rpms/libreoffice
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#2208509 CVE-2023-1183 libreoffice: Arbitrary File Write

Browse Source
This commit is contained in:
Stephan Bergmann 2023-06-19 15:46:22 +02:00
parent 2030b03cbd
commit c0069bfe12
2 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
0001-disable-script-dump.patch Normal file
View File

@ -0,0 +1,99 @@
From ff68c22161071ce89851c6d81e80ba51b67e8e0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Mon, 13 Feb 2023 13:56:10 +0000
Subject: [PATCH] disable script dump
Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146986
Tested-by: Jenkins
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147051
Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147255
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit ae3a7dcbb60bb73700737b9ca8940ce3103648d9)
---
.../source/drivers/hsqldb/HDriver.cxx | 31 +++++++++++++++++++
external/hsqldb/UnpackedTarball_hsqldb.mk | 1 +
.../hsqldb/patches/disable-dump-script.patch | 14 +++++++++
3 files changed, 46 insertions(+)
create mode 100644 external/hsqldb/patches/disable-dump-script.patch
diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx
index de76ecbba29de..95c610843efab 100644
--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
+++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
@@ -300,6 +300,37 @@ namespace connectivity
} // if ( xStream.is() )
::comphelper::disposeComponent(xStream);
}
+
+ // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
+ // in that bundled hsqldb 1.8.0 is patched to also reject them)
+ //
+ // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
+ // which seems to provide a builtin way to do this with contemporary hsqldb
+ const OUString sScript( "script" );
+ if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
+ {
+ Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
+ if (xStream.is())
+ {
+ std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
+ if (pStream)
+ {
+ OString sLine;
+ while (pStream->ReadLine(sLine))
+ {
+ OString sText = sLine.trim();
+ if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
+ {
+ ::connectivity::SharedResources aResources;
+ sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
+ break;
+ }
+ }
+ }
+ } // if ( xStream.is() )
+ ::comphelper::disposeComponent(xStream);
+ }
+
}
catch(Exception&)
{
diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk
index cbba770f19a07..ed262cccf4caa 100644
--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
+++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
@@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
external/hsqldb/patches/jdbc-4.1.patch \
external/hsqldb/patches/multipleResultSets.patch \
) \
+ external/hsqldb/patches/disable-dump-script.patch \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch
new file mode 100644
index 0000000000000..401dd38abc9a2
--- /dev/null
+++ b/external/hsqldb/patches/disable-dump-script.patch
@@ -0,0 +1,14 @@
+--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000
++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000
+@@ -403,6 +403,11 @@
+ throw Trace.error(Trace.INVALID_IDENTIFIER);
+ }
+
++ // added condition to avoid execution of spurious command in .script or .log file
++ if (session.isProcessingScript() || session.isProcessingLog()) {
++ return new Result(ResultConstants.UPDATECOUNT);
++ }
++
+ dsw = new ScriptWriterText(database, token, true, true, true);
+
+ dsw.writeAll();
--
2.41.0

4
libreoffice.spec
View File

@ -292,6 +292,7 @@ Patch48: 0003-Always-push-a-result-even-if-it-s-only-an-error.patch
Patch49: 0001-set-Referer-on-loading-IFrames.patch Patch49: 0001-set-Referer-on-loading-IFrames.patch
Patch50: 0002-put-floating-frames-under-managed-links-control.patch Patch50: 0002-put-floating-frames-under-managed-links-control.patch
Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch Patch51: 0003-assume-IFrame-script-macro-support-isn-t-needed.patch
Patch52: 0001-disable-script-dump.patch
%if 0%{?rhel} %if 0%{?rhel}
# not upstreamed # not upstreamed
@ -2294,11 +2295,12 @@ done
%{_includedir}/LibreOfficeKit %{_includedir}/LibreOfficeKit
%changelog %changelog
* Mon Jun 19 2023 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-15 UNBUILT * Mon Jun 19 2023 Stephan Bergmann <sbergman@redhat.com> - 1:6.4.7.2-15
- Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula - Resolves: rhbz#2210191 CVE-2023-0950 Array Index UnderFlow in Calc Formula
Parsing Parsing
- Resolves: rhbz#2210195 CVE-2023-2255 libreoffice: Remote documents loaded - Resolves: rhbz#2210195 CVE-2023-2255 libreoffice: Remote documents loaded
without prompt via IFrame without prompt via IFrame
- Resolves: rhbz#2208509 CVE-2023-1183 libreoffice: Arbitrary File Write
* Wed Apr 12 2023 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-14 * Wed Apr 12 2023 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-14
- Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path - Resolves: rhbz#2182390 CVE-2022-38745 Empty entry in Java class path