From b867cb88a31bcaa574580cc370236101cca488cb Mon Sep 17 00:00:00 2001 From: Eduard Abdullin <55892454+eabdullin1@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:55:31 +0300 Subject: [PATCH] - escape url passed to gstreamer - add some protocols that don't make sense as floating frame targets - warn about exotic protocols as well - default to ignoring libreoffice special-purpose protocols in calc hyperlink - reuse AllowedLinkProtocolFromDocument in writer - reuse AllowedLinkProtocolFromDocument in impress/draw - CVE-2023-6186 backporting --- ...-6185-escape-url-passed-to-gstreamer.patch | 69 +++++ ...ls-that-don-t-make-sense-as-floating.patch | 93 ++++++ ...-warn-about-exotic-protocols-as-well.patch | 100 +++++++ ...ing-libreoffice-special-purpose-prot.patch | 239 +++++++++++++++ ...edLinkProtocolFromDocument-in-writer.patch | 281 ++++++++++++++++++ ...kProtocolFromDocument-in-impress-dra.patch | 99 ++++++ SOURCES/0006-CVE-2023-6186-backporting.patch | 65 ++++ SPECS/libreoffice.spec | 44 ++- 8 files changed, 978 insertions(+), 12 deletions(-) create mode 100644 SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch create mode 100644 SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch create mode 100644 SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch create mode 100644 SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch create mode 100644 SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch create mode 100644 SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch create mode 100644 SOURCES/0006-CVE-2023-6186-backporting.patch diff --git a/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch new file mode 100644 index 0000000..9df483c --- /dev/null +++ b/SOURCES/0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch 
@@ -0,0 +1,69 @@ +From 6167f5815aefa78a70517c8e2acbdd7b9c9be27d Mon Sep 17 00:00:00 2001 +Message-ID: <6167f5815aefa78a70517c8e2acbdd7b9c9be27d.1703003067.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 14:20:07 +0000 +Subject: [PATCH] escape url passed to gstreamer +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158894 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit f41dcadf6492a6ffd32696d50f818e44355b9ad9) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159583 + +erAck: backported to 7.1.8.1 + +--- + avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0001-escape-url-passed-to-gstreamer.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0001-escape-url-passed-to-gstreamer.patch" + +diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx +index ece799d87530..25170a296e66 100644 +--- a/avmedia/source/gstreamer/gstframegrabber.cxx ++++ b/avmedia/source/gstreamer/gstframegrabber.cxx +@@ -51,11 +51,9 @@ void FrameGrabber::disposePipeline() + FrameGrabber::FrameGrabber( const OUString &rURL ) : + FrameGrabber_BASE() + { +- gchar *pPipelineStr; +- pPipelineStr = g_strdup_printf( +- "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink " +- "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"", +- OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() ); ++ const char pPipelineStr[] = ++ "uridecodebin name=source ! videoconvert ! videoscale ! 
appsink " ++ "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\""; + + GError *pError = nullptr; + mpPipeline = gst_parse_launch( pPipelineStr, &pError ); +@@ -66,6 +64,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) : + } + + if( mpPipeline ) { ++ ++ if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source")) ++ g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr); ++ else ++ g_warning("Missing 'source' element in gstreamer pipeline"); ++ + // pre-roll + switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) { + case GST_STATE_CHANGE_FAILURE: + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch new file mode 100644 index 0000000..22947a9 --- /dev/null +++ b/SOURCES/0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch 
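Review bot: In the `if( mpPipeline )` block of avmedia/source/gstreamer/gstframegrabber.cxx, the element returned by `gst_bin_get_by_name` is never released; that call hands the caller its own reference, so each FrameGrabber leaks one on the `source` element. Brace the branch and add `gst_object_unref(pUriDecode);` after the `g_object_set` call. Setting `uri` as a property instead of formatting it into the string given to `gst_parse_launch` is what keeps document-supplied text out of the pipeline description, and a one-line comment saying so above `pPipelineStr` would stop a later edit from re-introducing the `%s`. When the element is missing the code only warns and still pre-rolls a pipeline with no URI, which is probably harmless but worth confirming. The constructor body continues past the end of the hunk.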
@@ -0,0 +1,93 @@ +From 37d73a1ab94b43e03866d5a910cb58331543b8c3 Mon Sep 17 00:00:00 2001 +Message-ID: <37d73a1ab94b43e03866d5a910cb58331543b8c3.1703086247.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 17:14:26 +0000 +Subject: [PATCH] add some protocols that don't make sense as floating frame + targets +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158900 +Reviewed-by: Michael Stahl +(cherry picked from commit bab433911bdecb344f7ea94dbd00690241a08c54) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159582 + +erAck: backported to 7.1.8.1 + +--- + include/tools/urlobj.hxx | 5 +++++ + sfx2/source/doc/iframe.cxx | 5 ++++- + tools/source/fsys/urlobj.cxx | 8 ++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0001-add-some-protocols-that-don-t-make-sense-as-floating.patch" + +diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx +index 9d6820ddf241..dfd658722826 100644 +--- a/include/tools/urlobj.hxx ++++ b/include/tools/urlobj.hxx +@@ -915,6 +915,11 @@ public: + + void changeScheme(INetProtocol eTargetScheme); + ++ // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot, ++ // vnd.sun.star.script, etc. 
All the types of URLs which shouldn't ++ // be accepted from an outside controlled source ++ bool IsExoticProtocol() const; ++ + private: + // General Structure: + +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index 150218b436e9..b81ce82fd32e 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -168,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load( + xTrans->parseStrict( aTargetURL ); + + INetURLObject aURLObject(aTargetURL.Complete); +- if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script")) ++ if (aURLObject.IsExoticProtocol()) ++ { ++ //SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete); + return false; ++ } + + uno::Reference xParentFrame = xFrame->getCreator(); + SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); +diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx +index 764bb28ef623..2a9f7bc3d7dc 100644 +--- a/tools/source/fsys/urlobj.cxx ++++ b/tools/source/fsys/urlobj.cxx +@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension() + ? aTheExtension : OUString(); + } + ++bool INetURLObject::IsExoticProtocol() const ++{ ++ return m_eScheme == INetProtocol::Slot || ++ m_eScheme == INetProtocol::Macro || ++ m_eScheme == INetProtocol::Uno || ++ isSchemeEqualTo(u"vnd.sun.star.script"); ++} ++ + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch new file mode 100644 index 0000000..cdfc1a7 --- /dev/null +++ b/SOURCES/0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch 
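Review bot: The rejection added to `IFrameObject::load` in sfx2/source/doc/iframe.cxx is silent, because the `SAL_WARN` line is left commented out, so a blocked floating-frame target leaves nothing in the log for whoever triages the document. Either enable it (`SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);`, which may need the `sal/log.hxx` include in this backport) or delete the dead line. Separately, `IsExoticProtocol()` in tools/source/fsys/urlobj.cxx is a deny-list and its header comment ends in "etc."; I would state there that any new internal scheme has to be added to this function, since the callers visible in this series use it as their only filter. `load` continues outside the hunk.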
@@ -0,0 +1,100 @@ +From 82752ccba78ecdbf94908377ec022f68ba7d9d59 Mon Sep 17 00:00:00 2001 +Message-ID: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Sat, 4 Nov 2023 19:57:51 +0000 +Subject: [PATCH 1/4] warn about exotic protocols as well +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151834 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 1305f70cff8a81a58a5a6d9c96c5bb032005389e) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159034 +Reviewed-by: Eike Rathke +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159881 +Reviewed-by: Miklos Vajna +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159911 +Reviewed-by: Michael Stahl + +erAck: backported to 7.1.8.1 + +--- + sw/source/filter/html/htmlplug.cxx | 2 +- + sw/source/filter/xml/xmltexti.cxx | 2 +- + tools/source/fsys/urlobj.cxx | 3 ++- + xmloff/source/draw/ximpshap.cxx | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0001-warn-about-exotic-protocols-as-well.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0001-warn-about-exotic-protocols-as-well.patch" + +diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx +index 1aec184d8a6c..1c1f5f49f13e 100644 +--- a/sw/source/filter/html/htmlplug.cxx ++++ b/sw/source/filter/html/htmlplug.cxx +@@ -1092,7 +1092,7 @@ void SwHTMLParser::InsertFloatingFrame() + + OUString sHRef = aFrameDesc.GetURL().GetMainURL( 
INetURLObject::DecodeMechanism::NONE ); + +- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(sHRef).IsExoticProtocol()) + NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); +diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx +index 7ec4616f76dd..4bbed6bb8ff8 100644 +--- a/sw/source/filter/xml/xmltexti.cxx ++++ b/sw/source/filter/xml/xmltexti.cxx +@@ -860,7 +860,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra + OUString sHRef = URIHelper::SmartRel2Abs( + INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ); + +- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(sHRef).IsExoticProtocol()) + GetXMLImport().NotifyMacroEventRead(); + + xSet->setPropertyValue("FrameURL", +diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx +index 2a9f7bc3d7dc..36a8af31a0fb 100644 +--- a/tools/source/fsys/urlobj.cxx ++++ b/tools/source/fsys/urlobj.cxx +@@ -4767,7 +4767,8 @@ bool INetURLObject::IsExoticProtocol() const + return m_eScheme == INetProtocol::Slot || + m_eScheme == INetProtocol::Macro || + m_eScheme == INetProtocol::Uno || +- isSchemeEqualTo(u"vnd.sun.star.script"); ++ isSchemeEqualTo(u"vnd.sun.star.script") || ++ isSchemeEqualTo(u"service"); + } + + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ +diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx +index 113f3a3ffc2a..263b4b937608 100644 +--- a/xmloff/source/draw/ximpshap.cxx ++++ b/xmloff/source/draw/ximpshap.cxx +@@ -3257,7 +3257,7 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs + + if( !maHref.isEmpty() ) + { +- if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro) ++ if (INetURLObject(maHref).IsExoticProtocol()) + GetImport().NotifyMacroEventRead(); + + xProps->setPropertyValue("FrameURL", Any(maHref) ); + +--------------erAck-patch-parts-- + + 
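Review bot: All three call sites changed here (`SwHTMLParser::InsertFloatingFrame`, `SwXMLTextImportHelper::createAndInsertFloatingFrame`, `SdXMLFloatingFrameShapeContext::StartElement`) still write the exotic URL into `FrameURL` right after `NotifyMacroEventRead()`, so the import only flags the document and does not drop the target. If the actual refusal is meant to happen in `IFrameObject::load` (the `IsExoticProtocol()` early return added by the previous patch), say so at each site, for example `// URL is kept; IFrameObject::load refuses exotic schemes`. The `service` scheme added to `IsExoticProtocol()` in urlobj.cxx is also absent from the list in the comment on its declaration in urlobj.hxx. Each of these functions starts and ends outside its hunk.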
diff --git a/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
new file mode 100644
index 0000000..a8633be
--- /dev/null
+++ b/SOURCES/0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch
@@ -0,0 +1,239 @@ +From b74078dd27a8d9e7151bc0466ca231a06f555459 Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Fri, 3 Nov 2023 17:26:25 +0000 +Subject: [PATCH 2/4] default to ignoring libreoffice special-purpose protocols + in calc hyperlink +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911 +Tested-by: Jenkins +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159045 +Reviewed-by: Eike Rathke +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159882 +Tested-by: Miklos Vajna +Reviewed-by: Miklos Vajna +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159912 +Reviewed-by: Michael Stahl + +erAck: backported to 7.1.8.1 + +--- + dbaccess/source/core/dataaccess/ModelImpl.cxx | 3 +- + include/sfx2/docmacromode.hxx | 4 ++- + include/sfx2/objsh.hxx | 3 ++ + sc/source/core/data/global.cxx | 33 ++++++++++++++++++- + sfx2/source/doc/docmacromode.cxx | 8 +++-- + sfx2/source/doc/objmisc.cxx | 8 ++++- + sfx2/source/doc/objxtor.cxx | 1 + + sfx2/source/inc/objshimp.hxx | 3 +- + 8 files changed, 56 insertions(+), 7 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0002-default-to-ignoring-libreoffice-special-purpose-prot.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; 
filename="0002-default-to-ignoring-libreoffice-special-purpose-prot.patch" + +diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx +index 3e21289dbe9a..e399d5da7067 100644 +--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx ++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx +@@ -1133,7 +1133,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading() + { + Reference< XInteractionHandler > xInteraction; + xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction ); +- return m_aMacroMode.checkMacrosOnLoading( xInteraction ); ++ const bool bHasMacros = m_aMacroMode.hasMacros(); ++ return m_aMacroMode.checkMacrosOnLoading(xInteraction, false /*HasValidContentSignature*/, bHasMacros); + } + + void ODatabaseModelImpl::resetMacroExecutionMode() +diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx +index 7ed42f6a14dd..0acb44cbfbb1 100644 +--- a/include/sfx2/docmacromode.hxx ++++ b/include/sfx2/docmacromode.hxx +@@ -261,6 +261,8 @@ namespace sfx2 + */ + static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage ); + ++ bool hasMacros() const; ++ + static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainer ); + /** checks the macro execution mode while loading the document. 
+ +@@ -288,7 +290,7 @@ namespace sfx2 + bool + checkMacrosOnLoading( + const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction, +- bool bHasValidContentSignature = false ++ bool bHasValidContentSignature, bool bHasMacros + ); + + private: +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index ef1a0a33e1dc..fde0dba3d7c9 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -433,6 +433,9 @@ public: + void SetMacroCallsSeenWhileLoading(); + bool GetMacroCallsSeenWhileLoading() const; + ++ // true if the document had macros (or similar) on load to trigger warning user ++ bool GetHadCheckedMacrosOnLoad() const; ++ + const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const; + bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo ); + +diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx +index b0a91cb397d8..92caea1ea459 100644 +--- a/sc/source/core/data/global.cxx ++++ b/sc/source/core/data/global.cxx +@@ -26,7 +26,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -772,7 +774,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + + OUString aUrlName( rURL ); + SfxViewFrame* pFrame = nullptr; +- const SfxObjectShell* pObjShell = nullptr; ++ SfxObjectShell* pObjShell = nullptr; + OUString aReferName; + if ( pScActiveViewShell ) + { +@@ -806,6 +808,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + aUrlName = aNewUrlName; + } + ++ if (INetURLObject(aUrlName).IsExoticProtocol()) ++ { ++ // Default to ignoring exotic protocols ++ bool bAllow = false; ++ if (pObjShell) ++ { ++ // If the document had macros when loaded then follow the allowed macro-mode ++ if (pObjShell->GetHadCheckedMacrosOnLoad()) ++ bAllow = pObjShell->AdjustMacroMode(); ++ else // otherwise ask the user, defaulting to cancel ++ { ++ 
assert(pFrame && "if we have pObjShell we have pFrame"); ++ //Reuse URITools::onOpenURI warning string ++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(), ++ VclMessageType::Warning, VclButtonsType::YesNo, ++ SfxResId(STR_DANGEROUS_TO_OPEN))); ++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", ++ INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous))); ++ xQueryBox->set_default_response(RET_NO); ++ bAllow = xQueryBox->run() == RET_YES; ++ } ++ } ++ if (!bAllow) ++ { ++ SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName); ++ return; ++ } ++ } ++ + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); + SfxStringItem aTarget( SID_TARGETNAME, rTarget ); + if ( nScClickMouseModifier & KEY_SHIFT ) // control-click -> into new window +diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx +index bdae350b22f5..d8757c7a505d 100644 +--- a/sfx2/source/doc/docmacromode.cxx ++++ b/sfx2/source/doc/docmacromode.cxx +@@ -403,8 +403,12 @@ namespace sfx2 + return bHasMacros; + } + ++ bool DocumentMacroMode::hasMacros() const ++ { ++ return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading(); ++ } + +- bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature ) ++ bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature, bool bHasMacros ) + { + bool bAllow = false; + if ( SvtSecurityOptions().IsMacroDisabled() ) +@@ -414,7 +418,7 @@ namespace sfx2 + } + else + { +- if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading()) ++ if (bHasMacros) + { + if (m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading()) + m_bNeedsContentSigned = true; +diff --git 
a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index 6b86e2163ccb..ddf95eeafe5e 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -944,9 +944,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl() + + // check macro security + const bool bHasValidContentSignature = HasValidSignatures(); +- pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature ); ++ const bool bHasMacros = pImpl->aMacroMode.hasMacros(); ++ pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature, bHasMacros ); ++ pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros; + } + ++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const ++{ ++ return pImpl->m_bHadCheckedMacrosOnLoad; ++} + + void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler ) + { +diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx +index c7f34aeadc31..ae6f713251ea 100644 +--- a/sfx2/source/doc/objxtor.cxx ++++ b/sfx2/source/doc/objxtor.cxx +@@ -211,6 +211,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell ) + ,m_bAllowShareControlFileClean( true ) + ,m_bConfigOptionsChecked( false ) + ,m_bMacroCallsSeenWhileLoading( false ) ++ ,m_bHadCheckedMacrosOnLoad( false ) + ,lErr(ERRCODE_NONE) + ,nEventId ( SfxEventHintId::NONE ) + ,nLoadedFlags ( SfxLoadedFlags::ALL ) +diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx +index 192470e5542d..b011b3737d66 100644 +--- a/sfx2/source/inc/objshimp.hxx ++++ b/sfx2/source/inc/objshimp.hxx +@@ -90,7 +90,8 @@ struct SfxObjectShell_Impl : public ::sfx2::IMacroDocumentAccess + m_bSharedXMLFlag:1, // whether the document should be edited in shared mode + m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file + m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed. 
+- m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed. ++ m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document. ++ m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded + + IndexBitSet aBitSet; + ErrCode lErr; + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch new file mode 100644 index 0000000..b454135 --- /dev/null +++ b/SOURCES/0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch 
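Review bot: `DocumentMacroMode::checkMacrosOnLoading` in sfx2/source/doc/docmacromode.cxx now takes `bHasMacros` from the caller, and the old internal test is replaced by `if (bHasMacros)`, so a call site that passes `false` skips the visible macro-mode branch. Both callers in this patch pass `hasMacros()`, but the declaration in include/sfx2/docmacromode.hxx gains the parameter without any documentation, and the `= false` default on `bHasValidContentSignature` is removed in the same hunk. Add a line to the doc comment such as `@param bHasMacros must be the result of hasMacros() for this document; do not pass a constant`. The name `m_bHadCheckedMacrosOnLoad` reads as "a check ran" while it stores `bHasMacros`; the comment on `GetHadCheckedMacrosOnLoad()` in objsh.hxx should say that explicitly. The function bodies continue outside the hunks.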
@@ -0,0 +1,281 @@ +From 6a69b533227ae22d97824317f14dfa6991959101 Mon Sep 17 00:00:00 2001 +Message-ID: <6a69b533227ae22d97824317f14dfa6991959101.1703086328.git.erack@redhat.com> +In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com> +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 15 Nov 2023 11:39:24 +0000 +Subject: [PATCH 3/4] reuse AllowedLinkProtocolFromDocument in writer +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="------------erAck-patch-parts" + +This is a multi-part message in MIME format. +--------------erAck-patch-parts +Content-Type: text/plain; charset=UTF-8; format=fixed +Content-Transfer-Encoding: 8bit + + +reorg calc hyperlink check to reuse elsewhere + +Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75) + +reuse AllowedLinkProtocolFromDocument in writer + +Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d) + +combine these hyperlink dispatchers into one call + +Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489 +Tested-by: Caolán McNamara +Reviewed-by: Caolán McNamara +(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb) + +we can have just one LoadURL for writer + +Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557 +Tested-by: Jenkins +Reviewed-by: Caolán McNamara +(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858 
+Tested-by: Jenkins CollaboraOffice +Reviewed-by: Miklos Vajna +(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883 +Signed-off-by: Xisco Fauli +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159913 +Reviewed-by: Michael Stahl +Reviewed-by: Eike Rathke +--- + include/sfx2/objsh.hxx | 7 +++-- + sc/source/core/data/global.cxx | 32 ++--------------------- + sfx2/source/doc/objmisc.cxx | 27 ++++++++++++++++++++ + sw/source/uibase/shells/drwtxtex.cxx | 8 ++---- + sw/source/uibase/wrtsh/wrtsh2.cxx | 38 ++++++++++++++++++---------- + 5 files changed, 60 insertions(+), 52 deletions(-) + + +--------------erAck-patch-parts +Content-Type: text/x-patch; name="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch" +Content-Transfer-Encoding: 8bit +Content-Disposition: attachment; filename="0003-reuse-AllowedLinkProtocolFromDocument-in-writer.patch" + +diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx +index fde0dba3d7c9..79f22c978dcb 100644 +--- a/include/sfx2/objsh.hxx ++++ b/include/sfx2/objsh.hxx +@@ -200,6 +200,9 @@ private: + + SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet ); + ++ // true if the document had macros (or similar) on load to trigger warning user ++ SAL_DLLPRIVATE bool GetHadCheckedMacrosOnLoad() const; ++ + protected: + SfxObjectShell(SfxObjectCreateMode); + SfxObjectShell(SfxModelFlags); // see sfxmodelfactory.hxx +@@ -427,8 +430,8 @@ public: + void SetMacroCallsSeenWhileLoading(); + bool GetMacroCallsSeenWhileLoading() const; + +- // true if the document had macros (or similar) on load to trigger warning user +- bool GetHadCheckedMacrosOnLoad() const; ++ // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc ++ static bool AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent); + + const css::uno::Sequence< css::beans::PropertyValue 
>& GetModifyPasswordInfo() const; + bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo ); +diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx +index 92caea1ea459..27c5a51a46c1 100644 +--- a/sc/source/core/data/global.cxx ++++ b/sc/source/core/data/global.cxx +@@ -29,9 +29,7 @@ + #include + #include + #include +-#include + #include +-#include + #include + #include + #include +@@ -856,34 +854,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno + aUrlName = aNewUrlName; + } + +- if (INetURLObject(aUrlName).IsExoticProtocol()) +- { +- // Default to ignoring exotic protocols +- bool bAllow = false; +- if (pObjShell) +- { +- // If the document had macros when loaded then follow the allowed macro-mode +- if (pObjShell->GetHadCheckedMacrosOnLoad()) +- bAllow = pObjShell->AdjustMacroMode(); +- else // otherwise ask the user, defaulting to cancel +- { +- assert(pFrame && "if we have pObjShell we have pFrame"); +- //Reuse URITools::onOpenURI warning string +- std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(), +- VclMessageType::Warning, VclButtonsType::YesNo, +- SfxResId(STR_DANGEROUS_TO_OPEN))); +- xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", +- INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous))); +- xQueryBox->set_default_response(RET_NO); +- bAllow = xQueryBox->run() == RET_YES; +- } +- } +- if (!bAllow) +- { +- SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName); +- return; +- } +- } ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? 
pFrame->GetFrameWeld() : nullptr)) ++ return; + + SfxStringItem aUrl( SID_FILE_NAME, aUrlName ); + SfxStringItem aTarget( SID_TARGETNAME, rTarget ); +diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx +index ddf95eeafe5e..8c76c3f0f4d6 100644 +--- a/sfx2/source/doc/objmisc.cxx ++++ b/sfx2/source/doc/objmisc.cxx +@@ -962,6 +962,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const + return pImpl->m_bHadCheckedMacrosOnLoad; + } + ++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent) ++{ ++ if (!INetURLObject(rUrl).IsExoticProtocol()) ++ return true; ++ // Default to ignoring exotic protocols ++ bool bAllow = false; ++ if (pObjShell) ++ { ++ // If the document had macros when loaded then follow the allowed macro-mode ++ if (pObjShell->GetHadCheckedMacrosOnLoad()) ++ bAllow = pObjShell->AdjustMacroMode(); ++ else // otherwise ask the user, defaulting to cancel ++ { ++ //Reuse URITools::onOpenURI warning string ++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pDialogParent, ++ VclMessageType::Warning, VclButtonsType::YesNo, ++ SfxResId(STR_DANGEROUS_TO_OPEN))); ++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)", ++ INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous))); ++ xQueryBox->set_default_response(RET_NO); ++ bAllow = xQueryBox->run() == RET_YES; ++ } ++ } ++ SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl); ++ return bAllow; ++} ++ + void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler ) + { + OUString aVersion; +diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx +index c84ee7bd9af4..c51f501841ad 100644 +--- a/sw/source/uibase/shells/drwtxtex.cxx ++++ b/sw/source/uibase/shells/drwtxtex.cxx +@@ -533,12 +533,8 @@ void SwDrawTextShell::Execute( SfxRequest 
&rReq ) + const SvxFieldData* pField = pOLV->GetFieldAtCursor(); + if (const SvxURLField* pURLField = dynamic_cast(pField)) + { +- SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL()); +- SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame()); +- SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false); +- SfxBoolItem aBrowsing(SID_BROWSE, true); +- GetView().GetViewFrame()->GetDispatcher()->ExecuteList( +- SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing }); ++ ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE, ++ pURLField->GetTargetFrame()); + } + } + break; +diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx +index 1995e7133c4a..d781823e82ec 100644 +--- a/sw/source/uibase/wrtsh/wrtsh2.cxx ++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx +@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter ) + return bRet; + } + +-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, +- const OUString& rTargetFrameName ) ++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter, ++ const OUString& rTargetFrameName) + { +- OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" ); +- if( rURL.isEmpty() ) +- return ; ++ SwDocShell* pDShell = rView.GetDocShell(); ++ OSL_ENSURE( pDShell, "No DocShell?!"); ++ SfxViewFrame* pViewFrame = rView.GetViewFrame(); + +- // The shell could be 0 also!!!!! +- if ( dynamic_cast( &rVSh) == nullptr ) ++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld())) + return; + + // We are doing tiledRendering, let the client handles the URL loading, + // unless we are jumping to a TOC mark. 
+ if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#")) + { +- rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr()); ++ rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr()); + return; + } + +- //A CursorShell is always a WrtShell +- SwWrtShell &rSh = static_cast(rVSh); +- +- SwDocShell* pDShell = rSh.GetView().GetDocShell(); +- OSL_ENSURE( pDShell, "No DocShell?!"); + OUString sTargetFrame(rTargetFrameName); + if (sTargetFrame.isEmpty() && pDShell) + { +@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, + OUString sReferer; + if( pDShell && pDShell->GetMedium() ) + sReferer = pDShell->GetMedium()->GetName(); +- SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame(); + SfxFrameItem aView( SID_DOCFRAME, pViewFrame ); + SfxStringItem aName( SID_FILE_NAME, rURL ); + SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame ); +@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, + SfxCallMode::ASYNCHRON|SfxCallMode::RECORD ); + } + ++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter, ++ const OUString& rTargetFrameName ) ++{ ++ OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" ); ++ if( rURL.isEmpty() ) ++ return ; ++ ++ // The shell could be 0 also!!!!! ++ if ( dynamic_cast( &rVSh) == nullptr ) ++ return; ++ ++ //A CursorShell is always a WrtShell ++ SwWrtShell &rSh = static_cast(rVSh); ++ ++ ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName); ++} ++ + void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk, + const sal_uInt16 nAction ) + { + +--------------erAck-patch-parts-- + + diff --git a/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch new file mode 100644 index 0000000..6095a11 --- /dev/null 
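Review bot: The new static `LoadURL(SwView&, ...)` in sw/source/uibase/wrtsh/wrtsh2.cxx dereferences `pViewFrame` in `pViewFrame->GetFrameWeld()` without a null test, while the Calc call site in the same patch passes `pFrame ? pFrame->GetFrameWeld() : nullptr` and `pDShell` two lines above is only asserted with `OSL_ENSURE`. For consistency use `pViewFrame ? pViewFrame->GetFrameWeld() : nullptr` as the third argument. `AllowedLinkProtocolFromDocument` in sfx2/source/doc/objmisc.cxx would also benefit from a short comment stating its contract as the code shows it: non-exotic URLs always pass, a null `pObjShell` refuses exotic ones without asking, and the dialog defaults to No. `LoadURL` continues past the end of its hunk.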
+++ b/SOURCES/0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch 
@@ -0,0 +1,99 @@
+From 2b72aefb0ad620b4c5431a87f6493edba2563f27 Mon Sep 17 00:00:00 2001
+Message-ID: <2b72aefb0ad620b4c5431a87f6493edba2563f27.1703086328.git.erack@redhat.com>
+In-Reply-To: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+References: <82752ccba78ecdbf94908377ec022f68ba7d9d59.1703086328.git.erack@redhat.com>
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Wed, 22 Nov 2023 21:14:41 +0000
+Subject: [PATCH 4/4] reuse AllowedLinkProtocolFromDocument in impress/draw
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759
+Reviewed-by: Michael Stahl
+Signed-off-by: Xisco Fauli
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884
+Reviewed-by: Miklos Vajna
+Signed-off-by: Xisco Fauli
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159914
+Reviewed-by: Eike Rathke
+---
+ sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0004-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0004-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch"
+
+diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx
+index 573ee853069b..b22feb2d1f21 100644
+--- a/sd/source/ui/app/sdmod1.cxx
++++ b/sd/source/ui/app/sdmod1.cxx
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -192,26 +193,32 @@ void SdModule::Execute(SfxRequest& rReq)
+ {
+ bool bIntercept = false;
+ ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() );
+- if (pDocShell)
++ ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr;
++ if (pViewShell)
+ {
+- ::sd::ViewShell* pViewShell = pDocShell->GetViewShell();
+- if (pViewShell)
++ if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
+ {
+- if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
++ // Prevent documents from opening while the slide
++ // show is running, except when this request comes
++ // from a shape interaction.
++ if (rReq.GetArgs() == nullptr)
+ {
+- // Prevent documents from opening while the slide
+- // show is running, except when this request comes
+- // from a shape interaction.
+- if (rReq.GetArgs() == nullptr)
+- {
+- bIntercept = true;
+- }
++ bIntercept = true;
+ }
+ }
+ }
+
+ if (!bIntercept)
+ {
++ if (const SfxStringItem* pURLItem = rReq.GetArg(SID_FILE_NAME))
++ {
++ if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(),
++ pViewShell->GetObjectShell(),
++ pViewShell->GetFrameWeld()))
++ {
++ return;
++ }
++ }
+ SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface());
+ }
+ else
+
+--------------erAck-patch-parts--
+
+
diff --git a/SOURCES/0006-CVE-2023-6186-backporting.patch b/SOURCES/0006-CVE-2023-6186-backporting.patch
new file mode 100644
index 0000000..5ba765d
--- /dev/null
+++ b/SOURCES/0006-CVE-2023-6186-backporting.patch
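Review bot: The guard added under `if (!bIntercept)` in `SdModule::Execute` returns silently when a `SID_FILE_NAME` argument is present but `pViewShell` is null, and nothing in the code says that this fail-closed path is intentional. A one-line comment above the inner `if` would keep a later refactor from relaxing it, e.g. `// No view shell means no document to vet the link against: refuse rather than open it unchecked.` Requests that carry no `SID_FILE_NAME` item still go straight to `ExecuteSlot` without any protocol check; that looks deliberate, but it is worth stating in the same comment. The body of `Execute` starts and ends outside the quoted hunk.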
@@ -0,0 +1,65 @@
+From 762ed044e9c696a58e2ab41bd16b57003717a6ce Mon Sep 17 00:00:00 2001
+From: Eike Rathke
+Date: Wed, 6 Mar 2024 23:19:34 +0100
+Subject: [PATCH] CVE-2023-6186 backporting
+
+Add dialog text string STR_DANGEROUS_TO_OPEN
+as per upstream commit 70009098fd70df021048c540d1796c928554b494
+
+SfxViewFrame doesn't have GetFrameWeld() yet, get from Window.
+---
+ include/sfx2/strings.hrc | 1 +
+ sc/source/core/data/global.cxx | 4 +++-
+ sw/source/uibase/wrtsh/wrtsh2.cxx | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
+index 317dd88..b1bfa69 100644
+--- a/include/sfx2/strings.hrc
++++ b/include/sfx2/strings.hrc
+@@ -101,6 +101,7 @@
+ #define STR_GB NC_("STR_GB", "GB")
+ #define STR_QUERY_LASTVERSION NC_("STR_QUERY_LASTVERSION", "Cancel all changes?")
+ #define STR_NO_WEBBROWSER_FOUND NC_("STR_NO_WEBBROWSER_FOUND", "Opening \"$(ARG1)\" failed with error code $(ARG2) and message: \"$(ARG3)\"\nMaybe no web browser could be found on your system. In that case, please check your Desktop Preferences or install a web browser (for example, Firefox) in the default location requested during the browser installation.")
++#define STR_DANGEROUS_TO_OPEN NC_("STR_DANGEROUS_TO_OPEN", "It might be dangerous to open \"$(ARG1)\".\nDo you really want to open it?")
+ #define STR_NO_ABS_URI_REF NC_("STR_NO_ABS_URI_REF", "\"$(ARG1)\" cannot be passed to an external application to open it (e.g., it might not be an absolute URL, or might denote no existing file).")
+ #define STR_GID_INTERN NC_("STR_GID_INTERN", "Internal")
+ #define STR_GID_APPLICATION NC_("STR_GID_APPLICATION", "Application")
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index d2f7343..a066985 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -37,6 +37,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -806,7 +808,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ aUrlName = aNewUrlName;
+ }
+
+- if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetWindow().GetFrameWeld() : nullptr))
+ return;
+
+ SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index c91a8f3..7908814 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -483,7 +483,7 @@ static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
+ OSL_ENSURE( pDShell, "No DocShell?!");
+ SfxViewFrame* pViewFrame = rView.GetViewFrame();
+
+- if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetWindow().GetFrameWeld()))
+ return;
+
+ // We are doing tiledRendering, let the client handles the URL loading,
+--
+2.43.0
+
diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec
index f4312c9..84774ba 100644
--- a/SPECS/libreoffice.spec
+++ b/SPECS/libreoffice.spec
@@ -58,7 +58,7 @@ Summary: Free Software Productivity Suite
 Name: libreoffice
 Epoch: 1
 Version: %{libo_version}.1
-Release: 11%{?libo_prerelease}%{?dist}
+Release: 11%{?libo_prerelease}%{?dist}.alma
 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
 URL: http://www.libreoffice.org/
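Review bot: In the wrtsh2.cxx change, `pViewFrame->GetWindow().GetFrameWeld()` dereferences `pViewFrame` with no check, while the global.cxx change in the same patch guards the equivalent call with `pFrame ? … : nullptr`. The unguarded dereference is carried over from the line it replaces, but the backport now adds a second call on that pointer. If `rView.GetViewFrame()` can never return null at this point, say so in a comment next to the declaration. Otherwise mirror the calc form: `pViewFrame ? pViewFrame->GetWindow().GetFrameWeld() : nullptr`, which the global.cxx call shows `AllowedLinkProtocolFromDocument` accepts. `LoadURL` continues outside the quoted hunk.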
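Review bot: `Release:` keeps the number 11 and only gains a `.alma` suffix, but the `%changelog` entry this commit adds is stamped `1:7.1.8.1-12.alma`. The tag and the changelog should agree, so that the build carrying the CVE-2023-6185 and CVE-2023-6186 fixes is identifiable and sorts above the previous `-11.alma` build. Either bump the tag, `Release: 12%{?libo_prerelease}%{?dist}.alma`, or restamp the changelog entry. How `%{dist}` expands is not visible in this diff, so the resulting version ordering is an inference to confirm.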
@@ -290,6 +290,14 @@ Patch33: 0001-set-Referer-on-loading-IFrames.patch Patch34: 0002-put-floating-frames-under-managed-links-control.patch Patch35: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch Patch36: 0001-disable-script-dump.patch +# Patches were taken from the latest OL relase +Patch37: 0001-CVE-2023-6185-escape-url-passed-to-gstreamer.patch +Patch38: 0001-CVE-2023-6186-add-some-protocols-that-don-t-make-sense-as-floating.patch +Patch39: 0002-CVE-2023-6186-warn-about-exotic-protocols-as-well.patch +Patch40: 0003-CVE-2023-6186-default-to-ignoring-libreoffice-special-purpose-prot.patch +Patch41: 0004-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-writer.patch +Patch42: 0005-CVE-2023-6186-reuse-AllowedLinkProtocolFromDocument-in-impress-dra.patch +Patch43: 0006-CVE-2023-6186-backporting.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch @@ -383,7 +391,7 @@ Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} %description base -GUI database front-end for LibreOffice. Allows creation and management of +GUI database front-end for LibreOffice. Allows creation and management of databases through a GUI. %if 0%{?fedora} @@ -469,7 +477,7 @@ BuildArch: noarch %description %{fontname}-fonts A dingbats font, OpenSymbol, suitable for use by LibreOffice for bullets and -mathematical symbols. +mathematical symbols. %package writer Summary: LibreOffice Word Processor Application @@ -483,7 +491,7 @@ Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} The LibreOffice Word Processor application. %package emailmerge -Summary: Email mail-merge component for LibreOffice +Summary: Email mail-merge component for LibreOffice Requires: %{name}-writer%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} 
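Review bot: The provenance comment above `Patch37` (`# Patches were taken from the latest OL relase`) does not identify which package the seven CVE patches were copied from, and "latest" stops being true after the next update of that source. Record the exact origin so the backport can be audited against it later, e.g. `# CVE-2023-6185 / CVE-2023-6186 backports, taken from <source package NVR - placeholder>`. The same line misspells "release".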
@@ -533,7 +541,7 @@ Requires: %{name}-pdfimport%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-pyuno%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} -%description math +%description math The LibreOffice Equation Editor Application. %package graphicfilter @@ -1032,6 +1040,7 @@ rm -rf git-hooks */git-hooks # apply patches %autopatch -M 99 %if 0%{?rhel} +%{?!apply_patch:%define apply_patch(qp:m:) {%__apply_patch %**}} %apply_patch -q %{PATCH500} %endif @@ -1249,7 +1258,7 @@ pushd %{buildroot}%{baseinstdir}/share/autocorr %make_autocorr_aliases -l en-GB en-AG en-AU en-BS en-BW en-BZ en-CA en-DK en-GH en-HK en-IE en-IN en-JM en-NG en-NZ en-SG en-TT %make_autocorr_aliases -l en-US en-PH -#en-ZA exists and has a good autocorrect file with two or three extras that make sense for +#en-ZA exists and has a good autocorrect file with two or three extras that make sense for #neighbouring english speaking territories %make_autocorr_aliases -l en-ZA en-NA en-ZW %if %{with langpacks} @@ -1309,7 +1318,7 @@ rm -f %{buildroot}%{baseinstdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/LICENSE ln -sr %{buildroot}%{lodatadocdir}/CREDITS.fodt %{buildroot}%{baseinstdir}/CREDITS.fodt ln -sr %{buildroot}%{lodatadocdir}/LICENSE.html %{buildroot}%{baseinstdir}/LICENSE.html -#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs +#ensure that no sneaky un-prelinkable, un-fpic or non executable shared libs #have snuck through pic=0 executable=0 
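Review bot: The line `%{?!apply_patch:%define apply_patch(qp:m:) {%__apply_patch %**}}` added in the `@@ -1032,6 +1040,7 @@` hunk is a build-macro fallback that carries no comment and is not listed in the `%changelog` entry this commit adds. Add a line saying why it is needed, e.g. `# define apply_patch when the build root's rpm macros do not provide it (used for Patch500 below)`, so the shim can be dropped once it is no longer required. Whether the target build root actually lacks the macro cannot be told from this diff.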
@@ -1498,13 +1507,13 @@ export DESTDIR=%{buildroot} # appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-writer.appdata.xml \ https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/a.png \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-writer/b.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-calc.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-calc/a.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-draw.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-draw/a.png appstream-util replace-screenshots %{buildroot}%{_datadir}/metainfo/libreoffice-impress.appdata.xml \ - https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png + https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/libreoffice-impress/a.png %endif %if 0%{?flatpak} # Assemble the libreoffice-*.appdata.xml files into a single 
@@ -2275,6 +2284,17 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog +* Thu Mar 21 2024 Eduard Abdullin - 1:7.1.8.1-12.alma +- escape url passed to gstreamer +- add some protocols that don't make sense as floating frame + targets +- warn about exotic protocols as well +- default to ignoring libreoffice special-purpose protocols + in calc hyperlink +- reuse AllowedLinkProtocolFromDocument in writer +- reuse AllowedLinkProtocolFromDocument in impress/draw +- CVE-2023-6186 backporting + * Thu Sep 21 2023 Eduard Abdullin - 1:7.1.8.1-11.alma - Debrand for AlmaLinux @@ -4422,7 +4442,7 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : * Wed Oct 19 2011 Caolán McNamara - 3.4.3.2-14 - Related: rhbz#743750 addXineramaScreenUnique issue - + * Fri Oct 07 2011 Stephan Bergmann - 3.4.3.2-13 - Patches to build with GCC 6.4.1