import libreoffice-6.4.7.2-12.el8_7

This commit is contained in:
CentOS Sources 2023-01-12 03:27:22 -05:00 committed by Stepan Oksanichenko
parent c5711baf0e
commit fdfe5265c8
6 changed files with 1262 additions and 2 deletions

View File

@ -0,0 +1,63 @@
From 77f30ada1156ca1e1357776fea8e9dc113f6898d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Thu, 3 Mar 2022 14:22:37 +0000
Subject: [PATCH 1/4] CVE-2022-26305 compare authors using Thumbprint
Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
(cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8)
---
.../component/documentdigitalsignatures.cxx | 23 +++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx
index b9066ea92cac..5a21c8421bec 100644
--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx
+++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx
@@ -19,9 +19,10 @@
#include <resourcemanager.hxx>
-#include <digitalsignaturesdialog.hxx>
+#include <certificate.hxx>
#include <certificatechooser.hxx>
#include <certificateviewer.hxx>
+#include <digitalsignaturesdialog.hxx>
#include <macrosecurity.hxx>
#include <biginteger.hxx>
#include <strings.hrc>
@@ -666,9 +667,23 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted(
Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors();
return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(),
- [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
- return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName())
- && ( rAuthor[1] == sSerialNum );
+ [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) {
+ if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()))
+ return false;
+ if (rAuthor[1] != sSerialNum)
+ return false;
+
+ DocumentSignatureManager aSignatureManager(mxCtx, {});
+ if (!aSignatureManager.init())
+ return false;
+ uno::Reference<css::security::XCertificate> xCert = aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]);
+
+ auto pAuthor = dynamic_cast<xmlsecurity::Certificate*>(xAuthor.get());
+ auto pCert = dynamic_cast<xmlsecurity::Certificate*>(xCert.get());
+ if (pAuthor && pCert)
+ return pCert->getSHA256Thumbprint() == pAuthor->getSHA256Thumbprint();
+
+ return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint();
});
}
--
2.37.1

View File

@ -0,0 +1,279 @@
From 3831e68bffc233f581e3eb1cb3c7ed925daab86f Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Tue, 30 Aug 2022 14:04:52 +0200
Subject: [PATCH] Filter out unwanted command URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139225
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 27d29f7df428885865a8e2313283839b20f2a34b)
Conflicts:
desktop/source/app/cmdlineargs.cxx
Change-Id: I0b7e5329af8cc053d14d5c60ec14fe7f364ef993
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139182
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
(cherry picked from commit da291e2960b75153f41d440a1b41961567432e8c)
These commands are always URLs already
Change-Id: I5083765c879689d7f933bbe00ad70bb68e635a21
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139042
Tested-by: Jean-Pierre Ledure <jp@ledure.be>
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit e61701e1ee6763de72b397e6ade1124eca9400f3)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138980
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 5b4025bb56999f5c895c6f7e0b52f521800d65b0)
check IFrame "FrameURL" target
similiar to
commit b3edf85e0fe6ca03dc26e1bf531be82193bc9627
Date: Wed Aug 7 17:37:11 2019 +0100
warn on load when a document binds an event to a macro
Change-Id: Iea888b1c083d2dc69ec322309ac9ae8c5e5eb315
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139059
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit c7450d0b9d02c64ae3da467d329040787039767e)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139117
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
(cherry picked from commit f5e3b0a7966d7d28817292adbb58fb43f28b7c6d)
check impress/calc IFrame "FrameURL" target
similar to
commit c7450d0b9d02c64ae3da467d329040787039767e
Date: Tue Aug 30 17:01:08 2022 +0100
check IFrame "FrameURL" target
Change-Id: Ibf28c29acb4476830431d02772f3ecd4b23a6a27
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139495
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit d0312786571221c2dd4f63fa69f6f0489d7d39ec)
---
desktop/source/app/cmdlineargs.cxx | 10 +++++++++-
sfx2/source/appl/macroloader.cxx | 9 +++++++--
sfx2/source/doc/iframe.cxx | 21 ++++++++++++++++-----
sfx2/source/inc/macroloader.hxx | 2 ++
sw/source/filter/html/htmlplug.cxx | 7 ++++++-
sw/source/filter/xml/xmltexti.cxx | 9 +++++++--
wizards/source/access2base/DoCmd.xba | 2 +-
xmloff/source/draw/ximpshap.cxx | 4 ++++
8 files changed, 52 insertions(+), 12 deletions(-)
diff --git a/desktop/source/app/cmdlineargs.cxx b/desktop/source/app/cmdlineargs.cxx
index 381147c..5babfbe 100644
--- a/desktop/source/app/cmdlineargs.cxx
+++ b/desktop/source/app/cmdlineargs.cxx
@@ -27,6 +27,7 @@
#include "cmdlineargs.hxx"
#include <tools/stream.hxx>
+#include <tools/urlobj.hxx>
#include <vcl/svapp.hxx>
#include <rtl/uri.hxx>
#include <rtl/ustring.hxx>
@@ -169,7 +170,14 @@ CommandLineEvent CheckOfficeURI(/* in,out */ OUString& arg, CommandLineEvent cur
}
if (nURIlen < 0)
nURIlen = rest2.getLength();
- arg = rest2.copy(0, nURIlen);
+ auto const uri = rest2.copy(0, nURIlen);
+ if (INetURLObject(uri).GetProtocol() == INetProtocol::Macro) {
+ // Let the "Open" machinery process the full command URI (leading to failure, by intention,
+ // as the "Open" machinery does not know about those command URI schemes):
+ curEvt = CommandLineEvent::Open;
+ } else {
+ arg = uri;
+ }
return curEvt;
}
diff --git a/sfx2/source/appl/macroloader.cxx b/sfx2/source/appl/macroloader.cxx
index 98e036e..b50d1e6 100644
--- a/sfx2/source/appl/macroloader.cxx
+++ b/sfx2/source/appl/macroloader.cxx
@@ -76,10 +76,10 @@ css::uno::Sequence<OUString> SAL_CALL SfxMacroLoader::getSupportedServiceNames()
return aSeq;
}
-SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+SfxObjectShell* SfxMacroLoader::GetObjectShell(const Reference <XFrame>& xFrame)
{
SfxObjectShell* pDocShell = nullptr;
- Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
+
if ( xFrame.is() )
{
SfxFrame* pFrame=nullptr;
@@ -96,6 +96,11 @@ SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
return pDocShell;
}
+SfxObjectShell* SfxMacroLoader::GetObjectShell_Impl()
+{
+ Reference < XFrame > xFrame( m_xFrame.get(), UNO_QUERY );
+ return SfxMacroLoader::GetObjectShell(xFrame);
+}
uno::Reference<frame::XDispatch> SAL_CALL SfxMacroLoader::queryDispatch(
const util::URL& aURL ,
diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
index 8b12715..b5291b2 100644
--- a/sfx2/source/doc/iframe.cxx
+++ b/sfx2/source/doc/iframe.cxx
@@ -39,11 +39,13 @@
#include <svl/ownlist.hxx>
#include <svl/itemprop.hxx>
#include <sfx2/frmdescr.hxx>
+#include <sfx2/objsh.hxx>
#include <sfx2/sfxdlg.hxx>
#include <sfx2/sfxsids.hrc>
#include <toolkit/helper/vclunohelper.hxx>
#include <vcl/window.hxx>
#include <tools/debug.hxx>
+#include <macroloader.hxx>
using namespace ::com::sun::star;
@@ -159,6 +161,19 @@ sal_Bool SAL_CALL IFrameObject::load(
{
if ( SvtMiscOptions().IsPluginsEnabled() )
{
+ util::URL aTargetURL;
+ aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+ uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
+ xTrans->parseStrict( aTargetURL );
+
+ if (INetURLObject(aTargetURL.Complete).GetProtocol() == INetProtocol::Macro)
+ {
+ uno::Reference<frame::XFramesSupplier> xParentFrame = xFrame->getCreator();
+ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+ if (pDoc && !pDoc->AdjustMacroMode())
+ return false;
+ }
+
DBG_ASSERT( !mxFrame.is(), "Frame already existing!" );
VclPtr<vcl::Window> pParent = VCLUnoHelper::GetWindow( xFrame->getContainerWindow() );
VclPtr<IFrameWindow_Impl> pWin = VclPtr<IFrameWindow_Impl>::Create( pParent, maFrmDescr.IsFrameBorderOn() );
@@ -181,16 +196,12 @@ sal_Bool SAL_CALL IFrameObject::load(
if ( xFramesSupplier.is() )
mxFrame->setCreator( xFramesSupplier );
- util::URL aTargetURL;
- aTargetURL.Complete = maFrmDescr.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
- uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( mxContext ) );
- xTrans->parseStrict( aTargetURL );
-
uno::Sequence < beans::PropertyValue > aProps(2);
aProps[0].Name = "PluginMode";
aProps[0].Value <<= sal_Int16(2);
aProps[1].Name = "ReadOnly";
aProps[1].Value <<= true;
+
uno::Reference < frame::XDispatch > xDisp = mxFrame->queryDispatch( aTargetURL, "_self", 0 );
if ( xDisp.is() )
xDisp->dispatch( aTargetURL, aProps );
diff --git a/sfx2/source/inc/macroloader.hxx b/sfx2/source/inc/macroloader.hxx
index 9e1dfba..b3e7a5e 100644
--- a/sfx2/source/inc/macroloader.hxx
+++ b/sfx2/source/inc/macroloader.hxx
@@ -82,6 +82,8 @@ public:
virtual void SAL_CALL addStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
virtual void SAL_CALL removeStatusListener( const css::uno::Reference< css::frame::XStatusListener >& xControl, const css::util::URL& aURL ) override;
+
+ static SfxObjectShell* GetObjectShell(const css::uno::Reference<css::frame::XFrame>& xFrame);
};
#endif
diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
index a0da671..eb70704 100644
--- a/sw/source/filter/html/htmlplug.cxx
+++ b/sw/source/filter/html/htmlplug.cxx
@@ -1087,7 +1087,12 @@ void SwHTMLParser::InsertFloatingFrame()
bool bHasBorder = aFrameDesc.HasFrameBorder();
Size aMargin = aFrameDesc.GetMargin();
- xSet->setPropertyValue("FrameURL", uno::makeAny( aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE ) ) );
+ OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+
+ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+ NotifyMacroEventRead();
+
+ xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
xSet->setPropertyValue("FrameName", uno::makeAny( aName ) );
if ( eScroll == ScrollingMode::Auto )
diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
index 788bec5..72a14b9 100644
--- a/sw/source/filter/xml/xmltexti.cxx
+++ b/sw/source/filter/xml/xmltexti.cxx
@@ -853,9 +853,14 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
uno::Reference < beans::XPropertySet > xSet( xObj->getComponent(), uno::UNO_QUERY );
if ( xSet.is() )
{
+ OUString sHRef = URIHelper::SmartRel2Abs(
+ INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+
+ if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
+ GetXMLImport().NotifyMacroEventRead();
+
xSet->setPropertyValue("FrameURL",
- makeAny( URIHelper::SmartRel2Abs(
- INetURLObject( GetXMLImport().GetBaseURL() ), rHRef ) ) );
+ makeAny( rHRef ) );
xSet->setPropertyValue("FrameName",
makeAny( rName ) );
diff --git a/wizards/source/access2base/DoCmd.xba b/wizards/source/access2base/DoCmd.xba
index 27b0d74..26755a8 100644
--- a/wizards/source/access2base/DoCmd.xba
+++ b/wizards/source/access2base/DoCmd.xba
@@ -2655,7 +2655,7 @@ Private Sub _ShellExecute(sCommand As String)
Dim oShell As Object
Set oShell = createUnoService(&quot;com.sun.star.system.SystemShellExecute&quot;)
- oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.DEFAULTS)
+ oShell.execute(sCommand, &quot;&quot; , com.sun.star.system.SystemShellExecuteFlags.URIS_ONLY)
End Sub &apos; _ShellExecute V0.8.5
diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
index 2e509f8..ae35f1e 100644
--- a/xmloff/source/draw/ximpshap.cxx
+++ b/xmloff/source/draw/ximpshap.cxx
@@ -87,6 +87,7 @@
#include <basegfx/polygon/b2dpolypolygon.hxx>
#include <basegfx/polygon/b2dpolypolygontools.hxx>
#include <basegfx/vector/b2dvector.hxx>
+#include <tools/urlobj.hxx>
#include <o3tl/safeint.hxx>
using namespace ::com::sun::star;
@@ -3243,6 +3244,9 @@ void SdXMLFloatingFrameShapeContext::StartElement( const css::uno::Reference< cs
if( !maHref.isEmpty() )
{
+ if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
+ GetImport().NotifyMacroEventRead();
+
xProps->setPropertyValue("FrameURL", Any(maHref) );
}
}
--
2.37.3

View File

@ -0,0 +1,198 @@
From 61f8673fb44150bd629d88f6626aff8d5b026449 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Mon, 21 Mar 2022 20:58:34 +0000
Subject: [PATCH] make hash encoding match decoding
Seeing as old versions of the hash may be in the users config, add a
StorageVersion field to the office config Passwords section which
defaults to 0 to indicate the old hash is in use.
Try the old varient when StorageVersion is 0. When a new encoded master
password it set write StorageVersion of 1 to indicate a new hash is in
use and use the new style when StorageVersion is 1.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132080
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit e890f54dbac57f3ab5acf4fbd31222095d3e8ab6)
svl: fix crash if user cancels/closes master password dialog
(regression from d7ba5614d90381d68f880ca7e7c5ef8bbb1b1c43)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133932
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit bbb8617ece6d946957c2eb96287081029bce530f)
Change-Id: I3174c37a5891bfc849984e0ec5c2c392b9c6e7b1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133905
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
.../schema/org/openoffice/Office/Common.xcs | 6 +++
.../passwordcontainer/passwordcontainer.cxx | 47 ++++++++++++++++++-
.../passwordcontainer/passwordcontainer.hxx | 6 +++
uui/source/iahndl-authentication.cxx | 5 +-
4 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
index b317f616deeb..b033b29b60d7 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
@@ -911,6 +911,12 @@
</info>
<value>false</value>
</prop>
+ <prop oor:name="StorageVersion" oor:type="xs:int" oor:nillable="false">
+ <info>
+ <desc>Specifies what version of encoding scheme the password container uses.</desc>
+ </info>
+ <value>0</value>
+ </prop>
<prop oor:name="HasMaster" oor:type="xs:boolean" oor:nillable="false">
<info>
<desc>Specifies if there is a valid master password.</desc>
diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
index 02947cd3892c..ff0b40df4016 100644
--- a/svl/source/passwordcontainer/passwordcontainer.cxx
+++ b/svl/source/passwordcontainer/passwordcontainer.cxx
@@ -17,6 +17,8 @@
* the License at http://www.apache.org/licenses/LICENSE-2.0 .
*/
+#include <sal/config.h>
+#include <sal/log.hxx>
#include "passwordcontainer.hxx"
@@ -259,6 +261,23 @@ bool StorageItem::useStorage()
return aResult;
}
+sal_Int32 StorageItem::getStorageVersion()
+{
+ Sequence<OUString> aNodeNames { "StorageVersion" };
+
+ Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
+
+ if( aPropertyValues.getLength() != aNodeNames.getLength() )
+ {
+ OSL_FAIL( "Problems during reading" );
+ return 0;
+ }
+
+ sal_Int32 nResult = 0;
+ aPropertyValues[0] >>= nResult;
+
+ return nResult;
+}
bool StorageItem::getEncodedMP( OUString& aResult )
{
@@ -291,15 +310,17 @@ bool StorageItem::getEncodedMP( OUString& aResult )
void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
{
- Sequence< OUString > sendNames(2);
- Sequence< uno::Any > sendVals(2);
+ Sequence< OUString > sendNames(3);
+ Sequence< uno::Any > sendVals(3);
sendNames[0] = "HasMaster";
sendNames[1] = "Master";
+ sendNames[2] = "StorageVersion";
bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
sendVals[0] <<= bHasMaster;
sendVals[1] <<= aEncoded;
+ sendVals[2] <<= nCurrentStorageVersion;
ConfigItem::SetModified();
ConfigItem::PutProperties( sendNames, sendVals );
@@ -800,6 +821,18 @@ OUString PasswordContainer::RequestPasswordFromUser( PasswordRequestMode aRMode,
return aResult;
}
+// Mangle the key to match an old bug
+static OUString ReencodeAsOldHash(const OUString& rPass)
+{
+ OUStringBuffer aBuffer;
+ for (int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ++ind)
+ {
+ unsigned char i = static_cast<char>(rPass.copy(ind * 2, 2).toUInt32(16));
+ aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
+ aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
+ }
+ return aBuffer.makeStringAndClear();
+}
OUString const & PasswordContainer::GetMasterPassword( const Reference< XInteractionHandler >& aHandler )
{
@@ -838,6 +871,9 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
}
else
{
+ if (m_pStorageFile->getStorageVersion() == 0)
+ aPass = ReencodeAsOldHash(aPass);
+
std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
if( aRM.empty() || aPass != aRM[0] )
{
@@ -1042,6 +1078,13 @@ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::R
do {
aPass = RequestPasswordFromUser( aRMode, xTmpHandler );
+
+
+ if (!aPass.isEmpty() && m_pStorageFile->getStorageVersion() == 0)
+ {
+ aPass = ReencodeAsOldHash(aPass);
+ }
+
bResult = ( !aPass.isEmpty() && aPass == m_aMasterPasswd );
aRMode = PasswordRequestMode_PASSWORD_REENTER; // further questions with error notification
} while( !bResult && !aPass.isEmpty() );
diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
index 09fb7e03629d..cf5c717d0c9e 100644
--- a/svl/source/passwordcontainer/passwordcontainer.hxx
+++ b/svl/source/passwordcontainer/passwordcontainer.hxx
@@ -167,6 +167,10 @@ public:
typedef ::std::pair< const OUString, ::std::vector< NamePassRecord > > PairUrlRecord;
typedef ::std::map< OUString, ::std::vector< NamePassRecord > > PassMap;
+// org.openoffice.Office.Common/Passwords/StorageVersion bump if details of
+// how password details are saved changes. Enables migration from previous
+// schemes.
+constexpr sal_Int32 nCurrentStorageVersion = 1;
class PasswordContainer;
@@ -195,6 +199,8 @@ public:
void remove( const OUString& url, const OUString& rec );
void clear();
+ sal_Int32 getStorageVersion();
+
bool getEncodedMP( OUString& aResult );
void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
void setUseStorage( bool bUse );
diff --git a/uui/source/iahndl-authentication.cxx b/uui/source/iahndl-authentication.cxx
index 4835a485dd2a..5764e62cb1c6 100644
--- a/uui/source/iahndl-authentication.cxx
+++ b/uui/source/iahndl-authentication.cxx
@@ -436,8 +436,9 @@ executeMasterPasswordDialog(
OUStringBuffer aBuffer;
for (sal_uInt8 i : aKey)
{
- aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4)));
- aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15)));
+ // match PasswordContainer::DecodePasswords aMasterPasswd.copy(index * 2, 2).toUInt32(16));
+ aBuffer.append(OUString::number(i >> 4, 16));
+ aBuffer.append(OUString::number(i & 15, 16));
}
rInfo.SetPassword(aBuffer.makeStringAndClear());
}
--
2.37.1

View File

@ -0,0 +1,586 @@
From a3046cfa58bdfa2a1b9ea6287a021230830f056f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 22 Mar 2022 17:22:22 +0000
Subject: [PATCH] add Initialization Vectors to password storage
old ones default to the current all zero case and continue to work
as before
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad)
Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133907
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
.../schema/org/openoffice/Office/Common.xcs | 10 ++
.../passwordcontainer/passwordcontainer.cxx | 127 ++++++++++++------
.../passwordcontainer/passwordcontainer.hxx | 63 +++++++--
3 files changed, 151 insertions(+), 49 deletions(-)
diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
index b033b29b60d7..e57d26ab3366 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs
@@ -27,6 +27,11 @@
<info>
<desc>Contains a container for passwords.</desc>
</info>
+ <prop oor:name="InitializationVector" oor:type="xs:string">
+ <info>
+ <desc>Contains an initialization vector for the password encryption.</desc>
+ </info>
+ </prop>
<prop oor:name="Password" oor:type="xs:string" oor:localized="false">
<info>
<desc>Contains a password encoded with the master password.</desc>
@@ -923,6 +928,11 @@
</info>
<value>false</value>
</prop>
+ <prop oor:name="MasterInitializationVector" oor:type="xs:string">
+ <info>
+ <desc>Contains an initialization vector for the master password encryption.</desc>
+ </info>
+ </prop>
<prop oor:name="Master" oor:type="xs:string" oor:nillable="false">
<info>
<desc>Contains the master password encrypted by itself.</desc>
diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx
index ff0b40df4016..380188ef495c 100644
--- a/svl/source/passwordcontainer/passwordcontainer.cxx
+++ b/svl/source/passwordcontainer/passwordcontainer.cxx
@@ -184,15 +184,18 @@ PassMap StorageItem::getInfo()
Sequence< OUString > aNodeNames = ConfigItem::GetNodeNames( "Store" );
sal_Int32 aNodeCount = aNodeNames.getLength();
- Sequence< OUString > aPropNames( aNodeCount );
+ Sequence< OUString > aPropNames( aNodeCount * 2);
std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.begin(),
[](const OUString& rName) -> OUString {
return "Store/Passwordstorage['" + rName + "']/Password"; });
+ std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.getArray() + aNodeCount,
+ [](const OUString& rName) -> OUString {
+ return "Store/Passwordstorage['" + rName + "']/InitializationVector"; });
Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aPropNames );
- if( aPropertyValues.getLength() != aNodeCount )
+ if( aPropertyValues.getLength() != aNodeCount * 2)
{
OSL_FAIL( "Problems during reading" );
return aResult;
@@ -208,14 +211,16 @@ PassMap StorageItem::getInfo()
OUString aName = aUrlUsr[1];
OUString aEPasswd;
+ OUString aIV;
aPropertyValues[aNodeInd] >>= aEPasswd;
+ aPropertyValues[aNodeInd + aNodeCount] >>= aIV;
PassMap::iterator aIter = aResult.find( aUrl );
if( aIter != aResult.end() )
- aIter->second.emplace_back( aName, aEPasswd );
+ aIter->second.emplace_back( aName, aEPasswd, aIV );
else
{
- NamePassRecord aNewRecord( aName, aEPasswd );
+ NamePassRecord aNewRecord( aName, aEPasswd, aIV );
std::vector< NamePassRecord > listToAdd( 1, aNewRecord );
aResult.insert( PairUrlRecord( aUrl, listToAdd ) );
@@ -279,17 +284,19 @@ sal_Int32 StorageItem::getStorageVersion()
return nResult;
}
-bool StorageItem::getEncodedMP( OUString& aResult )
+bool StorageItem::getEncodedMP( OUString& aResult, OUString& aResultIV )
{
if( hasEncoded )
{
aResult = mEncoded;
+ aResultIV = mEncodedIV;
return true;
}
- Sequence< OUString > aNodeNames( 2 );
+ Sequence< OUString > aNodeNames( 3 );
aNodeNames[0] = "HasMaster";
aNodeNames[1] = "Master";
+ aNodeNames[2] = "MasterInitializationVector";
Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames );
@@ -301,32 +308,37 @@ bool StorageItem::getEncodedMP( OUString& aResult )
aPropertyValues[0] >>= hasEncoded;
aPropertyValues[1] >>= mEncoded;
+ aPropertyValues[2] >>= mEncodedIV;
aResult = mEncoded;
+ aResultIV = mEncodedIV;
return hasEncoded;
}
-void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty )
+void StorageItem::setEncodedMP( const OUString& aEncoded, const OUString& aEncodedIV, bool bAcceptEmpty )
{
- Sequence< OUString > sendNames(3);
- Sequence< uno::Any > sendVals(3);
+ Sequence< OUString > sendNames(4);
+ Sequence< uno::Any > sendVals(4);
sendNames[0] = "HasMaster";
sendNames[1] = "Master";
- sendNames[2] = "StorageVersion";
+ sendNames[2] = "MasterInitializationVector";
+ sendNames[3] = "StorageVersion";
bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty );
sendVals[0] <<= bHasMaster;
sendVals[1] <<= aEncoded;
- sendVals[2] <<= nCurrentStorageVersion;
+ sendVals[2] <<= aEncodedIV;
+ sendVals[3] <<= nCurrentStorageVersion;
ConfigItem::SetModified();
ConfigItem::PutProperties( sendNames, sendVals );
hasEncoded = bHasMaster;
mEncoded = aEncoded;
+ mEncodedIV = aEncodedIV;
}
@@ -362,11 +374,13 @@ void StorageItem::update( const OUString& aURL, const NamePassRecord& aRecord )
forIndex.push_back( aURL );
forIndex.push_back( aRecord.GetUserName() );
- Sequence< beans::PropertyValue > sendSeq(1);
+ Sequence< beans::PropertyValue > sendSeq(2);
- sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
+ sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( { aURL, aRecord.GetUserName() } ) + "']/InitializationVector";
+ sendSeq[0].Value <<= aRecord.GetPersistentIV();
- sendSeq[0].Value <<= aRecord.GetPersPasswords();
+ sendSeq[1].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password";
+ sendSeq[1].Value <<= aRecord.GetPersPasswords();
ConfigItem::SetModified();
ConfigItem::SetSetProperties( "Store", sendSeq );
@@ -427,7 +441,7 @@ void SAL_CALL PasswordContainer::disposing( const EventObject& )
}
}
-std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
+std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode )
{
if( !aMasterPasswd.isEmpty() )
{
@@ -442,9 +456,16 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
+ if (!aIV.isEmpty())
+ {
+ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+ iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
+ }
+
rtlCipherError result = rtl_cipher_init (
aDecoder, rtl_Cipher_DirectionDecode,
- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
+ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
if( result == rtl_Cipher_E_None )
{
@@ -477,7 +498,7 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin
"Can't decode!", css::uno::Reference<css::uno::XInterface>(), mode);
}
-OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPasswd )
+OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPasswd)
{
if( !aMasterPasswd.isEmpty() )
{
@@ -494,9 +515,16 @@ OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines
for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
code[ ind ] = static_cast<char>(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16));
+ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0};
+ if (!aIV.isEmpty())
+ {
+ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ )
+ iv[ ind ] = static_cast<char>(aIV.copy( ind*2, 2 ).toUInt32(16));
+ }
+
rtlCipherError result = rtl_cipher_init (
aEncoder, rtl_Cipher_DirectionEncode,
- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 );
+ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 );
if( result == rtl_Cipher_E_None )
{
@@ -564,7 +592,7 @@ void PasswordContainer::UpdateVector( const OUString& aURL, std::vector< NamePas
if( aRecord.HasPasswords( PERSISTENT_RECORD ) )
{
- aNPIter.SetPersPasswords( aRecord.GetPersPasswords() );
+ aNPIter.SetPersPasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV() );
if( writeFile )
{
@@ -597,7 +625,8 @@ UserRecord PasswordContainer::CopyToUserRecord( const NamePassRecord& aRecord, b
{
try
{
- ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
+ ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV(),
+ GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER );
aPasswords.insert( aPasswords.end(), aDecodedPasswords.begin(), aDecodedPasswords.end() );
}
catch( NoMasterException& )
@@ -642,6 +671,19 @@ void SAL_CALL PasswordContainer::addPersistent( const OUString& Url, const OUStr
PrivateAdd( Url, UserName, Passwords, PERSISTENT_RECORD, aHandler );
}
+OUString PasswordContainer::createIV()
+{
+ rtlRandomPool randomPool = mRandomPool.get();
+ unsigned char iv[RTL_DIGEST_LENGTH_MD5];
+ rtl_random_getBytes(randomPool, iv, RTL_DIGEST_LENGTH_MD5);
+ OUStringBuffer aBuffer;
+ for (sal_uInt8 i : iv)
+ {
+ aBuffer.append(OUString::number(i >> 4, 16));
+ aBuffer.append(OUString::number(i & 15, 16));
+ }
+ return aBuffer.makeStringAndClear();
+}
void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserName, const Sequence< OUString >& Passwords, char Mode, const Reference< XInteractionHandler >& aHandler )
{
@@ -649,7 +691,11 @@ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserNam
::std::vector< OUString > aStorePass = comphelper::sequenceToContainer< std::vector<OUString> >( Passwords );
if( Mode == PERSISTENT_RECORD )
- aRecord.SetPersPasswords( EncodePasswords( aStorePass, GetMasterPassword( aHandler ) ) );
+ {
+ OUString sIV = createIV();
+ OUString sEncodedPasswords = EncodePasswords( aStorePass, sIV, GetMasterPassword( aHandler ) );
+ aRecord.SetPersPasswords( sEncodedPasswords, sIV );
+ }
else if( Mode == MEMORY_RECORD )
aRecord.SetMemPasswords( aStorePass );
else
@@ -842,10 +888,10 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
if( m_aMasterPasswd.isEmpty() && aHandler.is() )
{
- OUString aEncodedMP;
+ OUString aEncodedMP, aEncodedMPIV;
bool bDefaultPassword = false;
- if( !m_pStorageFile->getEncodedMP( aEncodedMP ) )
+ if( !m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
aRMode = PasswordRequestMode_PASSWORD_CREATE;
else if ( aEncodedMP.isEmpty() )
{
@@ -867,14 +913,15 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac
m_aMasterPasswd = aPass;
std::vector< OUString > aMaster( 1, m_aMasterPasswd );
- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
+ OUString sIV = createIV();
+ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, sIV, m_aMasterPasswd ), sIV );
}
else
{
if (m_pStorageFile->getStorageVersion() == 0)
aPass = ReencodeAsOldHash(aPass);
- std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) );
+ std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aEncodedMPIV, aPass, aRMode ) );
if( aRM.empty() || aPass != aRM[0] )
{
bAskAgain = true;
@@ -1031,7 +1078,8 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
{
sal_Int32 oldLen = aUsers.getLength();
aUsers.realloc( oldLen + 1 );
- aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
+ aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), aNP.GetPersistentIV(),
+ GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) );
}
if( aUsers.hasElements() )
@@ -1048,12 +1096,12 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere
sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::Reference< task::XInteractionHandler >& xHandler )
{
bool bResult = false;
- OUString aEncodedMP;
+ OUString aEncodedMP, aEncodedMPIV;
uno::Reference< task::XInteractionHandler > xTmpHandler = xHandler;
::osl::MutexGuard aGuard( mMutex );
// the method should fail if there is no master password
- if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) )
+ if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
{
if ( aEncodedMP.isEmpty() )
{
@@ -1122,8 +1170,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
bool bCanChangePassword = true;
// if there is already a stored master password it should be entered by the user before the change happen
- OUString aEncodedMP;
- if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP ) )
+ OUString aEncodedMP, aEncodedMPIV;
+ if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) )
bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
if ( bCanChangePassword )
@@ -1142,7 +1190,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference<
// store the new master password
m_aMasterPasswd = aPass;
std::vector< OUString > aMaster( 1, m_aMasterPasswd );
- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) );
+ OUString aIV = createIV();
+ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, aIV, m_aMasterPasswd ), aIV );
// store all the entries with the new password
for ( const auto& rURL : aPersistent )
@@ -1167,7 +1216,7 @@ void SAL_CALL PasswordContainer::removeMasterPassword()
if ( m_pStorageFile )
{
m_aMasterPasswd.clear();
- m_pStorageFile->setEncodedMP( OUString() ); // let the master password be removed from configuration
+ m_pStorageFile->setEncodedMP( OUString(), OUString() ); // let the master password be removed from configuration
}
}
@@ -1178,8 +1227,8 @@ sal_Bool SAL_CALL PasswordContainer::hasMasterPassword( )
if ( !m_pStorageFile )
throw uno::RuntimeException();
- OUString aEncodedMP;
- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) );
+ OUString aEncodedMP, aEncodedMPIV;
+ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) );
}
sal_Bool SAL_CALL PasswordContainer::allowPersistentStoring( sal_Bool bAllow )
@@ -1226,8 +1275,8 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
bool bCanChangePassword = true;
// if there is already a stored nondefault master password it should be entered by the user before the change happen
- OUString aEncodedMP;
- if( m_pStorageFile->getEncodedMP( aEncodedMP ) && !aEncodedMP.isEmpty() )
+ OUString aEncodedMP, aEncodedMPIV;
+ if( m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && !aEncodedMP.isEmpty() )
bCanChangePassword = authorizateWithMasterPassword( xTmpHandler );
if ( bCanChangePassword )
@@ -1244,7 +1293,7 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere
// store the empty string to flag the default master password
m_aMasterPasswd = aPass;
- m_pStorageFile->setEncodedMP( OUString(), true );
+ m_pStorageFile->setEncodedMP( OUString(), OUString(), true );
// store all the entries with the new password
for ( const auto& rURL : aPersistent )
@@ -1268,8 +1317,8 @@ sal_Bool SAL_CALL PasswordContainer::isDefaultMasterPasswordUsed()
if ( !m_pStorageFile )
throw uno::RuntimeException();
- OUString aEncodedMP;
- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) && aEncodedMP.isEmpty() );
+ OUString aEncodedMP, aEncodedMPIV;
+ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && aEncodedMP.isEmpty() );
}
diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx
index cf5c717d0c9e..4e3a6629139e 100644
--- a/svl/source/passwordcontainer/passwordcontainer.hxx
+++ b/svl/source/passwordcontainer/passwordcontainer.hxx
@@ -33,6 +33,7 @@
#include <unotools/configitem.hxx>
#include <ucbhelper/interactionrequest.hxx>
+#include <rtl/random.h>
#include <rtl/ref.hxx>
#include <osl/mutex.hxx>
@@ -51,11 +52,12 @@ class NamePassRecord
::std::vector< OUString > m_aMemPass;
// persistent passwords are encrypted in one string
- bool m_bHasPersPass;
+ bool m_bHasPersPass;
OUString m_aPersPass;
+ OUString m_aPersistentIV;
void InitArrays( bool bHasMemoryList, const ::std::vector< OUString >& aMemoryList,
- bool bHasPersistentList, const OUString& aPersistentList )
+ bool bHasPersistentList, const OUString& aPersistentList, const OUString& aPersistentIV )
{
m_bHasMemPass = bHasMemoryList;
if ( bHasMemoryList )
@@ -63,7 +65,10 @@ class NamePassRecord
m_bHasPersPass = bHasPersistentList;
if ( bHasPersistentList )
+ {
m_aPersPass = aPersistentList;
+ m_aPersistentIV = aPersistentIV;
+ }
}
public:
@@ -75,11 +80,12 @@ public:
{
}
- NamePassRecord( const OUString& aName, const OUString& aPersistentList )
+ NamePassRecord( const OUString& aName, const OUString& aPersistentList, const OUString& aPersistentIV )
: m_aName( aName )
, m_bHasMemPass( false )
, m_bHasPersPass( true )
, m_aPersPass( aPersistentList )
+ , m_aPersistentIV( aPersistentIV )
{
}
@@ -88,7 +94,8 @@ public:
, m_bHasMemPass( false )
, m_bHasPersPass( false )
{
- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
+ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
+ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
}
NamePassRecord& operator=( const NamePassRecord& aRecord )
@@ -99,7 +106,9 @@ public:
m_aMemPass.clear();
m_aPersPass.clear();
- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass );
+ m_aPersistentIV.clear();
+ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass,
+ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV );
}
return *this;
}
@@ -135,15 +144,24 @@ public:
return OUString();
}
+ OUString GetPersistentIV() const
+ {
+ if ( m_bHasPersPass )
+ return m_aPersistentIV;
+
+ return OUString();
+ }
+
void SetMemPasswords( const ::std::vector< OUString >& aMemList )
{
m_aMemPass = aMemList;
m_bHasMemPass = true;
}
- void SetPersPasswords( const OUString& aPersList )
+ void SetPersPasswords( const OUString& aPersList, const OUString& aPersIV )
{
m_aPersPass = aPersList;
+ m_aPersistentIV = aPersIV;
m_bHasPersPass = true;
}
@@ -158,6 +176,7 @@ public:
{
m_bHasPersPass = false;
m_aPersPass.clear();
+ m_aPersistentIV.clear();
}
}
@@ -181,6 +200,7 @@ private:
PasswordContainer* mainCont;
bool hasEncoded;
OUString mEncoded;
+ OUString mEncodedIV;
virtual void ImplCommit() override;
@@ -201,8 +221,8 @@ public:
sal_Int32 getStorageVersion();
- bool getEncodedMP( OUString& aResult );
- void setEncodedMP( const OUString& aResult, bool bAcceptEnmpty = false );
+ bool getEncodedMP( OUString& aResult, OUString& aResultIV );
+ void setEncodedMP( const OUString& aResult, const OUString& aResultIV, bool bAcceptEmpty = false );
void setUseStorage( bool bUse );
bool useStorage();
@@ -223,6 +243,29 @@ private:
css::uno::Reference< css::lang::XComponent > mComponent;
SysCredentialsConfig mUrlContainer;
+ class RandomPool
+ {
+ private:
+ rtlRandomPool m_aRandomPool;
+ public:
+ RandomPool() : m_aRandomPool(rtl_random_createPool())
+ {
+ }
+ rtlRandomPool get()
+ {
+ return m_aRandomPool;
+ }
+ ~RandomPool()
+ {
+ // Clean up random pool memory
+ rtl_random_destroyPool(m_aRandomPool);
+ }
+ };
+
+ RandomPool mRandomPool;
+
+ OUString createIV();
+
/// @throws css::uno::RuntimeException
css::uno::Sequence< css::task::UserRecord > CopyToUserRecordSequence(
const ::std::vector< NamePassRecord >& original,
@@ -273,10 +316,10 @@ css::task::UrlRecord find(
const css::uno::Reference< css::task::XInteractionHandler >& Handler );
/// @throws css::uno::RuntimeException
- static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
+ static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPassword, css::task::PasswordRequestMode mode );
/// @throws css::uno::RuntimeException
- static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPassword );
+ static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPassword );
public:
PasswordContainer( const css::uno::Reference< css::lang::XMultiServiceFactory >& );
--
2.37.1

View File

@ -0,0 +1,117 @@
From 4cfd591942e4cfd3efc416bfac8e46e3580d37ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 23 Mar 2022 13:03:30 +0000
Subject: [PATCH] add infobar to prompt to refresh to replace old format
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit bbd196ff82bda9f66b4ba32a412f10cefe6da60e)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132307
Reviewed-by: Sophie Gautier <sophi@libreoffice.org>
Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
(cherry picked from commit c5d01b11db3c83cb4a89d3b388d78e20dd3990b5)
Change-Id: Id99cbf2b50a4ebf289dae6fc67e22e20afcda35b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133906
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
include/sfx2/strings.hrc | 2 ++
include/sfx2/viewfrm.hxx | 1 +
sfx2/source/view/viewfrm.cxx | 40 ++++++++++++++++++++++++++++++++++++
3 files changed, 43 insertions(+)
diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc
index 1f21f0a0f186..1db36e733c0c 100644
--- a/include/sfx2/strings.hrc
+++ b/include/sfx2/strings.hrc
@@ -297,6 +297,8 @@
#define STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK NC_("STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK", "The certificate could not be validated and the document is only partially signed.")
#define STR_SIGNATURE_OK NC_("STR_SIGNATURE_OK", "This document is digitally signed and the signature is valid.")
#define STR_SIGNATURE_SHOW NC_("STR_SIGNATURE_SHOW", "Show Signatures")
+#define STR_REFRESH_MASTER_PASSWORD NC_("STR_REFRESH_MASTER_PASSWORD", "The master password is stored in an outdated format, you should refresh it")
+#define STR_REFRESH_PASSWORD NC_("STR_REFRESH_PASSWORD", "Refresh Password")
#define STR_CLOSE_PANE NC_("STR_CLOSE_PANE", "Close Pane")
#define STR_SFX_DOCK NC_("STR_SFX_DOCK", "Dock")
diff --git a/include/sfx2/viewfrm.hxx b/include/sfx2/viewfrm.hxx
index fe336ba5f091..cc6a7dae7047 100644
--- a/include/sfx2/viewfrm.hxx
+++ b/include/sfx2/viewfrm.hxx
@@ -61,6 +61,7 @@ protected:
DECL_LINK(WhatsNewHandler, Button*, void);
DECL_LINK(SwitchReadOnlyHandler, Button*, void);
DECL_LINK(SignDocumentHandler, Button*, void);
+ DECL_DLLPRIVATE_LINK(RefreshMasterPasswordHdl, Button*, void);
SAL_DLLPRIVATE void KillDispatcher_Impl();
virtual ~SfxViewFrame() override;
diff --git a/sfx2/source/view/viewfrm.cxx b/sfx2/source/view/viewfrm.cxx
index 5a64599e5894..86e7d51bbfea 100644
--- a/sfx2/source/view/viewfrm.cxx
+++ b/sfx2/source/view/viewfrm.cxx
@@ -32,6 +32,7 @@
#include <com/sun/star/frame/XLoadable.hpp>
#include <com/sun/star/frame/XLayoutManager.hpp>
#include <com/sun/star/frame/XComponentLoader.hpp>
+#include <com/sun/star/task/PasswordContainer.hpp>
#include <officecfg/Office/Common.hxx>
#include <officecfg/Setup.hxx>
#include <toolkit/helper/vclunohelper.hxx>
@@ -1390,6 +1391,24 @@ void SfxViewFrame::Notify( SfxBroadcaster& /*rBC*/, const SfxHint& rHint )
batch->commit();
}
+ if (officecfg::Office::Common::Passwords::HasMaster::get() &&
+ officecfg::Office::Common::Passwords::StorageVersion::get() == 0)
+ {
+ // master password stored in deprecated format
+ VclPtr<SfxInfoBarWindow> pOldMasterPasswordInfoBar =
+ AppendInfoBar("oldmasterpassword", "",
+ SfxResId(STR_REFRESH_MASTER_PASSWORD), InfobarType::DANGER, false);
+ if (pOldMasterPasswordInfoBar)
+ {
+ VclPtrInstance<PushButton> const xBtn(&GetWindow());
+ xBtn->SetText(SfxResId(STR_REFRESH_PASSWORD));
+ xBtn->SetSizePixel(xBtn->GetOptimalSize());
+ xBtn->SetClickHdl(LINK(this,
+ SfxViewFrame, RefreshMasterPasswordHdl));
+ pOldMasterPasswordInfoBar->addButton(xBtn);
+ }
+ }
+
// read-only infobar if necessary
const SfxViewShell *pVSh;
const SfxShell *pFSh;
@@ -1565,6 +1584,27 @@ IMPL_LINK_NOARG(SfxViewFrame, SignDocumentHandler, Button*, void)
GetDispatcher()->Execute(SID_SIGNATURE);
}
+IMPL_LINK_NOARG(SfxViewFrame, RefreshMasterPasswordHdl, Button*, void)
+{
+ bool bChanged = false;
+ try
+ {
+ Reference< task::XPasswordContainer2 > xMasterPasswd(
+ task::PasswordContainer::create(comphelper::getProcessComponentContext()));
+
+ css::uno::Reference<css::frame::XFrame> xFrame = GetFrame().GetFrameInterface();
+ css::uno::Reference<css::awt::XWindow> xContainerWindow = xFrame->getContainerWindow();
+
+ uno::Reference<task::XInteractionHandler> xTmpHandler(task::InteractionHandler::createWithParent(comphelper::getProcessComponentContext(),
+ xContainerWindow));
+ bChanged = xMasterPasswd->changeMasterPassword(xTmpHandler);
+ }
+ catch (const Exception&)
+ {}
+ if (bChanged)
+ RemoveInfoBar(u"oldmasterpassword");
+}
+
void SfxViewFrame::Construct_Impl( SfxObjectShell *pObjSh )
{
m_pImpl->bResizeInToOut = true;
--
2.37.1

View File

@ -54,7 +54,7 @@ Summary: Free Software Productivity Suite
Name: libreoffice Name: libreoffice
Epoch: 1 Epoch: 1
Version: %{libo_version}.2 Version: %{libo_version}.2
Release: 11%{?libo_prerelease}%{?dist} Release: 12%{?libo_prerelease}%{?dist}
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0
URL: http://www.libreoffice.org/ URL: http://www.libreoffice.org/
@ -280,6 +280,11 @@ Patch36: 0001-Read-MOSDocumentLockFile-UTF-16-string-data-with-sam.patch
Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch Patch37: 0001-Convert-attribute-value-to-UTF-8-when-passing-it-to-.patch
Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch Patch38: 0001-Fix-endianness-issues-in-OOX-crypto-routines.patch
Patch39: 0001-CVE-2021-25636.patch Patch39: 0001-CVE-2021-25636.patch
Patch40: 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch
Patch41: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch
Patch42: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch
Patch43: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch
Patch44: 0001-CVE-2022-3140.patch
%if 0%{?rhel} %if 0%{?rhel}
# not upstreamed # not upstreamed
@ -1130,7 +1135,13 @@ touch autogen.lastrun
ulimit -c unlimited || true ulimit -c unlimited || true
make verbose=true build-nocheck if ! make verbose=true build-nocheck; then
echo "build attempt 1 failed"
if ! make verbose=true build-nocheck; then
echo "build attempt 2 failed"
make verbose=true GMAKE_OPTIONS=-rj1 build-nocheck
fi
fi
#generate the icons and mime type stuff #generate the icons and mime type stuff
export DESTDIR=../output export DESTDIR=../output
@ -2276,6 +2287,12 @@ done
%{_includedir}/LibreOfficeKit %{_includedir}/LibreOfficeKit
%changelog %changelog
* Fri Oct 14 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-12
- Resolves: rhbz#2134752 CVE-2022-26305 Untrusted Macros
- Resolves: rhbz#2134751 CVE-2022-26307 Weak Master Keys
- Resolves: rhbz#2134750 CVE-2022-26306 Static Initialization Vector
- Resolves: rhbz#2134753 CVE-2022-3140 Macro URL arbitrary script execution
* Mon Mar 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-11 * Mon Mar 07 2022 Caolán McNamara <caolanm@redhat.com> - 1:6.4.7.2-11
- Resolves: rhbz#2060559 CVE-2021-25636 - Resolves: rhbz#2060559 CVE-2021-25636