diff --git a/SOURCES/0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch b/SOURCES/0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch new file mode 100644 index 0000000..dce5dea --- /dev/null +++ b/SOURCES/0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch @@ -0,0 +1,374 @@ +From 96012f88aac95147ae1fd4834cea5c5bb184d52b Mon Sep 17 00:00:00 2001 +From: Khaled Hosny +Date: Tue, 27 Aug 2019 15:19:15 +0200 +Subject: [PATCH] Make Noto Color Emoji font work on Linux +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Noto Color Emoji is a bitmap color font, Cairo knows how to scale such +fonts and FontConfig will identify them as scalable but not outline +fonts, so change the FontConfig checks to checks for scalability. + +Make sft.cxx:doOpenTTFont() accept non-outline fonts, the text will not +show in PDF but that is not worse than the status quo. + +Reviewed-on: https://gerrit.libreoffice.org/78218 +Tested-by: Jenkins +Reviewed-by: Khaled Hosny +(cherry picked from commit dcf7792da2aa2a1ef774a124f7b21f68fff0fd15) + +Change-Id: I756c718296d2c43e3165cd2f07b11bbb981318d3 + +Related: rhbz#1648281 improve fontconfig fallback for emojis + +disregard text language for emoji and tag with und-zsye to +get fontconfig to give us the default emoji font + +Change-Id: I8f94b0c41dea3204c9db77b96ad8f0d98bae2239 + +ctrl+shift+e emoji ibus engine problems converting UCS-4 positions to UTF-16 + +e.g. ctrl+shift+e type rabbit then space in writer and the len of underline +is 2 which should encompass the displayed e + 2 UTF-16 units + +Change-Id: I424db7dd6cbcc5845922ac17208fed643e672dbd + +rework IM underline impl wrt mix of UTF-8/16/32 units + +e.g. ctrl+shift+e type boy then space twice in writer. The UTF-32 units +are 0x65 0x1f466 0x1f3fb. The underline should encompass the whole range, +prior to this the trailing Emoji Modifier Fitzpatrick was separated from +the boy base emoji by an incomplete underline + +Reviewed-on: https://gerrit.libreoffice.org/78878 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 5e4d564e27d062a48fd04cb7263b769819dd3a50) + +Change-Id: I2e846e8eeedf96f341ed7f50d504883768e9eff0 +--- + vcl/source/font/fontmetric.cxx | 4 +- + vcl/source/fontsubset/sft.cxx | 5 +- + vcl/unx/generic/fontmanager/fontconfig.cxx | 60 +++++++++-------- + .../generic/glyphs/freetype_glyphcache.cxx | 6 +- + vcl/unx/gtk3/gtk3gtkframe.cxx | 64 +++++++++++++------ + 5 files changed, 87 insertions(+), 52 deletions(-) + +diff --git a/vcl/source/font/fontmetric.cxx b/vcl/source/font/fontmetric.cxx +index cd0b9f8557e9..816525c8773e 100644 +--- a/vcl/source/font/fontmetric.cxx ++++ b/vcl/source/font/fontmetric.cxx +@@ -462,8 +462,8 @@ void ImplFontMetricData::ImplCalcLineSpacing(const std::vector& rHheaDa + if (mnAscent || mnDescent) + mnIntLeading = mnAscent + mnDescent - mnHeight; + +- SAL_INFO("vcl.gdi.fontmetric", +- "fsSelection: " << rInfo.fsSelection ++ SAL_INFO("vcl.gdi.fontmetric", GetFamilyName() ++ << ": fsSelection: " << rInfo.fsSelection + << ", typoAscender: " << rInfo.typoAscender + << ", typoDescender: " << rInfo.typoDescender + << ", typoLineGap: " << rInfo.typoLineGap +diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx +index 365b9401b95e..04921294ab21 100644 +--- a/vcl/source/fontsubset/sft.cxx ++++ b/vcl/source/fontsubset/sft.cxx +@@ -1666,7 +1666,10 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t ) + /* TODO: implement to get subsetting */ + assert(t->goffsets != nullptr); + } else { +- return SF_TTFORMAT; ++ // Bitmap font, accept for now. ++ t->goffsets = static_cast(calloc(1+t->nglyphs, sizeof(sal_uInt32))); ++ /* TODO: implement to get subsetting */ ++ assert(t->goffsets != nullptr); + } + + table = getTable(t, O_hhea); +diff --git a/vcl/unx/generic/fontmanager/fontconfig.cxx b/vcl/unx/generic/fontmanager/fontconfig.cxx +index 2c16e040cdab..33c50d082912 100644 +--- a/vcl/unx/generic/fontmanager/fontconfig.cxx ++++ b/vcl/unx/generic/fontmanager/fontconfig.cxx +@@ -67,7 +67,7 @@ namespace + + class FontCfgWrapper + { +- FcFontSet* m_pOutlineSet; ++ FcFontSet* m_pFontSet; + + void addFontSet( FcSetName ); + +@@ -95,19 +95,15 @@ private: + }; + + FontCfgWrapper::FontCfgWrapper() +- : +- m_pOutlineSet( nullptr ), +- m_pLanguageTag( nullptr ) ++ : m_pFontSet(nullptr) ++ , m_pLanguageTag(nullptr) + { + FcInit(); + } + + void FontCfgWrapper::addFontSet( FcSetName eSetName ) + { +- /* +- add only acceptable outlined fonts to our config, +- for future fontconfig use +- */ ++ // Add only acceptable fonts to our config, for future fontconfig use. + FcFontSet* pOrig = FcConfigGetFonts( FcConfigGetCurrent(), eSetName ); + if( !pOrig ) + return; +@@ -116,10 +112,12 @@ void FontCfgWrapper::addFontSet( FcSetName eSetName ) + for( int i = 0; i < pOrig->nfont; ++i ) + { + FcPattern* pPattern = pOrig->fonts[i]; +- // #i115131# ignore non-outline fonts +- FcBool bOutline = FcFalse; +- FcResult eOutRes = FcPatternGetBool( pPattern, FC_OUTLINE, 0, &bOutline ); +- if( (eOutRes != FcResultMatch) || (bOutline == FcFalse) ) ++ // #i115131# ignore non-scalable fonts ++ // Scalable fonts are usually outline fonts, but some bitmaps fonts ++ // (like Noto Color Emoji) are also scalable. ++ FcBool bScalable = FcFalse; ++ FcResult eScalableRes = FcPatternGetBool(pPattern, FC_SCALABLE, 0, &bScalable); ++ if ((eScalableRes != FcResultMatch) || (bScalable == FcFalse)) + continue; + + // Ignore Type 1 fonts, too. +@@ -129,7 +127,7 @@ void FontCfgWrapper::addFontSet( FcSetName eSetName ) + continue; + + FcPatternReference( pPattern ); +- FcFontSetAdd( m_pOutlineSet, pPattern ); ++ FcFontSetAdd( m_pFontSet, pPattern ); + } + + // TODO?: FcFontSetDestroy( pOrig ); +@@ -220,16 +218,16 @@ namespace + + FcFontSet* FontCfgWrapper::getFontSet() + { +- if( !m_pOutlineSet ) ++ if( !m_pFontSet ) + { +- m_pOutlineSet = FcFontSetCreate(); ++ m_pFontSet = FcFontSetCreate(); + addFontSet( FcSetSystem ); + addFontSet( FcSetApplication ); + +- ::std::sort(m_pOutlineSet->fonts,m_pOutlineSet->fonts+m_pOutlineSet->nfont,SortFont()); ++ ::std::sort(m_pFontSet->fonts,m_pFontSet->fonts+m_pFontSet->nfont,SortFont()); + } + +- return m_pOutlineSet; ++ return m_pFontSet; + } + + FontCfgWrapper::~FontCfgWrapper() +@@ -376,10 +374,10 @@ void FontCfgWrapper::clear() + { + m_aFontNameToLocalized.clear(); + m_aLocalizedToCanonical.clear(); +- if( m_pOutlineSet ) ++ if( m_pFontSet ) + { +- FcFontSetDestroy( m_pOutlineSet ); +- m_pOutlineSet = nullptr; ++ FcFontSetDestroy( m_pFontSet ); ++ m_pFontSet = nullptr; + } + delete m_pLanguageTag; + m_pLanguageTag = nullptr; +@@ -499,7 +497,7 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map& o + int width = 0; + int spacing = 0; + int nCollectionEntry = -1; +- FcBool outline = false; ++ FcBool scalable = false; + + FcResult eFileRes = FcPatternGetString(pFSet->fonts[i], FC_FILE, 0, &file); + FcResult eFamilyRes = rWrapper.LocalizedElementFromPattern( pFSet->fonts[i], &family, FC_FAMILY, FC_FAMILYLANG ); +@@ -510,11 +508,11 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map& o + FcResult eWeightRes = FcPatternGetInteger(pFSet->fonts[i], FC_WEIGHT, 0, &weight); + FcResult eWidthRes = FcPatternGetInteger(pFSet->fonts[i], FC_WIDTH, 0, &width); + FcResult eSpacRes = FcPatternGetInteger(pFSet->fonts[i], FC_SPACING, 0, &spacing); +- FcResult eOutRes = FcPatternGetBool(pFSet->fonts[i], FC_OUTLINE, 0, &outline); ++ FcResult eScalableRes = FcPatternGetBool(pFSet->fonts[i], FC_SCALABLE, 0, &scalable); + FcResult eIndexRes = FcPatternGetInteger(pFSet->fonts[i], FC_INDEX, 0, &nCollectionEntry); + FcResult eFormatRes = FcPatternGetString(pFSet->fonts[i], FC_FONTFORMAT, 0, &format); + +- if( eFileRes != FcResultMatch || eFamilyRes != FcResultMatch || eOutRes != FcResultMatch ) ++ if( eFileRes != FcResultMatch || eFamilyRes != FcResultMatch || eScalableRes != FcResultMatch ) + continue; + + #if (OSL_DEBUG_LEVEL > 2) +@@ -528,14 +526,15 @@ void PrintFontManager::countFontconfigFonts( std::unordered_map& o + , eWeightRes == FcResultMatch ? width : -1 + , eSpacRes == FcResultMatch ? spacing : -1 + , eOutRes == FcResultMatch ? outline : -1 ++ , eScalableRes == FcResultMatch ? scalable : -1 + , eFormatRes == FcResultMatch ? (const char*)format : "" + ); + #endif + +-// OSL_ASSERT(eOutRes != FcResultMatch || outline); ++// OSL_ASSERT(eScalableRes != FcResultMatch || scalable); + +- // only outline fonts are usable to psprint anyway +- if( eOutRes == FcResultMatch && ! outline ) ++ // only scalable fonts are usable to psprint anyway ++ if( eScalableRes == FcResultMatch && ! scalable ) + continue; + + if (isPreviouslyDuplicateOrObsoleted(pFSet, i)) +@@ -807,6 +806,11 @@ namespace + #endif + } + ++ bool isEmoji(sal_uInt32 nCurrentChar) ++ { ++ return u_hasBinaryProperty(nCurrentChar, UCHAR_EMOJI); ++ } ++ + //returns true if the given code-point couldn't possibly be in rLangTag. + bool isImpossibleCodePointForLang(const LanguageTag &rLangTag, sal_uInt32 currentChar) + { +@@ -855,6 +859,8 @@ namespace + + OUString getExemplarLangTagForCodePoint(sal_uInt32 currentChar) + { ++ if (isEmoji(currentChar)) ++ return "und-zsye"; + int32_t script = u_getIntPropertyValue(currentChar, UCHAR_SCRIPT); + UScriptCode eScript = static_cast(script); + OStringBuffer aBuf(unicode::getExemplarLanguageForUScriptCode(eScript)); +@@ -981,7 +987,7 @@ void PrintFontManager::Substitute( FontSelectPattern &rPattern, OUString& rMissi + FcCharSetAddChar( codePoints, nCode ); + //if the codepoint is impossible for this lang tag, then clear it + //and autodetect something useful +- if (!aLangAttrib.isEmpty() && isImpossibleCodePointForLang(aLangTag, nCode)) ++ if (!aLangAttrib.isEmpty() && (isImpossibleCodePointForLang(aLangTag, nCode) || isEmoji(nCode))) + aLangAttrib.clear(); + //#i105784#/rhbz#527719 improve selection of fallback font + if (aLangAttrib.isEmpty()) +diff --git a/vcl/unx/generic/glyphs/freetype_glyphcache.cxx b/vcl/unx/generic/glyphs/freetype_glyphcache.cxx +index 5a55ee47bff3..0b03f428c3fa 100644 +--- a/vcl/unx/generic/glyphs/freetype_glyphcache.cxx ++++ b/vcl/unx/generic/glyphs/freetype_glyphcache.cxx +@@ -409,9 +409,9 @@ FreetypeFont::FreetypeFont( const FontSelectPattern& rFSD, FreetypeFontInfo* pFI + + FT_New_Size( maFaceFT, &maSizeFT ); + FT_Activate_Size( maSizeFT ); +- FT_Error rc = FT_Set_Pixel_Sizes( maFaceFT, mnWidth, rFSD.mnHeight ); +- if( rc != FT_Err_Ok ) +- return; ++ /* This might fail for color bitmap fonts, but that is fine since we will ++ * not need any glyph data from FreeType in this case */ ++ /*FT_Error rc = */ FT_Set_Pixel_Sizes( maFaceFT, mnWidth, rFSD.mnHeight ); + + FT_Select_Charmap(maFaceFT, FT_ENCODING_UNICODE); + +diff --git a/vcl/unx/gtk3/gtk3gtkframe.cxx b/vcl/unx/gtk3/gtk3gtkframe.cxx +index 4ee63a98da95..2f80d03f542b 100644 +--- a/vcl/unx/gtk3/gtk3gtkframe.cxx ++++ b/vcl/unx/gtk3/gtk3gtkframe.cxx +@@ -4031,34 +4031,59 @@ void GtkSalFrame::IMHandler::signalIMPreeditChanged( GtkIMContext*, gpointer im_ + pThis->m_bPreeditJustChanged = true; + + bool bEndPreedit = (!pText || !*pText) && pThis->m_aInputEvent.mpTextAttr != nullptr; +- pThis->m_aInputEvent.maText = pText ? OUString( pText, strlen(pText), RTL_TEXTENCODING_UTF8 ) : OUString(); +- pThis->m_aInputEvent.mnCursorPos = nCursorPos; +- pThis->m_aInputEvent.mnCursorFlags = 0; ++ gint nUtf8Len = pText ? strlen(pText) : 0; ++ pThis->m_aInputEvent.maText = pText ? OUString(pText, nUtf8Len, RTL_TEXTENCODING_UTF8) : OUString(); ++ const OUString& rText = pThis->m_aInputEvent.maText; + +- pThis->m_aInputFlags = std::vector( std::max( 1, (int)pThis->m_aInputEvent.maText.getLength() ), ExtTextInputAttr::NONE ); ++ std::vector aUtf16Offsets; ++ for (sal_Int32 nUtf16Offset = 0; nUtf16Offset < rText.getLength(); rText.iterateCodePoints(&nUtf16Offset)) ++ aUtf16Offsets.push_back(nUtf16Offset); ++ ++ sal_Int32 nUtf32Len = aUtf16Offsets.size(); ++ aUtf16Offsets.push_back(rText.getLength()); ++ ++ // sanitize the CurPos which is in utf-32 ++ if (nCursorPos < 0) ++ nCursorPos = 0; ++ else if (nCursorPos > nUtf32Len) ++ nCursorPos = nUtf32Len; ++ ++ pThis->m_aInputEvent.mnCursorPos = aUtf16Offsets[nCursorPos]; ++ pThis->m_aInputEvent.mnCursorFlags = 0; ++ ++ pThis->m_aInputFlags = std::vector( std::max( 1, static_cast(rText.getLength()) ), ExtTextInputAttr::NONE ); + + PangoAttrIterator *iter = pango_attr_list_get_iterator(pAttrs); + do + { + GSList *attr_list = nullptr; + GSList *tmp_list = nullptr; +- gint start, end; ++ gint nUtf8Start, nUtf8End; + ExtTextInputAttr sal_attr = ExtTextInputAttr::NONE; + +- pango_attr_iterator_range (iter, &start, &end); +- if (start == G_MAXINT || end == G_MAXINT) +- { +- auto len = pText ? g_utf8_strlen(pText, -1) : 0; +- if (end == G_MAXINT) +- end = len; +- if (start == G_MAXINT) +- start = len; +- } +- if (end == start) ++ // docs say... "Get the range of the current segment ... the stored ++ // return values are signed, not unsigned like the values in ++ // PangoAttribute", which implies that the units are otherwise the same ++ // as that of PangoAttribute whose docs state these units are "in ++ // bytes" ++ // so this is the utf8 range ++ pango_attr_iterator_range(iter, &nUtf8Start, &nUtf8End); ++ ++ // sanitize the utf8 range ++ nUtf8Start = std::min(nUtf8Start, nUtf8Len); ++ nUtf8End = std::min(nUtf8End, nUtf8Len); ++ if (nUtf8Start >= nUtf8End) + continue; + +- start = g_utf8_pointer_to_offset (pText, pText + start); +- end = g_utf8_pointer_to_offset (pText, pText + end); ++ // get the utf32 range ++ sal_Int32 nUtf32Start = g_utf8_pointer_to_offset(pText, pText + nUtf8Start); ++ sal_Int32 nUtf32End = g_utf8_pointer_to_offset(pText, pText + nUtf8End); ++ ++ // sanitize the utf32 range ++ nUtf32Start = std::min(nUtf32Start, nUtf32Len); ++ nUtf32End = std::min(nUtf32End, nUtf32Len); ++ if (nUtf32Start >= nUtf32End) ++ continue; + + tmp_list = attr_list = pango_attr_iterator_get_attrs (iter); + while (tmp_list) +@@ -4088,11 +4113,12 @@ void GtkSalFrame::IMHandler::signalIMPreeditChanged( GtkIMContext*, gpointer im_ + g_slist_free (attr_list); + + // Set the sal attributes on our text +- for (int i = start; i < end; ++i) ++ // rhbz#1648281 apply over our utf-16 range derived from the input utf-32 range ++ for (sal_Int32 i = aUtf16Offsets[nUtf32Start]; i < aUtf16Offsets[nUtf32End]; ++i) + { + SAL_WARN_IF(i >= static_cast(pThis->m_aInputFlags.size()), + "vcl.gtk3", "pango attrib out of range. Broken range: " +- << start << "," << end << " Legal range: 0," ++ << aUtf16Offsets[nUtf32Start] << "," << aUtf16Offsets[nUtf32End] << " Legal range: 0," + << pThis->m_aInputFlags.size()); + if (i >= static_cast(pThis->m_aInputFlags.size())) + continue; +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9848.patch b/SOURCES/CVE-2019-9848.patch new file mode 100644 index 0000000..59ec30a --- /dev/null +++ b/SOURCES/CVE-2019-9848.patch @@ -0,0 +1,47 @@ +From 3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 7 Jun 2019 14:04:07 +0100 +Subject: [PATCH] explictly exclude LibreLogo from XScript usage + +Change-Id: I567647f0e2f8b82e4ef2995c673abe82f4564228 +Reviewed-on: https://gerrit.libreoffice.org/73708 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +--- + sfx2/source/doc/objmisc.cxx | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index e245800f2fec..beea5170e44d 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1340,6 +1340,16 @@ namespace + } + } + ++namespace { ++ ++// don't allow LibreLogo to be used with our mouseover/etc dom-alike events ++bool UnTrustedScript(const OUString& rScriptURL) ++{ ++ return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); ++} ++ ++} ++ + ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, + const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) + { +@@ -1352,6 +1362,9 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon + if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) + return ERRCODE_IO_ACCESSDENIED; + ++ if ( UnTrustedScript(_rScriptURL) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ + bool bCaughtException = false; + Any aException; + try +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9849.patch b/SOURCES/CVE-2019-9849.patch new file mode 100644 index 0000000..befaf0b --- /dev/null +++ b/SOURCES/CVE-2019-9849.patch @@ -0,0 +1,165 @@ +From 952553d3998a1d6fbb0d197f81b769438a48a372 Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Fri, 7 Jun 2019 09:28:12 +0200 +Subject: [PATCH] More uses of referer URL with SvxBrushItem + +Reviewed-on: https://gerrit.libreoffice.org/73643 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit b518882de8213ef71a8003f95fbdf7689069c06d) +Conflicts: + sw/source/core/text/porfld.cxx + sw/source/core/unocore/unosett.cxx + +Change-Id: I04b524784df4ef453d8b1feec13b62f183a17e23 +Reviewed-on: https://gerrit.libreoffice.org/73860 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +--- + sw/inc/unosett.hxx | 2 +- + sw/source/core/text/porfld.cxx | 4 ++-- + sw/source/core/text/porfld.hxx | 1 + + sw/source/core/text/txtfld.cxx | 12 +++++++++++- + sw/source/core/unocore/unosett.cxx | 15 ++++++++++++--- + .../uibase/config/StoredChapterNumbering.cxx | 2 +- + 6 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx +index 295eb06..185b5bc 100644 +--- a/sw/inc/unosett.hxx ++++ b/sw/inc/unosett.hxx +@@ -210,7 +210,7 @@ public: + + static css::uno::Sequence GetPropertiesForNumFormat( + const SwNumFormat& rFormat, OUString const& rCharFormatName, +- OUString const* pHeadingStyleName); ++ OUString const* pHeadingStyleName, OUString const & referer); + static void SetPropertiesToNumFormat( + SwNumFormat & aFormat, + OUString & rCharStyleName, +diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx +index 7771658..b29cee3 100644 +--- a/sw/source/core/text/porfld.cxx ++++ b/sw/source/core/text/porfld.cxx +@@ -755,7 +755,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet, + + SwGrfNumPortion::SwGrfNumPortion( + const OUString& rGraphicFollowedBy, +- const SvxBrushItem* pGrfBrush, ++ const SvxBrushItem* pGrfBrush, OUString const & referer, + const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize, + const bool bLft, const bool bCntr, const sal_uInt16 nMinDst, + const bool bLabelAlignmentPosAndSpaceModeActive ) : +@@ -769,7 +769,7 @@ SwGrfNumPortion::SwGrfNumPortion( + if( pGrfBrush ) + { + *pBrush = *pGrfBrush; +- const Graphic* pGraph = pGrfBrush->GetGraphic(); ++ const Graphic* pGraph = pGrfBrush->GetGraphic(referer); + if( pGraph ) + SetAnimated( pGraph->IsAnimated() ); + else +diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx +index 38fc089..4ecf25e 100644 +--- a/sw/source/core/text/porfld.hxx ++++ b/sw/source/core/text/porfld.hxx +@@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion + public: + SwGrfNumPortion( const OUString& rGraphicFollowedBy, + const SvxBrushItem* pGrfBrush, ++ OUString const & referer, + const SwFormatVertOrient* pGrfOrient, + const Size& rGrfSize, + const bool bLeft, +diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx +index 6b2b938..14e3968 100644 +--- a/sw/source/core/text/txtfld.cxx ++++ b/sw/source/core/text/txtfld.cxx +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + #include + + static bool lcl_IsInBody( SwFrame const *pFrame ) +@@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con + + if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() ) + { ++ OUString referer; ++ if (auto const sh1 = rInf.GetVsh()) { ++ if (auto const doc = sh1->GetDoc()) { ++ auto const sh2 = doc->GetPersist(); ++ if (sh2 != nullptr && sh2->HasName()) { ++ referer = sh2->GetMedium()->GetName(); ++ } ++ } ++ } + pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(), +- rNumFormat.GetBrush(), ++ rNumFormat.GetBrush(), referer, + rNumFormat.GetGraphicOrientation(), + rNumFormat.GetGraphicSize(), + bLeft, bCenter, nMinDist, +diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx +index f7376b9..44cd118 100644 +--- a/sw/source/core/unocore/unosett.cxx ++++ b/sw/source/core/unocore/unosett.cxx +@@ -55,6 +55,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1316,13 +1317,21 @@ uno::Sequence SwXNumberingRules::GetNumberingRuleByIndex( + SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl); + } + +- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr); ++ OUString referer; ++ if (pDoc != nullptr) { ++ auto const sh = pDoc->GetPersist(); ++ if (sh != nullptr && sh->HasName()) { ++ referer = sh->GetMedium()->GetName(); ++ } ++ } ++ return GetPropertiesForNumFormat( ++ rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr, referer); + + } + + uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat( + const SwNumFormat& rFormat, OUString const& rCharFormatName, +- OUString const*const pHeadingStyleName) ++ OUString const*const pHeadingStyleName, OUString const & referer) + { + bool bChapterNum = pHeadingStyleName != nullptr; + +@@ -1454,7 +1463,7 @@ uno::Sequence SwXNumberingRules::GetPropertiesForNumFormat + //graphicbitmap + const Graphic* pGraphic = nullptr; + if(pBrush ) +- pGraphic = pBrush->GetGraphic(); ++ pGraphic = pBrush->GetGraphic(referer); + if(pGraphic) + { + uno::Reference xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() ); +diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx +index c575863..b972ec5 100644 +--- a/sw/source/uibase/config/StoredChapterNumbering.cxx ++++ b/sw/source/uibase/config/StoredChapterNumbering.cxx +@@ -129,7 +129,7 @@ public: + OUString dummy; // pass in empty HeadingStyleName - can't import anyway + uno::Sequence const ret( + SwXNumberingRules::GetPropertiesForNumFormat( +- *pNumFormat, *pCharStyleName, &dummy)); ++ *pNumFormat, *pCharStyleName, &dummy, "")); + return uno::makeAny(ret); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2019-9850.patch b/SOURCES/CVE-2019-9850.patch new file mode 100644 index 0000000..71209d6 --- /dev/null +++ b/SOURCES/CVE-2019-9850.patch @@ -0,0 +1,68 @@ +From 143eedd298113bb20c2807baa49a4c83c2cef70b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 26 Jul 2019 13:25:31 +0100 +Subject: [PATCH 1/3] decode url escape codes and check each path segment + +Change-Id: Ie8f7cef912e8dacbc2a0bca73534a7a242a53ca1 +Reviewed-on: https://gerrit.libreoffice.org/76378 +Reviewed-by: Stephan Bergmann +Tested-by: Jenkins +(cherry picked from commit 7942929685fafb0f9c82feb8da7279e5103c87f0) +Reviewed-on: https://gerrit.libreoffice.org/76451 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + sfx2/source/doc/objmisc.cxx | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 8594e9522e48..7e9288524b34 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -41,6 +41,8 @@ + #include + #include + #include ++#include ++#include + #include + + #include +@@ -1351,7 +1353,33 @@ namespace { + // don't allow LibreLogo to be used with our mouseover/etc dom-alike events + bool UnTrustedScript(const OUString& rScriptURL) + { +- return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); ++ if (!rScriptURL.startsWith("vnd.sun.star.script:")) ++ return false; ++ ++ // ensure URL Escape Codes are decoded ++ css::uno::Reference uri( ++ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())->parse(rScriptURL)); ++ css::uno::Reference sfUri(uri, css::uno::UNO_QUERY); ++ ++ if (!sfUri.is()) ++ return false; ++ ++ // pyuno encodes path separator as | ++ OUString sScript = sfUri->getName().replace('|', '/'); ++ ++ // check if any path portion matches LibreLogo and ban it if it does ++ sal_Int32 nIndex = 0; ++ do ++ { ++ OUString aToken = sScript.getToken(0, '/', nIndex); ++ if (aToken.startsWithIgnoreAsciiCase("LibreLogo")) ++ { ++ return true; ++ } ++ } ++ while (nIndex >= 0); ++ ++ return false; + } + + } +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9851.patch b/SOURCES/CVE-2019-9851.patch new file mode 100644 index 0000000..82736c7 --- /dev/null +++ b/SOURCES/CVE-2019-9851.patch @@ -0,0 +1,99 @@ +From 292fe2f32df0e9096e63383eb45924eceb2179db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 23 Jul 2019 15:31:05 +0100 +Subject: [PATCH 2/3] expand LibreLogo check to global events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-on: https://gerrit.libreoffice.org/76189 +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 4a66c7eda6ccde26a42c4e31725248c59940255d) + +Change-Id: I7f436983ba0eb4b76b02d08ee52626e54b103d5f +Reviewed-on: https://gerrit.libreoffice.org/76305 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + include/sfx2/objsh.hxx | 2 ++ + sfx2/source/doc/objmisc.cxx | 6 +----- + sfx2/source/notify/eventsupplier.cxx | 18 ++++++++++++------ + 3 files changed, 15 insertions(+), 11 deletions(-) + +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index d04758567c80..ed09fc6e2acb 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -404,6 +404,8 @@ public: + */ + bool AdjustMacroMode(); + ++ static bool UnTrustedScript(const OUString& rScriptURL); ++ + SvKeyValueIterator* GetHeaderAttributes(); + void ClearHeaderAttributesForSourceViewHack(); + void SetHeaderAttributesForSourceViewHack(); +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 7e9288524b34..9b82742302ab 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1348,10 +1348,8 @@ namespace + } + } + +-namespace { +- + // don't allow LibreLogo to be used with our mouseover/etc dom-alike events +-bool UnTrustedScript(const OUString& rScriptURL) ++bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) + { + if (!rScriptURL.startsWith("vnd.sun.star.script:")) + return false; +@@ -1382,8 +1380,6 @@ bool UnTrustedScript(const OUString& rScriptURL) + return false; + } + +-} +- + ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, + const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) + { +diff --git a/sfx2/source/notify/eventsupplier.cxx b/sfx2/source/notify/eventsupplier.cxx +index 78667a1d8036..2656e9c213ec 100644 +--- a/sfx2/source/notify/eventsupplier.cxx ++++ b/sfx2/source/notify/eventsupplier.cxx +@@ -207,18 +207,24 @@ void SfxEvents_Impl::Execute( uno::Any const & aEventData, const document::Docum + else if (aType == "Service" || + aType == "Script") + { +- if ( !aScript.isEmpty() ) ++ bool bAllowed = false; ++ util::URL aURL; ++ if (!aScript.isEmpty()) + { +- SfxViewFrame* pView = pDoc ? +- SfxViewFrame::GetFirst( pDoc ) : +- SfxViewFrame::Current(); +- + uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( ::comphelper::getProcessComponentContext() ) ); + +- util::URL aURL; + aURL.Complete = aScript; + xTrans->parseStrict( aURL ); + ++ bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete); ++ } ++ ++ if (bAllowed) ++ { ++ SfxViewFrame* pView = pDoc ? ++ SfxViewFrame::GetFirst( pDoc ) : ++ SfxViewFrame::Current(); ++ + uno::Reference + < frame::XDispatchProvider > xProv; + +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9852.patch b/SOURCES/CVE-2019-9852.patch new file mode 100644 index 0000000..2333556 --- /dev/null +++ b/SOURCES/CVE-2019-9852.patch @@ -0,0 +1,39 @@ +From 3a827091172b9ce3982323b838ed55d896d585d4 Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Sat, 3 Aug 2019 16:37:48 +0100 +Subject: [PATCH 3/3] keep name percent-encoded +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I470c4b24192c3e3c9b556a9bbb3b084359e0033b +Reviewed-on: https://gerrit.libreoffice.org/77006 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 315c51731384230194af26b86a976bf5d06c9dcc) +Reviewed-on: https://gerrit.libreoffice.org/77090 +Reviewed-by: Thorsten Behrens +Tested-by: Thorsten Behrens +--- + scripting/source/pyprov/pythonscript.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py +index f1b2bfc75ee3..64e1337d642e 100644 +--- a/scripting/source/pyprov/pythonscript.py ++++ b/scripting/source/pyprov/pythonscript.py +@@ -219,7 +219,9 @@ class MyUriHelper: + + # path to the .py file + "$functionname, arguments, etc + xStorageUri = self.m_uriRefFac.parse(scriptURI) +- sStorageUri = xStorageUri.getName().replace( "|", "/" ); ++ # getName will apply url-decoding to the name, so encode back ++ sStorageUri = xStorageUri.getName().replace("%", "%25") ++ sStorageUri = sStorageUri.replace( "|", "/" ) + + # path to the .py file, relative to the base + sFileUri = sStorageUri[0:sStorageUri.find("$")] +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9853.patch b/SOURCES/CVE-2019-9853.patch new file mode 100644 index 0000000..58a6975 --- /dev/null +++ b/SOURCES/CVE-2019-9853.patch @@ -0,0 +1,89 @@ +From 8f98c29cea1e46e5a2bcde10039840145776f56b Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Tue, 6 Aug 2019 13:29:22 +0200 +Subject: [PATCH] Properly obtain location +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8 +Reviewed-on: https://gerrit.libreoffice.org/77019 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42) +Reviewed-on: https://gerrit.libreoffice.org/77024 +Reviewed-by: Caolán McNamara +Reviewed-by: Michael Stahl +Reviewed-by: Christian Lohmaier +Tested-by: Christian Lohmaier +--- + .../source/protocolhandler/scripthandler.cxx | 9 ++++++-- + sfx2/source/doc/objmisc.cxx | 21 +++++++++++-------- + 2 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx +index f8ad8c7fd63d..332d4833a6f2 100644 +--- a/scripting/source/protocolhandler/scripthandler.cxx ++++ b/scripting/source/protocolhandler/scripthandler.cxx +@@ -49,6 +49,7 @@ + + #include + #include ++#include + #include + + #include +@@ -135,8 +136,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification( + { + try + { +- bool bIsDocumentScript = ( aURL.Complete.indexOf( "document" ) !=-1 ); +- // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it? ++ css::uno::Reference urifac( ++ css::uri::UriReferenceFactory::create(m_xContext)); ++ css::uno::Reference uri( ++ urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW); ++ auto const loc = uri->getParameter("location"); ++ bool bIsDocumentScript = loc == "document"; + + if ( bIsDocumentScript ) + { +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 9869f76606bf..08f4d8c21297 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1380,19 +1380,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon + SAL_INFO("sfx", "in CallXScript" ); + ErrCode nErr = ERRCODE_NONE; + +- bool bIsDocumentScript = ( _rScriptURL.indexOf( "location=document" ) >= 0 ); +- // TODO: we should parse the URL, and check whether there is a parameter with this name. +- // Otherwise, we might find too much. +- if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) +- return ERRCODE_IO_ACCESSDENIED; +- +- if ( UnTrustedScript(_rScriptURL) ) +- return ERRCODE_IO_ACCESSDENIED; +- + bool bCaughtException = false; + Any aException; + try + { ++ css::uno::Reference urifac( ++ css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())); ++ css::uno::Reference uri( ++ urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW); ++ auto const loc = uri->getParameter("location"); ++ bool bIsDocumentScript = loc == "document"; ++ if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ ++ if ( UnTrustedScript(_rScriptURL) ) ++ return ERRCODE_IO_ACCESSDENIED; ++ + // obtain/create a script provider + Reference< provider::XScriptProvider > xScriptProvider; + Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY ); +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9854.patch b/SOURCES/CVE-2019-9854.patch new file mode 100644 index 0000000..0d7d3c4 --- /dev/null +++ b/SOURCES/CVE-2019-9854.patch @@ -0,0 +1,86 @@ +From f107a8c90168124462ddd00db015810081d4be2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 12 Aug 2019 20:32:54 +0100 +Subject: [PATCH 1/2] construct final url from parsed output +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ifd733625a439685ad307603eb2b00bf463eb9ca9 +Reviewed-on: https://gerrit.libreoffice.org/77373 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 87959e5deea6d33cd35dbb3b8423056f9566710e) +Reviewed-on: https://gerrit.libreoffice.org/77377 +(cherry picked from commit c03acb9b8a97254cfcf7c45ef920b93b7f1dd344) + +an absolute uri is invalid input + +Change-Id: I392be4282be8ed67e3451b28d2c9f22acd4c87fc +Reviewed-on: https://gerrit.libreoffice.org/77564 +Reviewed-by: Stephan Bergmann +Tested-by: Stephan Bergmann +(cherry picked from commit 3c076e54f736980e208f5c27ecf179aa90aea103) +Reviewed-on: https://gerrit.libreoffice.org/77572 +Tested-by: Jenkins +(cherry picked from commit 5445f7ffd09e891b220dabb19cd013bcf591fc08) + +Improve check for absolute URI + +Change-Id: I4dee44832107f72f8f3fb68554428dc1e646c346 +Reviewed-on: https://gerrit.libreoffice.org/77706 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit c79efeb66f7951305d0334bc288aee1c571a8728) +Reviewed-on: https://gerrit.libreoffice.org/77724 +Reviewed-by: Caolán McNamara +Tested-by: Caolán McNamara +(cherry picked from commit 52f7aa318722bd17c77ee5c4fa8307936e7b53af) +--- + scripting/source/pyprov/pythonscript.py | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py +index 64e1337d642e..acb6184bf437 100644 +--- a/scripting/source/pyprov/pythonscript.py ++++ b/scripting/source/pyprov/pythonscript.py +@@ -224,13 +224,24 @@ class MyUriHelper: + sStorageUri = sStorageUri.replace( "|", "/" ) + + # path to the .py file, relative to the base +- sFileUri = sStorageUri[0:sStorageUri.find("$")] ++ funcNameStart = sStorageUri.find("$") ++ if funcNameStart != -1: ++ sFileUri = sStorageUri[0:funcNameStart] ++ sFuncName = sStorageUri[funcNameStart+1:] ++ else: ++ sFileUri = sStorageUri ++ + xFileUri = self.m_uriRefFac.parse(sFileUri) + if not xFileUri: + message = "pythonscript: invalid relative uri '" + sFileUri+ "'" + log.debug( message ) + raise RuntimeException( message ) + ++ if not xFileUri.hasRelativePath(): ++ message = "pythonscript: an absolute uri is invalid '" + sFileUri+ "'" ++ log.debug( message ) ++ raise RuntimeException( message ) ++ + # absolute path to the .py file + xAbsScriptUri = self.m_uriRefFac.makeAbsolute(xBaseUri, xFileUri, True, RETAIN) + sAbsScriptUri = xAbsScriptUri.getUriReference() +@@ -241,7 +252,9 @@ class MyUriHelper: + log.debug( message ) + raise RuntimeException( message ) + +- ret = sBaseUri + sStorageUri ++ ret = sAbsScriptUri ++ if funcNameStart != -1: ++ ret = ret + "$" + sFuncName + log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret ) + return ret + except UnoException as e: +-- +2.21.0 + diff --git a/SOURCES/CVE-2019-9855.patch b/SOURCES/CVE-2019-9855.patch new file mode 100644 index 0000000..75f64eb --- /dev/null +++ b/SOURCES/CVE-2019-9855.patch @@ -0,0 +1,33 @@ +From 1686c4273b8e0b8218853669e50d4bf405525dde Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Mon, 26 Aug 2019 10:18:09 +0200 +Subject: [PATCH 2/2] Improve check + +Change-Id: I8280a81eef2ced0ff0ace51ea9f094421abafe13 +Reviewed-on: https://gerrit.libreoffice.org/78108 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 761e6dd25782420bf06e4a2ff3205a79b6cbb136) +Reviewed-on: https://gerrit.libreoffice.org/78129 +Reviewed-by: Michael Stahl +(cherry picked from commit ffad51e9e625a22f1efab3da7886baf4134b444f) +--- + sfx2/source/doc/objmisc.cxx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 9b82742302ab..4f2a05909a74 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -1370,7 +1370,7 @@ bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) + do + { + OUString aToken = sScript.getToken(0, '/', nIndex); +- if (aToken.startsWithIgnoreAsciiCase("LibreLogo")) ++ if (aToken.startsWithIgnoreAsciiCase("LibreLogo") || aToken.indexOf('~') != -1) + { + return true; + } +-- +2.21.0 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 658404e..5b60a8e 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -64,7 +64,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 19%{?libo_prerelease}%{?dist} +Release: 20%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -298,6 +298,15 @@ Patch22: 0001-tdf-121203-DOCX-import-fix-loss-of-free-form-text-in.patch Patch23: 0001-keep-pyuno-script-processing-below-base-uri.patch Patch24: 0001-rhbz-1691287-tdf-53029-ui-prompt-for-printer-authent.patch Patch25: 0001-Resolves-rhbz-1715109-add-All-files-to-the-graphic-i.patch +Patch26: CVE-2019-9848.patch +Patch27: CVE-2019-9849.patch +Patch28: CVE-2019-9850.patch +Patch29: CVE-2019-9851.patch +Patch30: CVE-2019-9852.patch +Patch31: CVE-2019-9853.patch +Patch32: CVE-2019-9854.patch +Patch33: CVE-2019-9855.patch +Patch34: 0001-Make-Noto-Color-Emoji-font-work-on-Linux.patch %if 0%{?rhel} # not upstreamed @@ -2330,6 +2339,10 @@ done %{_includedir}/LibreOfficeKit %changelog +* Mon Oct 14 2019 Caolán McNamara - 1:6.0.6.1-20 +- Resolves: rhbz#1743958 CVE-2019-9849, etc. +- Resolves: rhbz#1648281 Junk character gets added when some emojis are inserted + * Mon Aug 19 2019 Caolán McNamara - 1:6.0.6.1-19 - Related: rhbz#1691287 escape backslashes etc in username