diff --git a/SOURCES/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch b/SOURCES/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch new file mode 100644 index 0000000..e02b110 --- /dev/null +++ b/SOURCES/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch @@ -0,0 +1,63 @@ +From 77f30ada1156ca1e1357776fea8e9dc113f6898d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 3 Mar 2022 14:22:37 +0000 +Subject: [PATCH 1/4] CVE-2022-26305 compare authors using Thumbprint + +Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +(cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866 +Reviewed-by: Michael Stahl +(cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8) +--- + .../component/documentdigitalsignatures.cxx | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx +index b9066ea92cac..5a21c8421bec 100644 +--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx ++++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx +@@ -19,9 +19,10 @@ + + #include + +-#include ++#include + #include + #include ++#include + #include + #include + #include +@@ -666,9 +667,23 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted( + Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors(); + + return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(), +- [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { +- return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()) +- && ( rAuthor[1] == sSerialNum ); ++ [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { ++ if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName())) ++ return false; ++ if (rAuthor[1] != sSerialNum) ++ return false; ++ ++ DocumentSignatureManager aSignatureManager(mxCtx, {}); ++ if (!aSignatureManager.init()) ++ return false; ++ uno::Reference xCert = aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]); ++ ++ auto pAuthor = dynamic_cast(xAuthor.get()); ++ auto pCert = dynamic_cast(xCert.get()); ++ if (pAuthor && pCert) ++ return pCert->getSHA256Thumbprint() == pAuthor->getSHA256Thumbprint(); ++ ++ return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint(); + }); + } + +-- +2.37.1 + diff --git a/SOURCES/0001-CVE-2022-3140.patch b/SOURCES/0001-CVE-2022-3140.patch new file mode 100644 index 0000000..4bb1976 --- /dev/null +++ b/SOURCES/0001-CVE-2022-3140.patch @@ -0,0 +1,279 @@ +From 3831e68bffc233f581e3eb1cb3c7ed925daab86f Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Tue, 30 Aug 2022 14:04:52 +0200 +Subject: [PATCH] Filter out unwanted command URIs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b) +Conflicts: + desktop/source/app/cmdlineargs.cxx + +Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +(cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c) + +These commands are always URLs already + +Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042 +Tested-by: Jean-Pierre Ledure +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980 +Reviewed-by: Caolán McNamara +(cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0) + +check IFrame "FrameURL" target + +similiar to + +commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627 +Date: Wed Aug 7 17:37:11 2019 +0100 + + warn on load when a document binds an event to a macro + +Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117 +Reviewed-by: Christian Lohmaier +(cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d) + +check impress/calc IFrame "FrameURL" target + +similar to + +commit c7450d0b9d02c64ae3da467d329040787039767e +Date: Tue Aug 30 17:01:08 2022 +0100 + + check IFrame "FrameURL" target + +Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec) +--- + desktop/source/app/cmdlineargs.cxx | 10 +++++++++- + sfx2/source/appl/macroloader.cxx | 9 +++++++-- + sfx2/source/doc/iframe.cxx | 21 ++++++++++++++++----- + sfx2/source/inc/macroloader.hxx | 2 ++ + sw/source/filter/html/htmlplug.cxx | 7 ++++++- + sw/source/filter/xml/xmltexti.cxx | 9 +++++++-- + wizards/source/access2base/DoCmd.xba | 2 +- + xmloff/source/draw/ximpshap.cxx | 4 ++++ + 8 files changed, 52 insertions(+), 12 deletions(-) + +diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx +index 381147c..5babfbe 100644 +--- a/desktop/source/app/cmdlineargs.cxx ++++ b/desktop/source/app/cmdlineargs.cxx +@@ -27,6 +27,7 @@ + + #include "cmdlineargs.hxx" + #include ++#include + #include + #include + #include +@@ -169,7 +170,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur + } + if (nURIlen < 0) + nURIlen = rest2.getLength(); +- arg = rest2.copy(0, nURIlen); ++ auto const uri = rest2.copy(0, nURIlen); ++ if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) { ++ // Let the "Open" machinery process the full command URI (leading to failure, by intention, ++ // as the "Open" machinery does not know about those command URI schemes): ++ curEvt = CommandLineEvent::Open; ++ } else { ++ arg = uri; ++ } + return curEvt; + } + +diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx +index 98e036e..b50d1e6 100644 +--- a/sfx2/source/appl/macroloader.cxx ++++ b/sfx2/source/appl/macroloader.cxx +@@ -76,10 +76,10 @@ css::uno::Sequence SAL_CALL SfxMacroLoader::getSupportedServiceNames() + return aSeq; + } + +-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() ++SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference & xFrame) + { + SfxObjectShell* pDocShell = nullptr; +- Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); ++ + if ( xFrame.is() ) + { + SfxFrame* pFrame=nullptr; +@@ -96,6 +96,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() + return pDocShell; + } + ++SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl() ++{ ++ Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY ); ++ return SfxMacroLoader::GetObjectShell(xFrame); ++} + + uno::Reference SAL_CALL SfxMacroLoader::queryDispatch( + const util::URL& aURL , +diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx +index 8b12715..b5291b2 100644 +--- a/sfx2/source/doc/iframe.cxx ++++ b/sfx2/source/doc/iframe.cxx +@@ -39,11 +39,13 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + #include ++#include + + using namespace ::com::sun::star; + +@@ -159,6 +161,19 @@ sal_Bool SAL_CALL IFrameObject::load( + { + if ( SvtMiscOptions().IsPluginsEnabled() ) + { ++ util::URL aTargetURL; ++ aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); ++ uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); ++ xTrans->parseStrict( aTargetURL ); ++ ++ if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro) ++ { ++ uno::Reference xParentFrame = xFrame->getCreator(); ++ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame); ++ if (pDoc && !pDoc->AdjustMacroMode()) ++ return false; ++ } ++ + DBG_ASSERT( !mxFrame.is(), "Frame already existing!" ); + VclPtr pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() ); + VclPtr pWin = VclPtr::Create( pParent, maFrmDescr.IsFrameBorderOn() ); +@@ -181,16 +196,12 @@ sal_Bool SAL_CALL IFrameObject::load( + if ( xFramesSupplier.is() ) + mxFrame->setCreator( xFramesSupplier ); + +- util::URL aTargetURL; +- aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); +- uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) ); +- xTrans->parseStrict( aTargetURL ); +- + uno::Sequence < beans::PropertyValue > aProps(2); + aProps[0].Name = "PluginMode"; + aProps[0].Value <<= sal_Int16(2); + aProps[1].Name = "ReadOnly"; + aProps[1].Value <<= true; ++ + uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 ); + if ( xDisp.is() ) + xDisp->dispatch( aTargetURL, aProps ); +diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx +index 9e1dfba..b3e7a5e 100644 +--- a/sfx2/source/inc/macroloader.hxx ++++ b/sfx2/source/inc/macroloader.hxx +@@ -82,6 +82,8 @@ public: + virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; + + virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override; ++ ++ static SfxObjectShell* GetObjectShell(const css::uno::Reference& xFrame); + }; + + #endif +diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx +index a0da671..eb70704 100644 +--- a/sw/source/filter/html/htmlplug.cxx ++++ b/sw/source/filter/html/htmlplug.cxx +@@ -1087,7 +1087,12 @@ void SwHTMLParser::InsertFloatingFrame() + bool bHasBorder = aFrameDesc.HasFrameBorder(); + Size aMargin = aFrameDesc.GetMargin(); + +- xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) ); ++ OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ); ++ ++ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ NotifyMacroEventRead(); ++ ++ xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) ); + xSet->setPropertyValue("FrameName", uno::makeAny( aName ) ); + + if ( eScroll == ScrollingMode::Auto ) +diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx +index 788bec5..72a14b9 100644 +--- a/sw/source/filter/xml/xmltexti.cxx ++++ b/sw/source/filter/xml/xmltexti.cxx +@@ -853,9 +853,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra + uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY ); + if ( xSet.is() ) + { ++ OUString sHRef = URIHelper::SmartRel2Abs( ++ INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ); ++ ++ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro) ++ GetXMLImport().NotifyMacroEventRead(); ++ + xSet->setPropertyValue("FrameURL", +- makeAny( URIHelper::SmartRel2Abs( +- INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) ); ++ makeAny( rHRef ) ); + + xSet->setPropertyValue("FrameName", + makeAny( rName ) ); +diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba +index 27b0d74..26755a8 100644 +--- a/wizards/source/access2base/DoCmd.xba ++++ b/wizards/source/access2base/DoCmd.xba +@@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String) + + Dim oShell As Object + Set oShell = createUnoService("com.sun.star.system.SystemShellExecute") +- oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS) ++ oShell.execute(sCommand, "" , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY) + + End Sub ' _ShellExecute V0.8.5 + +diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx +index 2e509f8..ae35f1e 100644 +--- a/xmloff/source/draw/ximpshap.cxx ++++ b/xmloff/source/draw/ximpshap.cxx +@@ -87,6 +87,7 @@ + #include + #include + #include ++#include + #include + + using namespace ::com::sun::star; +@@ -3243,6 +3244,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs + + if( !maHref.isEmpty() ) + { ++ if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro) ++ GetImport().NotifyMacroEventRead(); ++ + xProps->setPropertyValue("FrameURL", Any(maHref) ); + } + } +-- +2.37.3 + diff --git a/SOURCES/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch b/SOURCES/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch new file mode 100644 index 0000000..4137ef1 --- /dev/null +++ b/SOURCES/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch @@ -0,0 +1,198 @@ +From 61f8673fb44150bd629d88f6626aff8d5b026449 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 21 Mar 2022 20:58:34 +0000 +Subject: [PATCH] make hash encoding match decoding + +Seeing as old versions of the hash may be in the users config, add a +StorageVersion field to the office config Passwords section which +defaults to 0 to indicate the old hash is in use. + +Try the old varient when StorageVersion is 0. When a new encoded master +password it set write StorageVersion of 1 to indicate a new hash is in +use and use the new style when StorageVersion is 1. + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132080 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit e890f54dbac57f3ab5acf4fbd31222095d3e8ab6) + +svl: fix crash if user cancels/closes master password dialog + +(regression from d7ba5614d90381d68f880ca7e7c5ef8bbb1b1c43) + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133932 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit bbb8617ece6d946957c2eb96287081029bce530f) + +Change-Id: I3174c37a5891bfc849984e0ec5c2c392b9c6e7b1 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133905 +Tested-by: Michael Stahl +Reviewed-by: Michael Stahl +--- + .../schema/org/openoffice/Office/Common.xcs | 6 +++ + .../passwordcontainer/passwordcontainer.cxx | 47 ++++++++++++++++++- + .../passwordcontainer/passwordcontainer.hxx | 6 +++ + uui/source/iahndl-authentication.cxx | 5 +- + 4 files changed, 60 insertions(+), 4 deletions(-) + +diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +index b317f616deeb..b033b29b60d7 100644 +--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs ++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +@@ -911,6 +911,12 @@ + + false + ++ ++ ++ Specifies what version of encoding scheme the password container uses. ++ ++ 0 ++ + + + Specifies if there is a valid master password. +diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx +index 02947cd3892c..ff0b40df4016 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.cxx ++++ b/svl/source/passwordcontainer/passwordcontainer.cxx +@@ -17,6 +17,8 @@ + * the License at http://www.apache.org/licenses/LICENSE-2.0 . + */ + ++#include ++#include + + #include "passwordcontainer.hxx" + +@@ -259,6 +261,23 @@ bool StorageItem::useStorage() + return aResult; + } + ++sal_Int32 StorageItem::getStorageVersion() ++{ ++ Sequence aNodeNames { "StorageVersion" }; ++ ++ Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames ); ++ ++ if( aPropertyValues.getLength() != aNodeNames.getLength() ) ++ { ++ OSL_FAIL( "Problems during reading" ); ++ return 0; ++ } ++ ++ sal_Int32 nResult = 0; ++ aPropertyValues[0] >>= nResult; ++ ++ return nResult; ++} + + bool StorageItem::getEncodedMP( OUString& aResult ) + { +@@ -291,15 +310,17 @@ bool StorageItem::getEncodedMP( OUString& aResult ) + + void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty ) + { +- Sequence< OUString > sendNames(2); +- Sequence< uno::Any > sendVals(2); ++ Sequence< OUString > sendNames(3); ++ Sequence< uno::Any > sendVals(3); + + sendNames[0] = "HasMaster"; + sendNames[1] = "Master"; ++ sendNames[2] = "StorageVersion"; + + bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty ); + sendVals[0] <<= bHasMaster; + sendVals[1] <<= aEncoded; ++ sendVals[2] <<= nCurrentStorageVersion; + + ConfigItem::SetModified(); + ConfigItem::PutProperties( sendNames, sendVals ); +@@ -800,6 +821,18 @@ OUString PasswordContainer::RequestPasswordFromUser( PasswordRequestMode aRMode, + return aResult; + } + ++// Mangle the key to match an old bug ++static OUString ReencodeAsOldHash(const OUString& rPass) ++{ ++ OUStringBuffer aBuffer; ++ for (int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ++ind) ++ { ++ unsigned char i = static_cast(rPass.copy(ind * 2, 2).toUInt32(16)); ++ aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4))); ++ aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15))); ++ } ++ return aBuffer.makeStringAndClear(); ++} + + OUString const & PasswordContainer::GetMasterPassword( const Reference< XInteractionHandler >& aHandler ) + { +@@ -838,6 +871,9 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + } + else + { ++ if (m_pStorageFile->getStorageVersion() == 0) ++ aPass = ReencodeAsOldHash(aPass); ++ + std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) ); + if( aRM.empty() || aPass != aRM[0] ) + { +@@ -1042,6 +1078,13 @@ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::R + + do { + aPass = RequestPasswordFromUser( aRMode, xTmpHandler ); ++ ++ ++ if (!aPass.isEmpty() && m_pStorageFile->getStorageVersion() == 0) ++ { ++ aPass = ReencodeAsOldHash(aPass); ++ } ++ + bResult = ( !aPass.isEmpty() && aPass == m_aMasterPasswd ); + aRMode = PasswordRequestMode_PASSWORD_REENTER; // further questions with error notification + } while( !bResult && !aPass.isEmpty() ); +diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx +index 09fb7e03629d..cf5c717d0c9e 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.hxx ++++ b/svl/source/passwordcontainer/passwordcontainer.hxx +@@ -167,6 +167,10 @@ public: + typedef ::std::pair< const OUString, ::std::vector< NamePassRecord > > PairUrlRecord; + typedef ::std::map< OUString, ::std::vector< NamePassRecord > > PassMap; + ++// org.openoffice.Office.Common/Passwords/StorageVersion bump if details of ++// how password details are saved changes. Enables migration from previous ++// schemes. ++constexpr sal_Int32 nCurrentStorageVersion = 1; + + class PasswordContainer; + +@@ -195,6 +199,8 @@ public: + void remove( const OUString& url, const OUString& rec ); + void clear(); + ++ sal_Int32 getStorageVersion(); ++ + bool getEncodedMP( OUString& aResult ); + void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false ); + void setUseStorage( bool bUse ); +diff --git a/uui/source/iahndl-authentication.cxx b/uui/source/iahndl-authentication.cxx +index 4835a485dd2a..5764e62cb1c6 100644 +--- a/uui/source/iahndl-authentication.cxx ++++ b/uui/source/iahndl-authentication.cxx +@@ -436,8 +436,9 @@ executeMasterPasswordDialog( + OUStringBuffer aBuffer; + for (sal_uInt8 i : aKey) + { +- aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4))); +- aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15))); ++ // match PasswordContainer::DecodePasswords aMasterPasswd.copy(index * 2, 2).toUInt32(16)); ++ aBuffer.append(OUString::number(i >> 4, 16)); ++ aBuffer.append(OUString::number(i & 15, 16)); + } + rInfo.SetPassword(aBuffer.makeStringAndClear()); + } +-- +2.37.1 + diff --git a/SOURCES/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch b/SOURCES/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch new file mode 100644 index 0000000..08642bf --- /dev/null +++ b/SOURCES/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch @@ -0,0 +1,586 @@ +From a3046cfa58bdfa2a1b9ea6287a021230830f056f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 22 Mar 2022 17:22:22 +0000 +Subject: [PATCH] add Initialization Vectors to password storage + +old ones default to the current all zero case and continue to work +as before + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306 +Reviewed-by: Thorsten Behrens +(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad) + +Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133907 +Tested-by: Michael Stahl +Reviewed-by: Michael Stahl +--- + .../schema/org/openoffice/Office/Common.xcs | 10 ++ + .../passwordcontainer/passwordcontainer.cxx | 127 ++++++++++++------ + .../passwordcontainer/passwordcontainer.hxx | 63 +++++++-- + 3 files changed, 151 insertions(+), 49 deletions(-) + +diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +index b033b29b60d7..e57d26ab3366 100644 +--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs ++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +@@ -27,6 +27,11 @@ + + Contains a container for passwords. + ++ ++ ++ Contains an initialization vector for the password encryption. ++ ++ + + + Contains a password encoded with the master password. +@@ -923,6 +928,11 @@ + + false + ++ ++ ++ Contains an initialization vector for the master password encryption. ++ ++ + + + Contains the master password encrypted by itself. +diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx +index ff0b40df4016..380188ef495c 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.cxx ++++ b/svl/source/passwordcontainer/passwordcontainer.cxx +@@ -184,15 +184,18 @@ PassMap StorageItem::getInfo() + + Sequence< OUString > aNodeNames = ConfigItem::GetNodeNames( "Store" ); + sal_Int32 aNodeCount = aNodeNames.getLength(); +- Sequence< OUString > aPropNames( aNodeCount ); ++ Sequence< OUString > aPropNames( aNodeCount * 2); + + std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.begin(), + [](const OUString& rName) -> OUString { + return "Store/Passwordstorage['" + rName + "']/Password"; }); ++ std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.getArray() + aNodeCount, ++ [](const OUString& rName) -> OUString { ++ return "Store/Passwordstorage['" + rName + "']/InitializationVector"; }); + + Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aPropNames ); + +- if( aPropertyValues.getLength() != aNodeCount ) ++ if( aPropertyValues.getLength() != aNodeCount * 2) + { + OSL_FAIL( "Problems during reading" ); + return aResult; +@@ -208,14 +211,16 @@ PassMap StorageItem::getInfo() + OUString aName = aUrlUsr[1]; + + OUString aEPasswd; ++ OUString aIV; + aPropertyValues[aNodeInd] >>= aEPasswd; ++ aPropertyValues[aNodeInd + aNodeCount] >>= aIV; + + PassMap::iterator aIter = aResult.find( aUrl ); + if( aIter != aResult.end() ) +- aIter->second.emplace_back( aName, aEPasswd ); ++ aIter->second.emplace_back( aName, aEPasswd, aIV ); + else + { +- NamePassRecord aNewRecord( aName, aEPasswd ); ++ NamePassRecord aNewRecord( aName, aEPasswd, aIV ); + std::vector< NamePassRecord > listToAdd( 1, aNewRecord ); + + aResult.insert( PairUrlRecord( aUrl, listToAdd ) ); +@@ -279,17 +284,19 @@ sal_Int32 StorageItem::getStorageVersion() + return nResult; + } + +-bool StorageItem::getEncodedMP( OUString& aResult ) ++bool StorageItem::getEncodedMP( OUString& aResult, OUString& aResultIV ) + { + if( hasEncoded ) + { + aResult = mEncoded; ++ aResultIV = mEncodedIV; + return true; + } + +- Sequence< OUString > aNodeNames( 2 ); ++ Sequence< OUString > aNodeNames( 3 ); + aNodeNames[0] = "HasMaster"; + aNodeNames[1] = "Master"; ++ aNodeNames[2] = "MasterInitializationVector"; + + Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames ); + +@@ -301,32 +308,37 @@ bool StorageItem::getEncodedMP( OUString& aResult ) + + aPropertyValues[0] >>= hasEncoded; + aPropertyValues[1] >>= mEncoded; ++ aPropertyValues[2] >>= mEncodedIV; + + aResult = mEncoded; ++ aResultIV = mEncodedIV; + + return hasEncoded; + } + + +-void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty ) ++void StorageItem::setEncodedMP( const OUString& aEncoded, const OUString& aEncodedIV, bool bAcceptEmpty ) + { +- Sequence< OUString > sendNames(3); +- Sequence< uno::Any > sendVals(3); ++ Sequence< OUString > sendNames(4); ++ Sequence< uno::Any > sendVals(4); + + sendNames[0] = "HasMaster"; + sendNames[1] = "Master"; +- sendNames[2] = "StorageVersion"; ++ sendNames[2] = "MasterInitializationVector"; ++ sendNames[3] = "StorageVersion"; + + bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty ); + sendVals[0] <<= bHasMaster; + sendVals[1] <<= aEncoded; +- sendVals[2] <<= nCurrentStorageVersion; ++ sendVals[2] <<= aEncodedIV; ++ sendVals[3] <<= nCurrentStorageVersion; + + ConfigItem::SetModified(); + ConfigItem::PutProperties( sendNames, sendVals ); + + hasEncoded = bHasMaster; + mEncoded = aEncoded; ++ mEncodedIV = aEncodedIV; + } + + +@@ -362,11 +374,13 @@ void StorageItem::update( const OUString& aURL, const NamePassRecord& aRecord ) + forIndex.push_back( aURL ); + forIndex.push_back( aRecord.GetUserName() ); + +- Sequence< beans::PropertyValue > sendSeq(1); ++ Sequence< beans::PropertyValue > sendSeq(2); + +- sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password"; ++ sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( { aURL, aRecord.GetUserName() } ) + "']/InitializationVector"; ++ sendSeq[0].Value <<= aRecord.GetPersistentIV(); + +- sendSeq[0].Value <<= aRecord.GetPersPasswords(); ++ sendSeq[1].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password"; ++ sendSeq[1].Value <<= aRecord.GetPersPasswords(); + + ConfigItem::SetModified(); + ConfigItem::SetSetProperties( "Store", sendSeq ); +@@ -427,7 +441,7 @@ void SAL_CALL PasswordContainer::disposing( const EventObject& ) + } + } + +-std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode ) ++std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode ) + { + if( !aMasterPasswd.isEmpty() ) + { +@@ -442,9 +456,16 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin + for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) + code[ ind ] = static_cast(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16)); + ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0}; ++ if (!aIV.isEmpty()) ++ { ++ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) ++ iv[ ind ] = static_cast(aIV.copy( ind*2, 2 ).toUInt32(16)); ++ } ++ + rtlCipherError result = rtl_cipher_init ( + aDecoder, rtl_Cipher_DirectionDecode, +- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 ); ++ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 ); + + if( result == rtl_Cipher_E_None ) + { +@@ -477,7 +498,7 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin + "Can't decode!", css::uno::Reference(), mode); + } + +-OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPasswd ) ++OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPasswd) + { + if( !aMasterPasswd.isEmpty() ) + { +@@ -494,9 +515,16 @@ OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines + for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) + code[ ind ] = static_cast(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16)); + ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0}; ++ if (!aIV.isEmpty()) ++ { ++ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) ++ iv[ ind ] = static_cast(aIV.copy( ind*2, 2 ).toUInt32(16)); ++ } ++ + rtlCipherError result = rtl_cipher_init ( + aEncoder, rtl_Cipher_DirectionEncode, +- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 ); ++ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 ); + + if( result == rtl_Cipher_E_None ) + { +@@ -564,7 +592,7 @@ void PasswordContainer::UpdateVector( const OUString& aURL, std::vector< NamePas + + if( aRecord.HasPasswords( PERSISTENT_RECORD ) ) + { +- aNPIter.SetPersPasswords( aRecord.GetPersPasswords() ); ++ aNPIter.SetPersPasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV() ); + + if( writeFile ) + { +@@ -597,7 +625,8 @@ UserRecord PasswordContainer::CopyToUserRecord( const NamePassRecord& aRecord, b + { + try + { +- ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ); ++ ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV(), ++ GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ); + aPasswords.insert( aPasswords.end(), aDecodedPasswords.begin(), aDecodedPasswords.end() ); + } + catch( NoMasterException& ) +@@ -642,6 +671,19 @@ void SAL_CALL PasswordContainer::addPersistent( const OUString& Url, const OUStr + PrivateAdd( Url, UserName, Passwords, PERSISTENT_RECORD, aHandler ); + } + ++OUString PasswordContainer::createIV() ++{ ++ rtlRandomPool randomPool = mRandomPool.get(); ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5]; ++ rtl_random_getBytes(randomPool, iv, RTL_DIGEST_LENGTH_MD5); ++ OUStringBuffer aBuffer; ++ for (sal_uInt8 i : iv) ++ { ++ aBuffer.append(OUString::number(i >> 4, 16)); ++ aBuffer.append(OUString::number(i & 15, 16)); ++ } ++ return aBuffer.makeStringAndClear(); ++} + + void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserName, const Sequence< OUString >& Passwords, char Mode, const Reference< XInteractionHandler >& aHandler ) + { +@@ -649,7 +691,11 @@ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserNam + ::std::vector< OUString > aStorePass = comphelper::sequenceToContainer< std::vector >( Passwords ); + + if( Mode == PERSISTENT_RECORD ) +- aRecord.SetPersPasswords( EncodePasswords( aStorePass, GetMasterPassword( aHandler ) ) ); ++ { ++ OUString sIV = createIV(); ++ OUString sEncodedPasswords = EncodePasswords( aStorePass, sIV, GetMasterPassword( aHandler ) ); ++ aRecord.SetPersPasswords( sEncodedPasswords, sIV ); ++ } + else if( Mode == MEMORY_RECORD ) + aRecord.SetMemPasswords( aStorePass ); + else +@@ -842,10 +888,10 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + + if( m_aMasterPasswd.isEmpty() && aHandler.is() ) + { +- OUString aEncodedMP; ++ OUString aEncodedMP, aEncodedMPIV; + bool bDefaultPassword = false; + +- if( !m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ if( !m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + aRMode = PasswordRequestMode_PASSWORD_CREATE; + else if ( aEncodedMP.isEmpty() ) + { +@@ -867,14 +913,15 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + m_aMasterPasswd = aPass; + std::vector< OUString > aMaster( 1, m_aMasterPasswd ); + +- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) ); ++ OUString sIV = createIV(); ++ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, sIV, m_aMasterPasswd ), sIV ); + } + else + { + if (m_pStorageFile->getStorageVersion() == 0) + aPass = ReencodeAsOldHash(aPass); + +- std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) ); ++ std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aEncodedMPIV, aPass, aRMode ) ); + if( aRM.empty() || aPass != aRM[0] ) + { + bAskAgain = true; +@@ -1031,7 +1078,8 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere + { + sal_Int32 oldLen = aUsers.getLength(); + aUsers.realloc( oldLen + 1 ); +- aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) ); ++ aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), aNP.GetPersistentIV(), ++ GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) ); + } + + if( aUsers.hasElements() ) +@@ -1048,12 +1096,12 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere + sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::Reference< task::XInteractionHandler >& xHandler ) + { + bool bResult = false; +- OUString aEncodedMP; ++ OUString aEncodedMP, aEncodedMPIV; + uno::Reference< task::XInteractionHandler > xTmpHandler = xHandler; + ::osl::MutexGuard aGuard( mMutex ); + + // the method should fail if there is no master password +- if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + { + if ( aEncodedMP.isEmpty() ) + { +@@ -1122,8 +1170,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference< + + bool bCanChangePassword = true; + // if there is already a stored master password it should be entered by the user before the change happen +- OUString aEncodedMP; +- if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ OUString aEncodedMP, aEncodedMPIV; ++ if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + bCanChangePassword = authorizateWithMasterPassword( xTmpHandler ); + + if ( bCanChangePassword ) +@@ -1142,7 +1190,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference< + // store the new master password + m_aMasterPasswd = aPass; + std::vector< OUString > aMaster( 1, m_aMasterPasswd ); +- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) ); ++ OUString aIV = createIV(); ++ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, aIV, m_aMasterPasswd ), aIV ); + + // store all the entries with the new password + for ( const auto& rURL : aPersistent ) +@@ -1167,7 +1216,7 @@ void SAL_CALL PasswordContainer::removeMasterPassword() + if ( m_pStorageFile ) + { + m_aMasterPasswd.clear(); +- m_pStorageFile->setEncodedMP( OUString() ); // let the master password be removed from configuration ++ m_pStorageFile->setEncodedMP( OUString(), OUString() ); // let the master password be removed from configuration + } + } + +@@ -1178,8 +1227,8 @@ sal_Bool SAL_CALL PasswordContainer::hasMasterPassword( ) + if ( !m_pStorageFile ) + throw uno::RuntimeException(); + +- OUString aEncodedMP; +- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) ); ++ OUString aEncodedMP, aEncodedMPIV; ++ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ); + } + + sal_Bool SAL_CALL PasswordContainer::allowPersistentStoring( sal_Bool bAllow ) +@@ -1226,8 +1275,8 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere + + bool bCanChangePassword = true; + // if there is already a stored nondefault master password it should be entered by the user before the change happen +- OUString aEncodedMP; +- if( m_pStorageFile->getEncodedMP( aEncodedMP ) && !aEncodedMP.isEmpty() ) ++ OUString aEncodedMP, aEncodedMPIV; ++ if( m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && !aEncodedMP.isEmpty() ) + bCanChangePassword = authorizateWithMasterPassword( xTmpHandler ); + + if ( bCanChangePassword ) +@@ -1244,7 +1293,7 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere + + // store the empty string to flag the default master password + m_aMasterPasswd = aPass; +- m_pStorageFile->setEncodedMP( OUString(), true ); ++ m_pStorageFile->setEncodedMP( OUString(), OUString(), true ); + + // store all the entries with the new password + for ( const auto& rURL : aPersistent ) +@@ -1268,8 +1317,8 @@ sal_Bool SAL_CALL PasswordContainer::isDefaultMasterPasswordUsed() + if ( !m_pStorageFile ) + throw uno::RuntimeException(); + +- OUString aEncodedMP; +- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) && aEncodedMP.isEmpty() ); ++ OUString aEncodedMP, aEncodedMPIV; ++ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && aEncodedMP.isEmpty() ); + } + + +diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx +index cf5c717d0c9e..4e3a6629139e 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.hxx ++++ b/svl/source/passwordcontainer/passwordcontainer.hxx +@@ -33,6 +33,7 @@ + #include + #include + ++#include + #include + #include + +@@ -51,11 +52,12 @@ class NamePassRecord + ::std::vector< OUString > m_aMemPass; + + // persistent passwords are encrypted in one string +- bool m_bHasPersPass; ++ bool m_bHasPersPass; + OUString m_aPersPass; ++ OUString m_aPersistentIV; + + void InitArrays( bool bHasMemoryList, const ::std::vector< OUString >& aMemoryList, +- bool bHasPersistentList, const OUString& aPersistentList ) ++ bool bHasPersistentList, const OUString& aPersistentList, const OUString& aPersistentIV ) + { + m_bHasMemPass = bHasMemoryList; + if ( bHasMemoryList ) +@@ -63,7 +65,10 @@ class NamePassRecord + + m_bHasPersPass = bHasPersistentList; + if ( bHasPersistentList ) ++ { + m_aPersPass = aPersistentList; ++ m_aPersistentIV = aPersistentIV; ++ } + } + + public: +@@ -75,11 +80,12 @@ public: + { + } + +- NamePassRecord( const OUString& aName, const OUString& aPersistentList ) ++ NamePassRecord( const OUString& aName, const OUString& aPersistentList, const OUString& aPersistentIV ) + : m_aName( aName ) + , m_bHasMemPass( false ) + , m_bHasPersPass( true ) + , m_aPersPass( aPersistentList ) ++ , m_aPersistentIV( aPersistentIV ) + { + } + +@@ -88,7 +94,8 @@ public: + , m_bHasMemPass( false ) + , m_bHasPersPass( false ) + { +- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass ); ++ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, ++ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV ); + } + + NamePassRecord& operator=( const NamePassRecord& aRecord ) +@@ -99,7 +106,9 @@ public: + + m_aMemPass.clear(); + m_aPersPass.clear(); +- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass ); ++ m_aPersistentIV.clear(); ++ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, ++ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV ); + } + return *this; + } +@@ -135,15 +144,24 @@ public: + return OUString(); + } + ++ OUString GetPersistentIV() const ++ { ++ if ( m_bHasPersPass ) ++ return m_aPersistentIV; ++ ++ return OUString(); ++ } ++ + void SetMemPasswords( const ::std::vector< OUString >& aMemList ) + { + m_aMemPass = aMemList; + m_bHasMemPass = true; + } + +- void SetPersPasswords( const OUString& aPersList ) ++ void SetPersPasswords( const OUString& aPersList, const OUString& aPersIV ) + { + m_aPersPass = aPersList; ++ m_aPersistentIV = aPersIV; + m_bHasPersPass = true; + } + +@@ -158,6 +176,7 @@ public: + { + m_bHasPersPass = false; + m_aPersPass.clear(); ++ m_aPersistentIV.clear(); + } + } + +@@ -181,6 +200,7 @@ private: + PasswordContainer* mainCont; + bool hasEncoded; + OUString mEncoded; ++ OUString mEncodedIV; + + virtual void ImplCommit() override; + +@@ -201,8 +221,8 @@ public: + + sal_Int32 getStorageVersion(); + +- bool getEncodedMP( OUString& aResult ); +- void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false ); ++ bool getEncodedMP( OUString& aResult, OUString& aResultIV ); ++ void setEncodedMP( const OUString& aResult, const OUString& aResultIV, bool bAcceptEmpty = false ); + void setUseStorage( bool bUse ); + bool useStorage(); + +@@ -223,6 +243,29 @@ private: + css::uno::Reference< css::lang::XComponent > mComponent; + SysCredentialsConfig mUrlContainer; + ++ class RandomPool ++ { ++ private: ++ rtlRandomPool m_aRandomPool; ++ public: ++ RandomPool() : m_aRandomPool(rtl_random_createPool()) ++ { ++ } ++ rtlRandomPool get() ++ { ++ return m_aRandomPool; ++ } ++ ~RandomPool() ++ { ++ // Clean up random pool memory ++ rtl_random_destroyPool(m_aRandomPool); ++ } ++ }; ++ ++ RandomPool mRandomPool; ++ ++ OUString createIV(); ++ + /// @throws css::uno::RuntimeException + css::uno::Sequence< css::task::UserRecord > CopyToUserRecordSequence( + const ::std::vector< NamePassRecord >& original, +@@ -273,10 +316,10 @@ css::task::UrlRecord find( + const css::uno::Reference< css::task::XInteractionHandler >& Handler ); + + /// @throws css::uno::RuntimeException +- static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aMasterPassword, css::task::PasswordRequestMode mode ); ++ static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPassword, css::task::PasswordRequestMode mode ); + + /// @throws css::uno::RuntimeException +- static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPassword ); ++ static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPassword ); + + public: + PasswordContainer( const css::uno::Reference< css::lang::XMultiServiceFactory >& ); +-- +2.37.1 + diff --git a/SOURCES/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch b/SOURCES/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch new file mode 100644 index 0000000..c8f70ac --- /dev/null +++ b/SOURCES/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch @@ -0,0 +1,117 @@ +From 4cfd591942e4cfd3efc416bfac8e46e3580d37ba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 23 Mar 2022 13:03:30 +0000 +Subject: [PATCH] add infobar to prompt to refresh to replace old format + +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit bbd196ff82bda9f66b4ba32a412f10cefe6da60e) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132307 +Reviewed-by: Sophie Gautier +Reviewed-by: Christian Lohmaier +(cherry picked from commit c5d01b11db3c83cb4a89d3b388d78e20dd3990b5) + +Change-Id: Id99cbf2b50a4ebf289dae6fc67e22e20afcda35b +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133906 +Tested-by: Michael Stahl +Reviewed-by: Michael Stahl +--- + include/sfx2/strings.hrc | 2 ++ + include/sfx2/viewfrm.hxx | 1 + + sfx2/source/view/viewfrm.cxx | 40 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 43 insertions(+) + +diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc +index 1f21f0a0f186..1db36e733c0c 100644 +--- a/include/sfx2/strings.hrc ++++ b/include/sfx2/strings.hrc +@@ -297,6 +297,8 @@ + #define STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK NC_("STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK", "The certificate could not be validated and the document is only partially signed.") + #define STR_SIGNATURE_OK NC_("STR_SIGNATURE_OK", "This document is digitally signed and the signature is valid.") + #define STR_SIGNATURE_SHOW NC_("STR_SIGNATURE_SHOW", "Show Signatures") ++#define STR_REFRESH_MASTER_PASSWORD NC_("STR_REFRESH_MASTER_PASSWORD", "The master password is stored in an outdated format, you should refresh it") ++#define STR_REFRESH_PASSWORD NC_("STR_REFRESH_PASSWORD", "Refresh Password") + + #define STR_CLOSE_PANE NC_("STR_CLOSE_PANE", "Close Pane") + #define STR_SFX_DOCK NC_("STR_SFX_DOCK", "Dock") +diff --git a/include/sfx2/viewfrm.hxx b/include/sfx2/viewfrm.hxx +index fe336ba5f091..cc6a7dae7047 100644 +--- a/include/sfx2/viewfrm.hxx ++++ b/include/sfx2/viewfrm.hxx +@@ -61,6 +61,7 @@ protected: + DECL_LINK(WhatsNewHandler, Button*, void); + DECL_LINK(SwitchReadOnlyHandler, Button*, void); + DECL_LINK(SignDocumentHandler, Button*, void); ++ DECL_DLLPRIVATE_LINK(RefreshMasterPasswordHdl, Button*, void); + SAL_DLLPRIVATE void KillDispatcher_Impl(); + + virtual ~SfxViewFrame() override; +diff --git a/sfx2/source/view/viewfrm.cxx b/sfx2/source/view/viewfrm.cxx +index 5a64599e5894..86e7d51bbfea 100644 +--- a/sfx2/source/view/viewfrm.cxx ++++ b/sfx2/source/view/viewfrm.cxx +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1390,6 +1391,24 @@ void SfxViewFrame::Notify( SfxBroadcaster& /*rBC*/, const SfxHint& rHint ) + batch->commit(); + } + ++ if (officecfg::Office::Common::Passwords::HasMaster::get() && ++ officecfg::Office::Common::Passwords::StorageVersion::get() == 0) ++ { ++ // master password stored in deprecated format ++ VclPtr pOldMasterPasswordInfoBar = ++ AppendInfoBar("oldmasterpassword", "", ++ SfxResId(STR_REFRESH_MASTER_PASSWORD), InfobarType::DANGER, false); ++ if (pOldMasterPasswordInfoBar) ++ { ++ VclPtrInstance const xBtn(&GetWindow()); ++ xBtn->SetText(SfxResId(STR_REFRESH_PASSWORD)); ++ xBtn->SetSizePixel(xBtn->GetOptimalSize()); ++ xBtn->SetClickHdl(LINK(this, ++ SfxViewFrame, RefreshMasterPasswordHdl)); ++ pOldMasterPasswordInfoBar->addButton(xBtn); ++ } ++ } ++ + // read-only infobar if necessary + const SfxViewShell *pVSh; + const SfxShell *pFSh; +@@ -1565,6 +1584,27 @@ IMPL_LINK_NOARG(SfxViewFrame, SignDocumentHandler, Button*, void) + GetDispatcher()->Execute(SID_SIGNATURE); + } + ++IMPL_LINK_NOARG(SfxViewFrame, RefreshMasterPasswordHdl, Button*, void) ++{ ++ bool bChanged = false; ++ try ++ { ++ Reference< task::XPasswordContainer2 > xMasterPasswd( ++ task::PasswordContainer::create(comphelper::getProcessComponentContext())); ++ ++ css::uno::Reference xFrame = GetFrame().GetFrameInterface(); ++ css::uno::Reference xContainerWindow = xFrame->getContainerWindow(); ++ ++ uno::Reference xTmpHandler(task::InteractionHandler::createWithParent(comphelper::getProcessComponentContext(), ++ xContainerWindow)); ++ bChanged = xMasterPasswd->changeMasterPassword(xTmpHandler); ++ } ++ catch (const Exception&) ++ {} ++ if (bChanged) ++ RemoveInfoBar(u"oldmasterpassword"); ++} ++ + void SfxViewFrame::Construct_Impl( SfxObjectShell *pObjSh ) + { + m_pImpl->bResizeInToOut = true; +-- +2.37.1 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index fbf9d6a..0b65bf6 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 11%{?libo_prerelease}%{?dist} +Release: 12%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -280,6 +280,11 @@ Patch36: 0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch Patch39: 0001-CVE-2021-25636.patch +Patch40: 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch +Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch +Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch +Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch +Patch44: 0001-CVE-2022-3140.patch %if 0%{?rhel} # not upstreamed @@ -1130,7 +1135,13 @@ touch autogen.lastrun ulimit -c unlimited || true -make verbose=true build-nocheck +if ! make verbose=true build-nocheck; then + echo "build attempt 1 failed" + if ! make verbose=true build-nocheck; then + echo "build attempt 2 failed" + make verbose=true GMAKE_OPTIONS=-rj1 build-nocheck + fi +fi #generate the icons and mime type stuff export DESTDIR=../output @@ -2276,6 +2287,12 @@ done %{_includedir}/LibreOfficeKit %changelog +* Fri Oct 14 2022 Caolán McNamara - 1:6.4.7.2-12 +- Resolves: rhbz#2134752 CVE-2022-26305 Untrusted Macros +- Resolves: rhbz#2134751 CVE-2022-26307 Weak Master Keys +- Resolves: rhbz#2134750 CVE-2022-26306 Static Initialization Vector +- Resolves: rhbz#2134753 CVE-2022-3140 Macro URL arbitrary script execution + * Mon Mar 07 2022 Caolán McNamara - 1:6.4.7.2-11 - Resolves: rhbz#2060559 CVE-2021-25636