rpms/libreoffice
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path

Browse Source
This commit is contained in:
Caolán McNamara 2023-04-12 10:05:59 +01:00
parent cee5c5ddcf
commit 97992112e9
3 changed files with 98 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
0001-CVE-2022-38745.patch Normal file
View File

@ -0,0 +1,93 @@
From 36c5c16b7846ff31f403913ad5cdddf8b22fda43 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Mon, 21 Feb 2022 11:55:21 +0100
Subject: [PATCH] Avoid unnecessary empty -Djava.class.path=
Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
---
.../plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
jvmfwk/source/framework.cxx | 8 ++++++--
jvmfwk/source/fwkbase.cxx | 3 +++
3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
index 4760ab6..ea133ea 100644
--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
@@ -687,17 +687,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
// all versions below 1.5.1
options.emplace_back("abort", reinterpret_cast<void*>(abort_handler));
bool hasStackSize = false;
+#ifdef UNX
+ // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
+ // in the class path in order to have applet support:
+ OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
+#endif
for (int i = 0; i < cOptions; i++)
{
OString opt(arOptions[i].optionString);
#ifdef UNX
- // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
- // in the class path in order to have applet support:
if (opt.startsWith("-Djava.class.path="))
{
- OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
if (!sAddPath.isEmpty())
+ {
opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
+ sAddPath.clear();
+ }
}
#endif
if (opt == "-Xint") {
@@ -742,6 +747,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
}
#endif
}
+#ifdef UNX
+ if (!sAddPath.isEmpty()) {
+ options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
+ }
+#endif
std::unique_ptr<JavaVMOption[]> sarOptions(new JavaVMOption[options.size()]);
for (std::vector<Option>::size_type i = 0; i != options.size(); ++i) {
diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
index 3212030..f532ebd 100644
--- a/jvmfwk/source/framework.cxx
+++ b/jvmfwk/source/framework.cxx
@@ -210,8 +210,12 @@ javaFrameworkError jfw_startVM(
//In direct mode the options are specified by bootstrap variables
//of the form UNO_JAVA_JFW_PARAMETER_1 .. UNO_JAVA_JFW_PARAMETER_n
vmParams = jfw::BootParams::getVMParameters();
- sUserClassPath =
- "-Djava.class.path=" + jfw::BootParams::getClasspath();
+ auto const cp = jfw::BootParams::getClasspath();
+ if (!cp.isEmpty())
+ {
+ sUserClassPath =
+ "-Djava.class.path=" + cp;
+ }
}
else
OSL_ASSERT(false);
diff --git a/jvmfwk/source/fwkbase.cxx b/jvmfwk/source/fwkbase.cxx
index ece4dd2..93c32a7 100644
--- a/jvmfwk/source/fwkbase.cxx
+++ b/jvmfwk/source/fwkbase.cxx
@@ -460,6 +460,9 @@ OString makeClassPathOption(OUString const & sUserClassPath)
sPaths = OUStringToOString(
sBufCP.makeStringAndClear(), osl_getThreadTextEncoding());
+ if (sPaths.isEmpty()) {
+ return "";
+ }
OString sOptionClassPath = "-Djava.class.path=" + sPaths;
return sOptionClassPath;
--
2.39.2

6
libreoffice.spec
View File

@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite
Name: libreoffice Name: libreoffice
Epoch: 1 Epoch: 1
Version: %{libo_version}.2 Version: %{libo_version}.2
Release: 13%{?libo_prerelease}%{?dist} Release: 14%{?libo_prerelease}%{?dist}
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
URL: http://www.libreoffice.org/ URL: http://www.libreoffice.org/
@ -285,6 +285,7 @@ Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch
Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch
Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch
Patch44: 0001-CVE-2022-3140.patch Patch44: 0001-CVE-2022-3140.patch
Patch45: 0001-CVE-2022-38745.patch
%if 0%{?rhel} %if 0%{?rhel}
# not upstreamed # not upstreamed
@ -2287,6 +2288,9 @@ done
%{_includedir}/LibreOfficeKit %{_includedir}/LibreOfficeKit
%changelog %changelog
* Wed Apr 12 2023 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-14
- Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path
* Mon Nov 21 2022 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-13 * Mon Nov 21 2022 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-13
- Resolves: rhbz#2031681 Failure saving to smb share - Resolves: rhbz#2031681 Failure saving to smb share

1
sources
View File

@ -2,7 +2,6 @@ SHA512 (17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip) = a231eba4a1baca11766
SHA512 (185d60944ea767075d27247c3162b3bc-unowinreg.dll) = 854b8ae29b57b40ba6bb6ff66e723a0e8dad053fcc2849f0ad763cd8a31352f4aeba9636fd4e3f0f2a0cd985a6f49b4261b9ace68d6be821ed42cfa7a73eb13c SHA512 (185d60944ea767075d27247c3162b3bc-unowinreg.dll) = 854b8ae29b57b40ba6bb6ff66e723a0e8dad053fcc2849f0ad763cd8a31352f4aeba9636fd4e3f0f2a0cd985a6f49b4261b9ace68d6be821ed42cfa7a73eb13c
SHA512 (884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf) = ce7e23e750f2c6f7ff2e590cc8941caa18eaae2727c9ca31313ab72ab19278055bd9393d38b0b5b685594e2f04ee15cb83b3bbb25d09665fe7383d7f26bf2ae8 SHA512 (884ed41809687c3e168fc7c19b16585149ff058eca79acbf3ee784f6630704cc-opens___.ttf) = ce7e23e750f2c6f7ff2e590cc8941caa18eaae2727c9ca31313ab72ab19278055bd9393d38b0b5b685594e2f04ee15cb83b3bbb25d09665fe7383d7f26bf2ae8
SHA512 (a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip) = 2d3835f7ac356805025cafedcad97faa48d0f5da386e6ac7b7451030059df8e2fdb0861ade07a576ebf9fb5b88a973585ab0437944b06aac9289d6898ba8586a SHA512 (a7983f859eafb2677d7ff386a023bc40-xsltml_2.1.2.zip) = 2d3835f7ac356805025cafedcad97faa48d0f5da386e6ac7b7451030059df8e2fdb0861ade07a576ebf9fb5b88a973585ab0437944b06aac9289d6898ba8586a
SHA512 (gpgkey-C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3.gpg.asc) = 103ff61dc18b82b5a14fbcbf0886d2e094766000593df6f0b6db4b875bde9eb29c1db0b70708a25156e3c0d9b916ef7a1546afcb388781973c3a24676cc2c495
SHA512 (libreoffice-6.4.7.2.tar.xz) = ba6ff5948624d7a76025406c38728d643be656091d79320a1c5ddba10000411662951a0b02de7a9e796e76d8185b6e9113882406bb0c1452b4c988ac3095afa8 SHA512 (libreoffice-6.4.7.2.tar.xz) = ba6ff5948624d7a76025406c38728d643be656091d79320a1c5ddba10000411662951a0b02de7a9e796e76d8185b6e9113882406bb0c1452b4c988ac3095afa8
SHA512 (libreoffice-help-6.4.7.2.tar.xz) = a5381a8cca9988998dc01d3815869e47193c1da814b714cbedb51a2099f7dc5444315c657e32defab2eb0b9a9e2a922bc4c5fbc36b7a2b60e7c551887a9cdbb3 SHA512 (libreoffice-help-6.4.7.2.tar.xz) = a5381a8cca9988998dc01d3815869e47193c1da814b714cbedb51a2099f7dc5444315c657e32defab2eb0b9a9e2a922bc4c5fbc36b7a2b60e7c551887a9cdbb3
SHA512 (libreoffice-translations-6.4.7.2.tar.xz) = 94d809c257f50c231696fabd268e18f500cd6c8d0fd24a8c5be687e884116369281f4d960219b3c22c740fc5c4ef1f49fdf3b415a868e6c156fab3c96a5dc69e SHA512 (libreoffice-translations-6.4.7.2.tar.xz) = 94d809c257f50c231696fabd268e18f500cd6c8d0fd24a8c5be687e884116369281f4d960219b3c22c740fc5c4ef1f49fdf3b415a868e6c156fab3c96a5dc69e