From 938de2979d80d0c5ffeb83a96bac0c2926ceae38 Mon Sep 17 00:00:00 2001 
From: eabdullin
Date: Tue, 20 Aug 2024 12:20:16 +0000
Subject: [PATCH] Import from CS git
---
 .gitignore | 8 -
 .libreoffice.metadata | 8 -
 SOURCES/0001-CVE-2022-38745.patch | 93 ++
 ...-6185-escape-url-passed-to-gstreamer.patch | 69 ++
 ...ls-that-don-t-make-sense-as-floating.patch | 93 ++
 ...-2024-3044-add-notify-for-script-use.patch | 29 +
 ...o-trust-not-validated-macro-signatur.patch | 81 ++
 ...parameter-count-for-OR-AND-and-1-par.patch | 80 ++
 SOURCES/0001-disable-script-dump.patch | 99 ++
 .../0001-set-Referer-on-loading-IFrames.patch | 93 ++
 ...-warn-about-exotic-protocols-as-well.patch | 87 ++
 ...ty-belt-before-fishing-in-muddy-wate.patch | 82 ++
 ...g-frames-under-managed-links-control.patch | 907 ++++++++++++++++++
 ...-a-result-even-if-it-s-only-an-error.patch | 50 +
 ...ing-libreoffice-special-purpose-prot.patch | 225 +++++
 ...me-script-macro-support-isn-t-needed.patch | 54 ++
 ...edLinkProtocolFromDocument-in-writer.patch | 281 ++++++
 ...kProtocolFromDocument-in-impress-dra.patch | 87 ++
 SOURCES/0006-CVE-2023-6186-backporting.patch | 65 ++
 ...CAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc | 51 +
 SOURCES/libreoffice-base-symbolic.svg | 27 +
 SOURCES/libreoffice-calc-symbolic.svg | 27 +
 SOURCES/libreoffice-draw-symbolic.svg | 26 +
 SOURCES/libreoffice-impress-symbolic.svg | 25 +
 SOURCES/libreoffice-main-symbolic.svg | 24 +
 SOURCES/libreoffice-math-symbolic.svg | 25 +
 SOURCES/libreoffice-writer-symbolic.svg | 28 +
 SPECS/libreoffice.spec | 44 +-
 28 files changed, 2751 insertions(+), 17 deletions(-)
 create mode 100644 SOURCES/0001-CVE-2022-38745.patch
 create mode 100644 SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
 create mode 100644 SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch
 create mode 100644 SOURCES/0001-CVE-2024-3044-add-notify-for-script-use.patch
 create mode 100644 SOURCES/0001-CVE-2024-6472-remove-ability-to-trust-not-validated-macro-signatur.patch
 create mode 100644 SOURCES/0001-Obtain-actual-0-parameter-count-for-OR-AND-and-1-par.patch
 create mode 100644 SOURCES/0001-disable-script-dump.patch
 create mode 100644 SOURCES/0001-set-Referer-on-loading-IFrames.patch
 create mode 100644 SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch
 create mode 100644 SOURCES/0002-Stack-check-safety-belt-before-fishing-in-muddy-wate.patch
 create mode 100644 SOURCES/0002-put-floating-frames-under-managed-links-control.patch
 create mode 100644 SOURCES/0003-Always-push-a-result-even-if-it-s-only-an-error.patch
 create mode 100644 SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
 create mode 100644 SOURCES/0003-assume-IFrame-script-macro-support-isn-t-needed.patch
 create mode 100644 SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch
 create mode 100644 SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch
 create mode 100644 SOURCES/0006-CVE-2023-6186-backporting.patch
 create mode 100644 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 create mode 100644 SOURCES/libreoffice-base-symbolic.svg
 create mode 100644 SOURCES/libreoffice-calc-symbolic.svg
 create mode 100644 SOURCES/libreoffice-draw-symbolic.svg
 create mode 100644 SOURCES/libreoffice-impress-symbolic.svg
 create mode 100644 SOURCES/libreoffice-main-symbolic.svg
 create mode 100644 SOURCES/libreoffice-math-symbolic.svg
 create mode 100644 SOURCES/libreoffice-writer-symbolic.svg
diff --git a/.gitignore b/.gitignore
index 07521f7..6c83dfd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,14 +2,6 @@ SOURCES/17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 SOURCES/185d60944ea767075d27247c3162b3bc-unowinreg.dll
 SOURCES/884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf
 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
-SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 SOURCES/libreoffice-6.4.7.2.tar.xz
-SOURCES/libreoffice-base-symbolic.svg
-SOURCES/libreoffice-calc-symbolic.svg
-SOURCES/libreoffice-draw-symbolic.svg
 SOURCES/libreoffice-help-6.4.7.2.tar.xz
-SOURCES/libreoffice-impress-symbolic.svg
-SOURCES/libreoffice-main-symbolic.svg
-SOURCES/libreoffice-math-symbolic.svg
 SOURCES/libreoffice-translations-6.4.7.2.tar.xz
-SOURCES/libreoffice-writer-symbolic.svg
diff --git a/.libreoffice.metadata b/.libreoffice.metadata
index 21d524c..1ecf977 100644
--- a/.libreoffice.metadata
+++ b/.libreoffice.metadata
@@ -2,14 +2,6 @@
 0619ed3a89644bef318df67db12045b2b590585b SOURCES/185d60944ea767075d27247c3162b3bc-unowinreg.dll
 d336802a36ed2c87dd243e7c2f1d0542dace5cca SOURCES/884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf
 2d49e11b0b711970f494294dc3698f05eb294853 SOURCES/a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip
-7b5fd93d787fbc6d9c2d4025d543730ee8dc4559 SOURCES/gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc
 b29d8cdb3db8d6b317e1cb9117b020d7e676e601 SOURCES/libreoffice-6.4.7.2.tar.xz
-54fc749ba924f9ca4e0391caaf579ab344302038 SOURCES/libreoffice-base-symbolic.svg
-9de544172d736d59589767000c1f657034a5d53d SOURCES/libreoffice-calc-symbolic.svg
-0f6dc4726da0920869354fbe4b2924f9ac569b4a SOURCES/libreoffice-draw-symbolic.svg
 ca7e087ef62f30c033db84ceb0f6a4021f53653e SOURCES/libreoffice-help-6.4.7.2.tar.xz
-8c74dd667c660cc643c4d715dd50491ba92146d5 SOURCES/libreoffice-impress-symbolic.svg
-c77acd04a7647b09745f9424ab0f65d52dfcd397 SOURCES/libreoffice-main-symbolic.svg
-3857a55644148eb25ed1a594bd00d1262761fb39 SOURCES/libreoffice-math-symbolic.svg
 0f74fd6286e71ff2b7c7bc01f41c8972e354d81c SOURCES/libreoffice-translations-6.4.7.2.tar.xz
-d4f0674ad46a832120db956cc01a27fdc2060458 SOURCES/libreoffice-writer-symbolic.svg
diff --git a/SOURCES/0001-CVE-2022-38745.patch b/SOURCES/0001-CVE-2022-38745.patch
new file mode 100644
index 0000000..2f8d64d
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-38745.patch
@@ -0,0 +1,93 @@
+From 36c5c16b7846ff31f403913ad5cdddf8b22fda43 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: [PATCH] Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann
+---
+ .../plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
+ jvmfwk/source/framework.cxx | 8 ++++++--
+ jvmfwk/source/fwkbase.cxx | 3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 4760ab6..ea133ea 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
++++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -687,17 +687,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ // all versions below 1.5.1
+ options.emplace_back("abort", reinterpret_cast(abort_handler));
+ bool hasStackSize = false;
++#ifdef UNX
++ // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++ // in the class path in order to have applet support:
++ OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
++#endif
+ for (int i = 0; i < cOptions; i++)
+ {
+ OString opt(arOptions[i].optionString);
+ #ifdef UNX
+- // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
+- // in the class path in order to have applet support:
+ if (opt.startsWith("-Djava.class.path="))
+ {
+- OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
+ if (!sAddPath.isEmpty())
++ {
+ opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++ sAddPath.clear();
++ }
+ }
+ #endif
+ if (opt == "-Xint") {
+@@ -742,6 +747,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ }
+ #endif
+ }
++#ifdef UNX
++ if (!sAddPath.isEmpty()) {
++ options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++ }
++#endif
+
+ std::unique_ptr sarOptions(new JavaVMOption[options.size()]);
+ for (std::vector