From 8293a300d5bcc681c23189ef402a1b3be8ad3ce0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= Date: Tue, 22 Feb 2022 11:37:43 +0000 Subject: [PATCH] Resolves: rhbz#2056412 merge in fedoa 34 changes --- 0001-CVE-2021-25636.patch | 69 +++++++++++++++++++ ...pl-copy-ctor-doesn-t-exactly-copy-Ed.patch | 53 ++++++++++++++ libreoffice.spec | 7 +- 3 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 0001-CVE-2021-25636.patch create mode 100644 0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch diff --git a/0001-CVE-2021-25636.patch b/0001-CVE-2021-25636.patch new file mode 100644 index 0000000..9ec1f6a --- /dev/null +++ b/0001-CVE-2021-25636.patch @@ -0,0 +1,69 @@ +From 26c9da40d44f1469df97398362667c74553be7d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 20 Dec 2021 17:05:44 +0000 +Subject: [PATCH] only use X509Data + +Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178 +Reviewed-by: Adolfo Jayme Barrientos +(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139) +--- + .../source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx | 6 ++++++ + xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx +index c699c950f351..9f816479f9dd 100644 +--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx ++++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx +@@ -22,6 +22,8 @@ + #include + #include + ++#include ++ + #include + #include + +@@ -233,6 +235,10 @@ SAL_CALL XMLSignature_MSCryptImpl::validate( + // We do certificate verification ourselves. + pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; + ++ // limit possible key data to valid X509 certificates only, no KeyValues ++ if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecMSCngKeyDataX509GetKlass()) < 0) ++ throw RuntimeException("failed to limit allowed key data"); ++ + //Verify signature + //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0) + //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if +diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx +index b41d754f7407..975c17272dc7 100644 +--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx ++++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx +@@ -20,6 +20,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -247,6 +249,10 @@ SAL_CALL XMLSignature_NssImpl::validate( + // We do certificate verification ourselves. + pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; + ++ // limit possible key data to valid X509 certificates only, no KeyValues ++ if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0) ++ throw RuntimeException("failed to limit allowed key data"); ++ + //Verify signature + int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode ); + +-- +2.35.1 + diff --git a/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch b/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch new file mode 100644 index 0000000..c4b0fff --- /dev/null +++ b/0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch @@ -0,0 +1,53 @@ +From 3925cf39742ebee935498b14571f13f3e8b64b49 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Sat, 19 Feb 2022 20:43:33 +0000 +Subject: [PATCH] EditTextObjectImpl copy ctor doesn't exactly copy + EditTextObjectImpl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +and this is apparently relied on, so eliding the copy gives unexpected +results. + +EditTextObjectImpl::Clone returns a copy of *this, but the +EditTextObjectImpl copy ctor explicitly does not copy the "PortionInfo" +member, so in: + +commit fb8973f31f111229be5184f4e4223e963ced2c7b +Author: Caolán McNamara +Date: Sat Oct 10 19:21:38 2020 +0100 + + ofz#23492 the only user of this ctor throws away the original of the clone + + so we can take ownership of the original instead + +where the copy was optimized away we want from a state where there was a +new EditTextObjectImpl with an empty PortionInfo member to one where the +PortionInfo of the EditTextObjectImpl was retained. + +So explicitly clear this unwanted info. + +It's very hard to make rational judgements about code if a copy behaves +differently than the orignal :-( + +Change-Id: I642d60841d6bdccbf830f8a2ccdbd9f542a8aa18 +--- + editeng/source/outliner/outliner.cxx | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/editeng/source/outliner/outliner.cxx b/editeng/source/outliner/outliner.cxx +index 9c474131352c..d48e4a542723 100644 +--- a/editeng/source/outliner/outliner.cxx ++++ b/editeng/source/outliner/outliner.cxx +@@ -383,6 +383,7 @@ std::unique_ptr Outliner::CreateParaObject( sal_Int32 nStart + aParagraphDataVector[nPara-nStartPara] = *GetParagraph(nPara); + } + ++ xText->ClearPortionInfo(); // tdf#147166 the PortionInfo is unwanted here + std::unique_ptr pPObj(new OutlinerParaObject(std::move(xText), aParagraphDataVector, bIsEditDoc)); + pPObj->SetOutlinerMode(GetMode()); + +-- +2.35.1 + diff --git a/libreoffice.spec b/libreoffice.spec index 9505646..2c3c1e4 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -57,7 +57,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 5%{?libo_prerelease}%{?dist} +Release: 6%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -271,6 +271,8 @@ Patch15: 0001-Resolves-tdf-140250-don-t-share-adjustments-between-.patch Patch16: 0001-fix-comparison-when-searching-cache.patch Patch17: 0001-tdf-121546-sw-don-t-use-undo-array-s-m_pOutlineNodes.patch Patch18: 0001-annocheck-warning-about-missing-.note.gnu.property-s.patch +Patch19: 0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch +Patch20: 0001-CVE-2021-25636.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -2267,6 +2269,9 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog +* Tue Feb 22 2022 Caolán McNamara - 1:7.1.8.1-6 +- Resolves: rhbz#2056412 merge in fedoa 34 changes + * Thu Feb 10 2022 Caolán McNamara - 1:7.1.8.1-5 - Related: rhbz#2042817 bump n-v-r