rpms/libreoffice
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#2208510 CVE-2023-1183 libreoffice: Arbitrary File Write

Browse Source
This commit is contained in:
Stephan Bergmann 2023-06-20 13:48:07 +02:00
parent 2300ca9110
commit 1f362be408
2 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
0001-disable-script-dump.patch Normal file
View File

@ -0,0 +1,99 @@
From 78111bfd799914b4a39a9f3022f5028234c609bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Mon, 13 Feb 2023 13:56:10 +0000
Subject: [PATCH] disable script dump
Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146986
Tested-by: Jenkins
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147051
Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147256
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit c948c8d3bb1433cde46319f3bb81693912371aea)
---
.../source/drivers/hsqldb/HDriver.cxx | 31 +++++++++++++++++++
external/hsqldb/UnpackedTarball_hsqldb.mk | 1 +
.../hsqldb/patches/disable-dump-script.patch | 14 +++++++++
3 files changed, 46 insertions(+)
create mode 100644 external/hsqldb/patches/disable-dump-script.patch
diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx
index 6ff0f539407b..eee39911a255 100644
--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
+++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
@@ -290,6 +290,37 @@ namespace connectivity
} // if ( xStream.is() )
::comphelper::disposeComponent(xStream);
}
+
+ // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
+ // in that bundled hsqldb 1.8.0 is patched to also reject them)
+ //
+ // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
+ // which seems to provide a builtin way to do this with contemporary hsqldb
+ const OUString sScript( "script" );
+ if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
+ {
+ Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
+ if (xStream.is())
+ {
+ std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
+ if (pStream)
+ {
+ OString sLine;
+ while (pStream->ReadLine(sLine))
+ {
+ OString sText = sLine.trim();
+ if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
+ {
+ ::connectivity::SharedResources aResources;
+ sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
+ break;
+ }
+ }
+ }
+ } // if ( xStream.is() )
+ ::comphelper::disposeComponent(xStream);
+ }
+
}
catch(Exception&)
{
diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk
index cbba770f19a0..ed262cccf4ca 100644
--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
+++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
external/hsqldb/patches/jdbc-4.1.patch \
external/hsqldb/patches/multipleResultSets.patch \
) \
+ external/hsqldb/patches/disable-dump-script.patch \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch
new file mode 100644
index 000000000000..401dd38abc9a
--- /dev/null
+++ b/external/hsqldb/patches/disable-dump-script.patch
@@ -0,0 +1,14 @@
+--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000
++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000
+@@ -403,6 +403,11 @@
+ throw Trace.error(Trace.INVALID_IDENTIFIER);
+ }
+
++ // added condition to avoid execution of spurious command in .script or .log file
++ if (session.isProcessingScript() || session.isProcessingLog()) {
++ return new Result(ResultConstants.UPDATECOUNT);
++ }
++
+ dsw = new ScriptWriterText(database, token, true, true, true);
+
+ dsw.writeAll();
--
2.41.0

4
libreoffice.spec
View File

@ -288,6 +288,7 @@ Patch32: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch
Patch33: 0001-set-Referer-on-loading-IFrames.patch Patch33: 0001-set-Referer-on-loading-IFrames.patch
Patch34: 0002-put-floating-frames-under-managed-links-control.patch Patch34: 0002-put-floating-frames-under-managed-links-control.patch
Patch35: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch Patch35: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
Patch36: 0001-disable-script-dump.patch
# not upstreamed # not upstreamed
Patch500: 0001-disable-libe-book-support.patch Patch500: 0001-disable-libe-book-support.patch
@ -2284,11 +2285,12 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || :
%{_includedir}/LibreOfficeKit %{_includedir}/LibreOfficeKit
%changelog %changelog
* Tue Jun 20 2023 Stephan Bergmann <sbergman@redhat.com> - 1:7.1.8.1-11 UNBUILT * Tue Jun 20 2023 Stephan Bergmann <sbergman@redhat.com> - 1:7.1.8.1-11
- Resolves: rhbz#2210193 CVE-2023-0950 Array Index UnderFlow in Calc Formula - Resolves: rhbz#2210193 CVE-2023-0950 Array Index UnderFlow in Calc Formula
Parsing Parsing
- Resolves: rhbz#2210197 CVE-2023-2255 libreoffice: Remote documents loaded - Resolves: rhbz#2210197 CVE-2023-2255 libreoffice: Remote documents loaded
without prompt via IFrame without prompt via IFrame
- Resolves: rhbz#2208510 CVE-2023-1183 libreoffice: Arbitrary File Write
* Tue May 16 2023 Stephan Bergmann <sbergman@redhat.com> - 1:7.1.8.1-10 * Tue May 16 2023 Stephan Bergmann <sbergman@redhat.com> - 1:7.1.8.1-10
- Fix erroneous libreoffice-ure dependencies - Fix erroneous libreoffice-ure dependencies