diff --git a/SOURCES/0001-CVE-2021-25636.patch b/SOURCES/0001-CVE-2021-25636.patch new file mode 100644 index 0000000..61bfe18 --- /dev/null +++ b/SOURCES/0001-CVE-2021-25636.patch @@ -0,0 +1,69 @@ +From ae1bd20a2d4d7b7d64edc3b06d7f901c05175b7d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 20 Dec 2021 17:05:44 +0000 +Subject: [PATCH] only use X509Data + +Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +(cherry picked from commit be446d81e07b5499152efeca6ca23034e51ea5ff) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127178 +Reviewed-by: Adolfo Jayme Barrientos +(cherry picked from commit b0404f80577de9ff69e58390c6f6ef949fdb0139) +--- + .../source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx | 6 ++++++ + xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx +index db400e6..39f9d7f 100644 +--- a/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx ++++ b/xmlsecurity/source/xmlsec/mscrypt/xmlsignature_mscryptimpl.cxx +@@ -21,6 +21,8 @@ + #include + #include + ++#include ++ + #include + #include + +@@ -229,6 +231,10 @@ SAL_CALL XMLSignature_MSCryptImpl::validate( + // We do certificate verification ourselves. + pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; + ++ // limit possible key data to valid X509 certificates only, no KeyValues ++ if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecMSCngKeyDataX509GetKlass()) < 0) ++ throw RuntimeException("failed to limit allowed key data"); ++ + //Verify signature + //The documentation says that the signature is only valid if the return value is 0 (that is, not < 0) + //AND pDsigCtx->status == xmlSecDSigStatusSucceeded. That is, we must not make any assumptions, if +diff --git a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx +index 827580b..8f4d6f8 100644 +--- a/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx ++++ b/xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx +@@ -19,6 +19,8 @@ + + #include + ++#include ++ + #include + #include + #include +@@ -243,6 +245,10 @@ SAL_CALL XMLSignature_NssImpl::validate( + // We do certificate verification ourselves. + pDsigCtx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; + ++ // limit possible key data to valid X509 certificates only, no KeyValues ++ if (xmlSecPtrListAdd(&(pDsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecNssKeyDataX509GetKlass()) < 0) ++ throw RuntimeException("failed to limit allowed key data"); ++ + //Verify signature + int rs = xmlSecDSigCtxVerify( pDsigCtx.get() , pNode ); + +-- +2.33.1 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 44e5e0d..fbf9d6a 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 10%{?libo_prerelease}%{?dist} +Release: 11%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -279,6 +279,7 @@ Patch35: 0001-Correctly-read-PNG-into-bitmaps-N32BitTcA.-formats-w.patch Patch36: 0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch +Patch39: 0001-CVE-2021-25636.patch %if 0%{?rhel} # not upstreamed @@ -2275,6 +2276,9 @@ done %{_includedir}/LibreOfficeKit %changelog +* Mon Mar 07 2022 Caolán McNamara - 1:6.4.7.2-11 +- Resolves: rhbz#2060559 CVE-2021-25636 + * Mon Feb 07 2022 Caolán McNamara - 1:6.4.7.2-10 - Related: rhbz#2029810 bump n-v-r