From 1f362be4086cd5152c898da7babaf573a11df700 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 20 Jun 2023 13:48:07 +0200 Subject: [PATCH] Resolves: rhbz#2208510 CVE-2023-1183 libreoffice: Arbitrary File Write --- 0001-disable-script-dump.patch | 99 ++++++++++++++++++++++++++++++++++ libreoffice.spec | 4 +- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 0001-disable-script-dump.patch diff --git a/0001-disable-script-dump.patch b/0001-disable-script-dump.patch new file mode 100644 index 0000000..80a5eb9 --- /dev/null +++ b/0001-disable-script-dump.patch @@ -0,0 +1,99 @@ +From 78111bfd799914b4a39a9f3022f5028234c609bf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 13 Feb 2023 13:56:10 +0000 +Subject: [PATCH] disable script dump + +Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146986 +Tested-by: Jenkins +Reviewed-by: Thorsten Behrens +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147051 +Tested-by: Thorsten Behrens +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147256 +Tested-by: Jenkins CollaboraOffice +Reviewed-by: Andras Timar +(cherry picked from commit c948c8d3bb1433cde46319f3bb81693912371aea) +--- + .../source/drivers/hsqldb/HDriver.cxx | 31 +++++++++++++++++++ + external/hsqldb/UnpackedTarball_hsqldb.mk | 1 + + .../hsqldb/patches/disable-dump-script.patch | 14 +++++++++ + 3 files changed, 46 insertions(+) + create mode 100644 external/hsqldb/patches/disable-dump-script.patch + +diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx +index 6ff0f539407b..eee39911a255 100644 +--- a/connectivity/source/drivers/hsqldb/HDriver.cxx ++++ b/connectivity/source/drivers/hsqldb/HDriver.cxx +@@ -290,6 +290,37 @@ namespace connectivity + } // if ( xStream.is() ) + ::comphelper::disposeComponent(xStream); + } ++ ++ // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces ++ // in that bundled hsqldb 1.8.0 is patched to also reject them) ++ // ++ // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data ++ // which seems to provide a builtin way to do this with contemporary hsqldb ++ const OUString sScript( "script" ); ++ if (!bIsNewDatabase && xStorage->isStreamElement(sScript)) ++ { ++ Reference xStream = xStorage->openStreamElement(sScript, ElementModes::READ); ++ if (xStream.is()) ++ { ++ std::unique_ptr pStream(::utl::UcbStreamHelper::CreateStream(xStream)); ++ if (pStream) ++ { ++ OString sLine; ++ while (pStream->ReadLine(sLine)) ++ { ++ OString sText = sLine.trim(); ++ if (sText.startsWithIgnoreAsciiCase("SCRIPT")) ++ { ++ ::connectivity::SharedResources aResources; ++ sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath); ++ break; ++ } ++ } ++ } ++ } // if ( xStream.is() ) ++ ::comphelper::disposeComponent(xStream); ++ } ++ + } + catch(Exception&) + { +diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk +index cbba770f19a0..ed262cccf4ca 100644 +--- a/external/hsqldb/UnpackedTarball_hsqldb.mk ++++ b/external/hsqldb/UnpackedTarball_hsqldb.mk +@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\ + external/hsqldb/patches/jdbc-4.1.patch \ + external/hsqldb/patches/multipleResultSets.patch \ + ) \ ++ external/hsqldb/patches/disable-dump-script.patch \ + )) + + # vim: set noet sw=4 ts=4: +diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch +new file mode 100644 +index 000000000000..401dd38abc9a +--- /dev/null ++++ b/external/hsqldb/patches/disable-dump-script.patch +@@ -0,0 +1,14 @@ ++--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000 +++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000 ++@@ -403,6 +403,11 @@ ++ throw Trace.error(Trace.INVALID_IDENTIFIER); ++ } ++ +++ // added condition to avoid execution of spurious command in .script or .log file +++ if (session.isProcessingScript() || session.isProcessingLog()) { +++ return new Result(ResultConstants.UPDATECOUNT); +++ } +++ ++ dsw = new ScriptWriterText(database, token, true, true, true); ++ ++ dsw.writeAll(); +-- +2.41.0 + diff --git a/libreoffice.spec b/libreoffice.spec index 35599ed..7ba13b1 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -288,6 +288,7 @@ Patch32: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch Patch33: 0001-set-Referer-on-loading-IFrames.patch Patch34: 0002-put-floating-frames-under-managed-links-control.patch Patch35: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch +Patch36: 0001-disable-script-dump.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -2284,11 +2285,12 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog -* Tue Jun 20 2023 Stephan Bergmann - 1:7.1.8.1-11 UNBUILT +* Tue Jun 20 2023 Stephan Bergmann - 1:7.1.8.1-11 - Resolves: rhbz#2210193 CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing - Resolves: rhbz#2210197 CVE-2023-2255 libreoffice: Remote documents loaded without prompt via IFrame +- Resolves: rhbz#2208510 CVE-2023-1183 libreoffice: Arbitrary File Write * Tue May 16 2023 Stephan Bergmann - 1:7.1.8.1-10 - Fix erroneous libreoffice-ure dependencies