if ( UnTrustedScript(_rScriptURL) )
+ return ERRCODE_IO_ACCESSDENIED;
+
bool bCaughtException = false;
Any aException;
try
--
2.21.0

165
SOURCES/CVE-2019-9849.patch Normal file
View File

@ -0,0 +1,165 @@
From 952553d3998a1d6fbb0d197f81b769438a48a372 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Fri, 7 Jun 2019 09:28:12 +0200
Subject: [PATCH] More uses of referer URL with SvxBrushItem
Reviewed-on: https://gerrit.libreoffice.org/73643
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit b518882de8213ef71a8003f95fbdf7689069c06d)
Conflicts:
sw/source/core/text/porfld.cxx
sw/source/core/unocore/unosett.cxx
Change-Id: I04b524784df4ef453d8b1feec13b62f183a17e23
Reviewed-on: https://gerrit.libreoffice.org/73860
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
---
sw/inc/unosett.hxx | 2 +-
sw/source/core/text/porfld.cxx | 4 ++--
sw/source/core/text/porfld.hxx | 1 +
sw/source/core/text/txtfld.cxx | 12 +++++++++++-
sw/source/core/unocore/unosett.cxx | 15 ++++++++++++---
.../uibase/config/StoredChapterNumbering.cxx | 2 +-
6 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx
index 295eb06..185b5bc 100644
--- a/sw/inc/unosett.hxx
+++ b/sw/inc/unosett.hxx
@@ -210,7 +210,7 @@ public:
static css::uno::Sequence<css::beans::PropertyValue> GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const* pHeadingStyleName);
+ OUString const* pHeadingStyleName, OUString const & referer);
static void SetPropertiesToNumFormat(
SwNumFormat & aFormat,
OUString & rCharStyleName,
diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx
index 7771658..b29cee3 100644
--- a/sw/source/core/text/porfld.cxx
+++ b/sw/source/core/text/porfld.cxx
@@ -755,7 +755,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet,
SwGrfNumPortion::SwGrfNumPortion(
const OUString& rGraphicFollowedBy,
- const SvxBrushItem* pGrfBrush,
+ const SvxBrushItem* pGrfBrush, OUString const & referer,
const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize,
const bool bLft, const bool bCntr, const sal_uInt16 nMinDst,
const bool bLabelAlignmentPosAndSpaceModeActive ) :
@@ -769,7 +769,7 @@ SwGrfNumPortion::SwGrfNumPortion(
if( pGrfBrush )
{
*pBrush = *pGrfBrush;
- const Graphic* pGraph = pGrfBrush->GetGraphic();
+ const Graphic* pGraph = pGrfBrush->GetGraphic(referer);
if( pGraph )
SetAnimated( pGraph->IsAnimated() );
else
diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx
index 38fc089..4ecf25e 100644
--- a/sw/source/core/text/porfld.hxx
+++ b/sw/source/core/text/porfld.hxx
@@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion
public:
SwGrfNumPortion( const OUString& rGraphicFollowedBy,
const SvxBrushItem* pGrfBrush,
+ OUString const & referer,
const SwFormatVertOrient* pGrfOrient,
const Size& rGrfSize,
const bool bLeft,
diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx
index 6b2b938..14e3968 100644
--- a/sw/source/core/text/txtfld.cxx
+++ b/sw/source/core/text/txtfld.cxx
@@ -52,6 +52,7 @@
#include <flddat.hxx>
#include <fmtautofmt.hxx>
#include <IDocumentSettingAccess.hxx>
+#include <sfx2/docfile.hxx>
#include <svl/itemiter.hxx>
static bool lcl_IsInBody( SwFrame const *pFrame )
@@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con
if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() )
{
+ OUString referer;
+ if (auto const sh1 = rInf.GetVsh()) {
+ if (auto const doc = sh1->GetDoc()) {
+ auto const sh2 = doc->GetPersist();
+ if (sh2 != nullptr && sh2->HasName()) {
+ referer = sh2->GetMedium()->GetName();
+ }
+ }
+ }
pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(),
- rNumFormat.GetBrush(),
+ rNumFormat.GetBrush(), referer,
rNumFormat.GetGraphicOrientation(),
rNumFormat.GetGraphicSize(),
bLeft, bCenter, nMinDist,
diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx
index f7376b9..44cd118 100644
--- a/sw/source/core/unocore/unosett.cxx
+++ b/sw/source/core/unocore/unosett.cxx
@@ -55,6 +55,7 @@
#include <o3tl/any.hxx>
#include <o3tl/enumarray.hxx>
#include <vcl/font.hxx>
+#include <sfx2/docfile.hxx>
#include <editeng/flstitem.hxx>
#include <vcl/metric.hxx>
#include <svtools/ctrltool.hxx>
@@ -1316,13 +1317,21 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetNumberingRuleByIndex(
SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl);
}
- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr);
+ OUString referer;
+ if (pDoc != nullptr) {
+ auto const sh = pDoc->GetPersist();
+ if (sh != nullptr && sh->HasName()) {
+ referer = sh->GetMedium()->GetName();
+ }
+ }
+ return GetPropertiesForNumFormat(
+ rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr, referer);
}
uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const*const pHeadingStyleName)
+ OUString const*const pHeadingStyleName, OUString const & referer)
{
bool bChapterNum = pHeadingStyleName != nullptr;
@@ -1454,7 +1463,7 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat
//graphicbitmap
const Graphic* pGraphic = nullptr;
if(pBrush )
- pGraphic = pBrush->GetGraphic();
+ pGraphic = pBrush->GetGraphic(referer);
if(pGraphic)
{
uno::Reference<awt::XBitmap> xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() );
diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx
index c575863..b972ec5 100644
--- a/sw/source/uibase/config/StoredChapterNumbering.cxx
+++ b/sw/source/uibase/config/StoredChapterNumbering.cxx
@@ -129,7 +129,7 @@ public:
OUString dummy; // pass in empty HeadingStyleName - can't import anyway
uno::Sequence<beans::PropertyValue> const ret(
SwXNumberingRules::GetPropertiesForNumFormat(
- *pNumFormat, *pCharStyleName, &dummy));
+ *pNumFormat, *pCharStyleName, &dummy, ""));
return uno::makeAny(ret);
}
--
2.20.1

68
SOURCES/CVE-2019-9850.patch Normal file
View File

@ -0,0 +1,68 @@
From 143eedd298113bb20c2807baa49a4c83c2cef70b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Fri, 26 Jul 2019 13:25:31 +0100
Subject: [PATCH 1/3] decode url escape codes and check each path segment
Change-Id: Ie8f7cef912e8dacbc2a0bca73534a7a242a53ca1
Reviewed-on: https://gerrit.libreoffice.org/76378
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Jenkins
(cherry picked from commit 7942929685fafb0f9c82feb8da7279e5103c87f0)
Reviewed-on: https://gerrit.libreoffice.org/76451
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
---
sfx2/source/doc/objmisc.cxx | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index 8594e9522e48..7e9288524b34 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -41,6 +41,8 @@
#include <com/sun/star/script/provider/XScriptProvider.hpp>
#include <com/sun/star/script/provider/XScriptProviderSupplier.hpp>
#include <com/sun/star/ucb/SimpleFileAccess.hpp>
+#include <com/sun/star/uri/UriReferenceFactory.hpp>
+#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp>
#include <com/sun/star/util/XModifiable.hpp>
#include <toolkit/helper/vclunohelper.hxx>
@@ -1351,7 +1353,33 @@ namespace {
// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
bool UnTrustedScript(const OUString& rScriptURL)
{
- return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo");
+ if (!rScriptURL.startsWith("vnd.sun.star.script:"))
+ return false;
+
+ // ensure URL Escape Codes are decoded
+ css::uno::Reference<css::uri::XUriReference> uri(
+ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())->parse(rScriptURL));
+ css::uno::Reference<css::uri::XVndSunStarScriptUrl> sfUri(uri, css::uno::UNO_QUERY);
+
+ if (!sfUri.is())
+ return false;
+
+ // pyuno encodes path separator as |
+ OUString sScript = sfUri->getName().replace('|', '/');
+
+ // check if any path portion matches LibreLogo and ban it if it does
+ sal_Int32 nIndex = 0;
+ do
+ {
+ OUString aToken = sScript.getToken(0, '/', nIndex);
+ if (aToken.startsWithIgnoreAsciiCase("LibreLogo"))
+ {
+ return true;
+ }
+ }
+ while (nIndex >= 0);
+
+ return false;
}
}
--
2.21.0

99
SOURCES/CVE-2019-9851.patch Normal file
View File

@ -0,0 +1,99 @@
From 292fe2f32df0e9096e63383eb45924eceb2179db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 23 Jul 2019 15:31:05 +0100
Subject: [PATCH 2/3] expand LibreLogo check to global events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-on: https://gerrit.libreoffice.org/76189
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 4a66c7eda6ccde26a42c4e31725248c59940255d)
Change-Id: I7f436983ba0eb4b76b02d08ee52626e54b103d5f
Reviewed-on: https://gerrit.libreoffice.org/76305
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
---
include/sfx2/objsh.hxx | 2 ++
sfx2/source/doc/objmisc.cxx | 6 +-----
sfx2/source/notify/eventsupplier.cxx | 18 ++++++++++++------
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
index d04758567c80..ed09fc6e2acb 100644
--- a/include/sfx2/objsh.hxx
+++ b/include/sfx2/objsh.hxx
@@ -404,6 +404,8 @@ public:
*/
bool AdjustMacroMode();
+ static bool UnTrustedScript(const OUString& rScriptURL);
+
SvKeyValueIterator* GetHeaderAttributes();
void ClearHeaderAttributesForSourceViewHack();
void SetHeaderAttributesForSourceViewHack();
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index 7e9288524b34..9b82742302ab 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1348,10 +1348,8 @@ namespace
}
}
-namespace {
-
// don't allow LibreLogo to be used with our mouseover/etc dom-alike events
-bool UnTrustedScript(const OUString& rScriptURL)
+bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL)
{
if (!rScriptURL.startsWith("vnd.sun.star.script:"))
return false;
@@ -1382,8 +1380,6 @@ bool UnTrustedScript(const OUString& rScriptURL)
return false;
}
-}
-
ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL,
const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller )
{
diff --git a/sfx2/source/notify/eventsupplier.cxx b/sfx2/source/notify/eventsupplier.cxx
index 78667a1d8036..2656e9c213ec 100644
--- a/sfx2/source/notify/eventsupplier.cxx
+++ b/sfx2/source/notify/eventsupplier.cxx
@@ -207,18 +207,24 @@ void SfxEvents_Impl::Execute( uno::Any const & aEventData, const document::Docum
else if (aType == "Service" ||
aType == "Script")
{
- if ( !aScript.isEmpty() )
+ bool bAllowed = false;
+ util::URL aURL;
+ if (!aScript.isEmpty())
{
- SfxViewFrame* pView = pDoc ?
- SfxViewFrame::GetFirst( pDoc ) :
- SfxViewFrame::Current();
-
uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( ::comphelper::getProcessComponentContext() ) );
- util::URL aURL;
aURL.Complete = aScript;
xTrans->parseStrict( aURL );
+ bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete);
+ }
+
+ if (bAllowed)
+ {
+ SfxViewFrame* pView = pDoc ?
+ SfxViewFrame::GetFirst( pDoc ) :
+ SfxViewFrame::Current();
+
uno::Reference
< frame::XDispatchProvider > xProv;
--
2.21.0

39
SOURCES/CVE-2019-9852.patch Normal file
View File

@ -0,0 +1,39 @@
From 3a827091172b9ce3982323b838ed55d896d585d4 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Sat, 3 Aug 2019 16:37:48 +0100
Subject: [PATCH 3/3] keep name percent-encoded
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: I470c4b24192c3e3c9b556a9bbb3b084359e0033b
Reviewed-on: https://gerrit.libreoffice.org/77006
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 315c51731384230194af26b86a976bf5d06c9dcc)
Reviewed-on: https://gerrit.libreoffice.org/77090
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
---
scripting/source/pyprov/pythonscript.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py
index f1b2bfc75ee3..64e1337d642e 100644
--- a/scripting/source/pyprov/pythonscript.py
+++ b/scripting/source/pyprov/pythonscript.py
@@ -219,7 +219,9 @@ class MyUriHelper:
# path to the .py file + "$functionname, arguments, etc
xStorageUri = self.m_uriRefFac.parse(scriptURI)
- sStorageUri = xStorageUri.getName().replace( "|", "/" );
+ # getName will apply url-decoding to the name, so encode back
+ sStorageUri = xStorageUri.getName().replace("%", "%25")
+ sStorageUri = sStorageUri.replace( "|", "/" )
# path to the .py file, relative to the base
sFileUri = sStorageUri[0:sStorageUri.find("$")]
--
2.21.0

89
SOURCES/CVE-2019-9853.patch Normal file
View File

@ -0,0 +1,89 @@
From 8f98c29cea1e46e5a2bcde10039840145776f56b Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Tue, 6 Aug 2019 13:29:22 +0200
Subject: [PATCH] Properly obtain location
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8
Reviewed-on: https://gerrit.libreoffice.org/77019
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42)
Reviewed-on: https://gerrit.libreoffice.org/77024
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
---
.../source/protocolhandler/scripthandler.cxx | 9 ++++++--
sfx2/source/doc/objmisc.cxx | 21 +++++++++++--------
2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx
index f8ad8c7fd63d..332d4833a6f2 100644
--- a/scripting/source/protocolhandler/scripthandler.cxx
+++ b/scripting/source/protocolhandler/scripthandler.cxx
@@ -49,6 +49,7 @@
#include <com/sun/star/uno/XComponentContext.hpp>
#include <com/sun/star/uri/XUriReference.hpp>
+#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp>
#include <com/sun/star/uri/UriReferenceFactory.hpp>
#include <memory>
@@ -135,8 +136,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification(
{
try
{
- bool bIsDocumentScript = ( aURL.Complete.indexOf( "document" ) !=-1 );
- // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it?
+ css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+ css::uri::UriReferenceFactory::create(m_xContext));
+ css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+ urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW);
+ auto const loc = uri->getParameter("location");
+ bool bIsDocumentScript = loc == "document";
if ( bIsDocumentScript )
{
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index 9869f76606bf..08f4d8c21297 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1380,19 +1380,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon
SAL_INFO("sfx", "in CallXScript" );
ErrCode nErr = ERRCODE_NONE;
- bool bIsDocumentScript = ( _rScriptURL.indexOf( "location=document" ) >= 0 );
- // TODO: we should parse the URL, and check whether there is a parameter with this name.
- // Otherwise, we might find too much.
- if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
- return ERRCODE_IO_ACCESSDENIED;
-
- if ( UnTrustedScript(_rScriptURL) )
- return ERRCODE_IO_ACCESSDENIED;
-
bool bCaughtException = false;
Any aException;
try
{
+ css::uno::Reference<css::uri::XUriReferenceFactory> urifac(
+ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext()));
+ css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri(
+ urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW);
+ auto const loc = uri->getParameter("location");
+ bool bIsDocumentScript = loc == "document";
+ if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) )
+ return ERRCODE_IO_ACCESSDENIED;
+
+ if ( UnTrustedScript(_rScriptURL) )
+ return ERRCODE_IO_ACCESSDENIED;
+
// obtain/create a script provider
Reference< provider::XScriptProvider > xScriptProvider;
Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY );
--
2.21.0

86
SOURCES/CVE-2019-9854.patch Normal file
View File

@ -0,0 +1,86 @@
From f107a8c90168124462ddd00db015810081d4be2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Mon, 12 Aug 2019 20:32:54 +0100
Subject: [PATCH 1/2] construct final url from parsed output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: Ifd733625a439685ad307603eb2b00bf463eb9ca9
Reviewed-on: https://gerrit.libreoffice.org/77373
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 87959e5deea6d33cd35dbb3b8423056f9566710e)
Reviewed-on: https://gerrit.libreoffice.org/77377
(cherry picked from commit c03acb9b8a97254cfcf7c45ef920b93b7f1dd344)
an absolute uri is invalid input
Change-Id: I392be4282be8ed67e3451b28d2c9f22acd4c87fc
Reviewed-on: https://gerrit.libreoffice.org/77564
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 3c076e54f736980e208f5c27ecf179aa90aea103)
Reviewed-on: https://gerrit.libreoffice.org/77572
Tested-by: Jenkins
(cherry picked from commit 5445f7ffd09e891b220dabb19cd013bcf591fc08)
Improve check for absolute URI
Change-Id: I4dee44832107f72f8f3fb68554428dc1e646c346
Reviewed-on: https://gerrit.libreoffice.org/77706
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit c79efeb66f7951305d0334bc288aee1c571a8728)
Reviewed-on: https://gerrit.libreoffice.org/77724
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 52f7aa318722bd17c77ee5c4fa8307936e7b53af)
---
scripting/source/pyprov/pythonscript.py | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py
index 64e1337d642e..acb6184bf437 100644
--- a/scripting/source/pyprov/pythonscript.py
+++ b/scripting/source/pyprov/pythonscript.py
@@ -224,13 +224,24 @@ class MyUriHelper:
sStorageUri = sStorageUri.replace( "|", "/" )
# path to the .py file, relative to the base
- sFileUri = sStorageUri[0:sStorageUri.find("$")]
+ funcNameStart = sStorageUri.find("$")
+ if funcNameStart != -1:
+ sFileUri = sStorageUri[0:funcNameStart]
+ sFuncName = sStorageUri[funcNameStart+1:]
+ else:
+ sFileUri = sStorageUri
+
xFileUri = self.m_uriRefFac.parse(sFileUri)
if not xFileUri:
message = "pythonscript: invalid relative uri '" + sFileUri+ "'"
log.debug( message )
raise RuntimeException( message )
+ if not xFileUri.hasRelativePath():
+ message = "pythonscript: an absolute uri is invalid '" + sFileUri+ "'"
+ log.debug( message )
+ raise RuntimeException( message )
+
# absolute path to the .py file
xAbsScriptUri = self.m_uriRefFac.makeAbsolute(xBaseUri, xFileUri, True, RETAIN)
sAbsScriptUri = xAbsScriptUri.getUriReference()
@@ -241,7 +252,9 @@ class MyUriHelper:
log.debug( message )
raise RuntimeException( message )
- ret = sBaseUri + sStorageUri
+ ret = sAbsScriptUri
+ if funcNameStart != -1:
+ ret = ret + "$" + sFuncName
log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret )
return ret
except UnoException as e:
--
2.21.0

33
SOURCES/CVE-2019-9855.patch Normal file
View File

@ -0,0 +1,33 @@
From 1686c4273b8e0b8218853669e50d4bf405525dde Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Mon, 26 Aug 2019 10:18:09 +0200
Subject: [PATCH 2/2] Improve check
Change-Id: I8280a81eef2ced0ff0ace51ea9f094421abafe13
Reviewed-on: https://gerrit.libreoffice.org/78108
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 761e6dd25782420bf06e4a2ff3205a79b6cbb136)
Reviewed-on: https://gerrit.libreoffice.org/78129
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
(cherry picked from commit ffad51e9e625a22f1efab3da7886baf4134b444f)
---
sfx2/source/doc/objmisc.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
index 9b82742302ab..4f2a05909a74 100644
--- a/sfx2/source/doc/objmisc.cxx
+++ b/sfx2/source/doc/objmisc.cxx
@@ -1370,7 +1370,7 @@ bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL)
do
{
OUString aToken = sScript.getToken(0, '/', nIndex);
- if (aToken.startsWithIgnoreAsciiCase("LibreLogo"))
+ if (aToken.startsWithIgnoreAsciiCase("LibreLogo") || aToken.indexOf('~') != -1)
{
return true;
}
--
2.21.0

15
SPECS/libreoffice.spec
View File

@ -64,7 +64,7 @@ Summary: Free Software Productivity Suite
Name: libreoffice
Epoch: 1
Version: %{libo_version}.1
Release: 19%{?libo_prerelease}%{?dist}
Release: 20%{?libo_prerelease}%{?dist}
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
URL: http://www.libreoffice.org/
@ -298,6 +298,15 @@ Patch22: 0001-tdf-121203-DOCX-import-fix-loss-of-free-form-text-in.patch
Patch23: 0001-keep-pyuno-script-processing-below-base-uri.patch
Patch24: 0001-rhbz-1691287-tdf-53029-ui-prompt-for-printer-authent.patch
Patch25: 0001-Resolves-rhbz-1715109-add-All-files-to-the-graphic-i.patch
Patch26: CVE-2019-9848.patch
Patch27: CVE-2019-9849.patch
Patch28: CVE-2019-9850.patch
Patch29: CVE-2019-9851.patch
Patch30: CVE-2019-9852.patch
Patch31: CVE-2019-9853.patch
Patch32: CVE-2019-9854.patch
Patch33: CVE-2019-9855.patch
Patch34: 0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch
%if 0%{?rhel}
# not upstreamed
@ -2330,6 +2339,10 @@ done
%{_includedir}/LibreOfficeKit
%changelog
* Mon Oct 14 2019 Caolán McNamara <caolanm@redhat.com> - 1:6.0.6.1-20
- Resolves: rhbz#1743958 CVE-2019-9849, etc.
- Resolves: rhbz#1648281 Junk character gets added when some emojis are inserted
* Mon Aug 19 2019 Caolán McNamara <caolanm@redhat.com> - 1:6.0.6.1-19
- Related: rhbz#1691287 escape backslashes etc in username