diff --git a/changelog b/changelog
index 6964d72b0..4778a9023 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,19 @@
+libreoffice (1:7.3.7-0ubuntu0.22.04.4) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Improper input validation enabling arbitrary Gstreamer
+ pipeline injection
+ - debian/patches/CVE-2023-6185.patch: escape url passed to gstreamer
+ - CVE-2023-6185
+ * SECURITY UPDATE: Link targets allow arbitrary script execution
+ - debian/patches/CVE-2023-6186-*.patch: multiple commits to fix
+ security issues.
+ - CVE-2023-6186
+ * patches/CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch:
+ - Usage of expired certificates in CppunitTest_desktop_lib:
+ adjust asserts so this works again
+
+ -- Rico Tzschichholz Mon, 11 Dec 2023 15:19:13 +0100
+
 libreoffice (1:7.3.7-0ubuntu0.22.04.3) jammy-security; urgency=high
 
 * SECURITY UPDATE: Remote documents loaded without prompt via IFrame
diff --git a/patches/CVE-2023-6185.patch b/patches/CVE-2023-6185.patch
new file mode 100644
index 000000000..d63b27fda
--- /dev/null
+++ b/patches/CVE-2023-6185.patch
@@ -0,0 +1,51 @@
+From 0f14350fe70907d4466bcef15bfe05865b37babd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 3 Nov 2023 14:20:07 +0000
+Subject: [PATCH] escape url passed to gstreamer
+
+Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158895
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit 2ee1167da1952b133280db2ae26eed6bf0303bc2)
+(cherry picked from commit a77d9c151f043f070512488d84f0b839f4ed4553)
+(cherry picked from commit 2b896a0ba8818804b89735bd7c8991fa8eb3d7b5)
+---
+ avmedia/source/gstreamer/gstframegrabber.cxx | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx
+index ece799d87530..25170a296e66 100644
+--- a/avmedia/source/gstreamer/gstframegrabber.cxx
++++ b/avmedia/source/gstreamer/gstframegrabber.cxx
+@@ -50,11 +50,9 @@ void FrameGrabber::disposePipeline()
+
+ FrameGrabber::FrameGrabber( std::u16string_view rURL )
+ {
+- gchar *pPipelineStr;
+- pPipelineStr = g_strdup_printf(
+- "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
+- "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
+- OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
++ const char pPipelineStr[] =
++ "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
++ "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"";
+
+ GError *pError = nullptr;
+ mpPipeline = gst_parse_launch( pPipelineStr, &pError );
+@@ -65,6 +63,12 @@ FrameGrabber::FrameGrabber( std::u16string_view rURL )
+ }
+
+ if( mpPipeline ) {
++
++ if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source"))
++ g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr);
++ else
++ g_warning("Missing 'source' element in gstreamer pipeline");
++
+ // pre-roll
+ switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
+ case GST_STATE_CHANGE_FAILURE:
+--
+2.43.0
+
diff --git a/patches/CVE-2023-6186-1.patch b/patches/CVE-2023-6186-1.patch
new file mode 100644
index 000000000..1c4794b8a
--- /dev/null
+++ b/patches/CVE-2023-6186-1.patch
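Review bot: The reference returned by `gst_bin_get_by_name` in the new `if( mpPipeline )` block is never released: `pUriDecode` is scoped to the `if` statement, so nothing later in the constructor can unref it, and every FrameGrabber leaves one extra reference on the `source` element. Brace the branch and add `gst_object_unref(pUriDecode);` after the `g_object_set` call. When the element is missing the code only logs `g_warning` and still pre-rolls a pipeline that has no URI; a one-line comment saying this is intended would help the next reader. The constructor body continues outside the hunk.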
@@ -0,0 +1,87 @@
+From fa390145228c9b9a044698fe4b7636c05210fda3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 3 Nov 2023 17:14:26 +0000
+Subject: [PATCH 1/5] add some protocols that don't make sense as floating
+ frame targets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Id900a5eef248731d1184c1df501a2cf7a2de7eb9
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158910
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit 11ebdfef16501c6d35c3e3d0d62507f706557c71)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158901
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit 73e90d15c48a8f148e4e8f024cdf1b397efbcc53)
+(cherry picked from commit b35aa37a5d1f32a419e7f311e415615808731acd)
+(cherry picked from commit 421be99a6b101ac4ec91ad95b48c50fa17e47d36)
+---
+ include/tools/urlobj.hxx | 5 +++++
+ sfx2/source/doc/iframe.cxx | 6 +++++-
+ tools/source/fsys/urlobj.cxx | 8 ++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/include/tools/urlobj.hxx b/include/tools/urlobj.hxx
+index 82b30fe2676b..07e31409c0e9 100644
+--- a/include/tools/urlobj.hxx
++++ b/include/tools/urlobj.hxx
+@@ -915,6 +915,11 @@ public:
+
+ void changeScheme(INetProtocol eTargetScheme);
+
++ // INetProtocol::Macro, INetProtocol::Uno, INetProtocol::Slot,
++ // vnd.sun.star.script, etc. All the types of URLs which shouldn't
++ // be accepted from an outside controlled source
++ bool IsExoticProtocol() const;
++
+ private:
+ // General Structure:
+
+diff --git a/sfx2/source/doc/iframe.cxx b/sfx2/source/doc/iframe.cxx
+index 08dfee998c6d..a2cf27ff5883 100644
+--- a/sfx2/source/doc/iframe.cxx
++++ b/sfx2/source/doc/iframe.cxx
+@@ -37,6 +37,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -167,8 +168,11 @@ sal_Bool SAL_CALL IFrameObject::load(
+ xTrans->parseStrict( aTargetURL );
+
+ INetURLObject aURLObject(aTargetURL.Complete);
+- if (aURLObject.GetProtocol() == INetProtocol::Macro || aURLObject.isSchemeEqualTo(u"vnd.sun.star.script"))
++ if (aURLObject.IsExoticProtocol())
++ {
++ SAL_WARN("sfx", "IFrameObject::load ignoring: " << aTargetURL.Complete);
+ return false;
++ }
+
+ uno::Reference xParentFrame = xFrame->getCreator();
+ SfxObjectShell* pDoc = SfxMacroLoader::GetObjectShell(xParentFrame);
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 7b86fe0f5261..187190b0dfe3 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4829,4 +4829,12 @@ OUString INetURLObject::CutExtension()
+ ? aTheExtension : OUString();
+ }
+
++bool INetURLObject::IsExoticProtocol() const
++{
++ return m_eScheme == INetProtocol::Slot ||
++ m_eScheme == INetProtocol::Macro ||
++ m_eScheme == INetProtocol::Uno ||
++ isSchemeEqualTo(u"vnd.sun.star.script");
++}
++
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+--
+2.43.0
+
diff --git a/patches/CVE-2023-6186-2.patch b/patches/CVE-2023-6186-2.patch
new file mode 100644
index 000000000..d3de9461d
--- /dev/null
+++ b/patches/CVE-2023-6186-2.patch
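Review bot: `IsExoticProtocol()` in tools/source/fsys/urlobj.cxx is a deny-list, but its header comment in urlobj.hxx ends in "etc.", so a caller cannot tell which schemes are actually refused; patch 2/5 on this page already has to extend the list with `service`. IFrameObject::load now relies on this predicate alone for its rejection, so the comment should name exactly what is tested and state the maintenance rule, for example `// Deny-list: INetProtocol::Slot, ::Macro, ::Uno and the vnd.sun.star.script scheme; any new internal dispatch scheme must be added here`. Any scheme not on the list is accepted, which is worth stating in the same comment.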
@@ -0,0 +1,75 @@
+From a7138808fbb8eb263af436ee4227cbe9c829b676 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Sat, 4 Nov 2023 19:57:51 +0000
+Subject: [PATCH 2/5] warn about exotic protocols as well
+
+Change-Id: I50dcf4f36cd20d75f5ad3876353143268740a50f
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158902
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit aafe05584e601236e84a165f2816b187189cfb77)
+(cherry picked from commit 799f0225d7171e6c04324ace1f31c7fe976662a4)
+(cherry picked from commit ae06669597e5a485676ba4394822cba8bb88d394)
+---
+ sw/source/filter/html/htmlplug.cxx | 2 +-
+ sw/source/filter/xml/xmltexti.cxx | 2 +-
+ tools/source/fsys/urlobj.cxx | 3 ++-
+ xmloff/source/draw/ximpshap.cxx | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sw/source/filter/html/htmlplug.cxx b/sw/source/filter/html/htmlplug.cxx
+index 76e07d63073d..8fe27496c8d4 100644
+--- a/sw/source/filter/html/htmlplug.cxx
++++ b/sw/source/filter/html/htmlplug.cxx
+@@ -1102,7 +1102,7 @@ void SwHTMLParser::InsertFloatingFrame()
+
+ OUString sHRef = aFrameDesc.GetURL().GetMainURL( INetURLObject::DecodeMechanism::NONE );
+
+- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++ if (INetURLObject(sHRef).IsExoticProtocol())
+ NotifyMacroEventRead();
+
+ xSet->setPropertyValue("FrameURL", uno::makeAny( sHRef ) );
+diff --git a/sw/source/filter/xml/xmltexti.cxx b/sw/source/filter/xml/xmltexti.cxx
+index c14bd16e80e2..9a34b547f5af 100644
+--- a/sw/source/filter/xml/xmltexti.cxx
++++ b/sw/source/filter/xml/xmltexti.cxx
+@@ -826,7 +826,7 @@ uno::Reference< XPropertySet > SwXMLTextImportHelper::createAndInsertFloatingFra
+ OUString sHRef = URIHelper::SmartRel2Abs(
+ INetURLObject( GetXMLImport().GetBaseURL() ), rHRef );
+
+- if (INetURLObject(sHRef).GetProtocol() == INetProtocol::Macro)
++ if (INetURLObject(sHRef).IsExoticProtocol())
+ GetXMLImport().NotifyMacroEventRead();
+
+ xSet->setPropertyValue("FrameURL",
+diff --git a/tools/source/fsys/urlobj.cxx b/tools/source/fsys/urlobj.cxx
+index 187190b0dfe3..bcedfe4ff973 100644
+--- a/tools/source/fsys/urlobj.cxx
++++ b/tools/source/fsys/urlobj.cxx
+@@ -4834,7 +4834,8 @@ bool INetURLObject::IsExoticProtocol() const
+ return m_eScheme == INetProtocol::Slot ||
+ m_eScheme == INetProtocol::Macro ||
+ m_eScheme == INetProtocol::Uno ||
+- isSchemeEqualTo(u"vnd.sun.star.script");
++ isSchemeEqualTo(u"vnd.sun.star.script") ||
++ isSchemeEqualTo(u"service");
+ }
+
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/xmloff/source/draw/ximpshap.cxx b/xmloff/source/draw/ximpshap.cxx
+index ad41b8dcd3ad..53c2fcb9f86c 100644
+--- a/xmloff/source/draw/ximpshap.cxx
++++ b/xmloff/source/draw/ximpshap.cxx
+@@ -3154,7 +3154,7 @@ void SdXMLFloatingFrameShapeContext::startFastElement (sal_Int32 /*nElement*/,
+
+ if( !maHref.isEmpty() )
+ {
+- if (INetURLObject(maHref).GetProtocol() == INetProtocol::Macro)
++ if (INetURLObject(maHref).IsExoticProtocol())
+ GetImport().NotifyMacroEventRead();
+
+ xProps->setPropertyValue("FrameURL", Any(maHref) );
+--
+2.43.0
+
diff --git a/patches/CVE-2023-6186-3.patch b/patches/CVE-2023-6186-3.patch
new file mode 100644
index 000000000..a75647897
--- /dev/null
+++ b/patches/CVE-2023-6186-3.patch
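Review bot: All three importers still write the exotic URL into `FrameURL` right after the check (`xSet->setPropertyValue("FrameURL", ...)` in htmlplug.cxx and xmltexti.cxx, `xProps->setPropertyValue("FrameURL", ...)` in ximpshap.cxx); the changed condition only calls `NotifyMacroEventRead()`. Nothing in these hunks rejects the target, so the refusal presumably rests on the load-time check in IFrameObject::load from patch 1/5. A comment at each site would make that dependency visible, e.g. `// flags the document only; the target itself is refused in IFrameObject::load`. The `service` scheme added to `IsExoticProtocol()` also comes with no explanation of why it belongs on the list. Each enclosing function starts outside its hunk.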
@@ -0,0 +1,226 @@
+From ee4849d06b7db4dbb0bed9696c548ace8f8d8313 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Fri, 3 Nov 2023 17:26:25 +0000
+Subject: [PATCH 3/5] default to ignoring libreoffice special-purpose protocols
+ in calc hyperlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ib9f62be3acc05f24ca234dec0fec21e24579e9de
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158911
+Tested-by: Jenkins
+Tested-by: Caolán McNamara
+Reviewed-by: Caolán McNamara
+(cherry picked from commit b6062623b4d69c79e90e9365ac7c5e7f11986793)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159046
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit cfe5672c069d6ed3a62dfc3370fdfbc80b6de434)
+(cherry picked from commit 5109649b65206ca6abd823fe2ccf07925e36d71b)
+(cherry picked from commit 01e7c1682b544266f7b85d58127e878484ea46b0)
+---
+ dbaccess/source/core/dataaccess/ModelImpl.cxx | 3 +-
+ include/sfx2/docmacromode.hxx | 4 ++-
+ include/sfx2/objsh.hxx | 3 ++
+ sc/source/core/data/global.cxx | 34 ++++++++++++++++++-
+ sfx2/source/doc/docmacromode.cxx | 8 +++--
+ sfx2/source/doc/objmisc.cxx | 8 ++++-
+ sfx2/source/doc/objxtor.cxx | 1 +
+ sfx2/source/inc/objshimp.hxx | 3 +-
+ 8 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dbaccess/source/core/dataaccess/ModelImpl.cxx b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+index 49a74717e559..ffa91c19924e 100644
+--- a/dbaccess/source/core/dataaccess/ModelImpl.cxx
++++ b/dbaccess/source/core/dataaccess/ModelImpl.cxx
+@@ -1123,7 +1123,8 @@ bool ODatabaseModelImpl::checkMacrosOnLoading()
+ {
+ Reference< XInteractionHandler > xInteraction;
+ xInteraction = m_aMediaDescriptor.getOrDefault( "InteractionHandler", xInteraction );
+- return m_aMacroMode.checkMacrosOnLoading( xInteraction );
++ const bool bHasMacros = m_aMacroMode.hasMacros();
++ return m_aMacroMode.checkMacrosOnLoading(xInteraction, false /*HasValidContentSignature*/, bHasMacros);
+ }
+
+ void ODatabaseModelImpl::resetMacroExecutionMode()
+diff --git a/include/sfx2/docmacromode.hxx b/include/sfx2/docmacromode.hxx
+index 7ed42f6a14dd..0acb44cbfbb1 100644
+--- a/include/sfx2/docmacromode.hxx
++++ b/include/sfx2/docmacromode.hxx
+@@ -264,6 +264,8 @@ namespace sfx2
+ */
+ static bool storageHasMacros( const css::uno::Reference< css::embed::XStorage >& _rxStorage );
+
++ bool hasMacros() const;
++
+ static bool containerHasBasicMacros( const css::uno::Reference< css::script::XLibraryContainer >& xContainer );
+ /** checks the macro execution mode while loading the document.
+
+@@ -291,7 +293,7 @@ namespace sfx2
+ bool
+ checkMacrosOnLoading(
+ const css::uno::Reference< css::task::XInteractionHandler >& _rxInteraction,
+- bool bHasValidContentSignature = false
++ bool bHasValidContentSignature, bool bHasMacros
+ );
+
+ private:
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index cbdf256c6c67..926ae0ad8f9e 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -427,6 +427,9 @@ public:
+ void SetMacroCallsSeenWhileLoading();
+ bool GetMacroCallsSeenWhileLoading() const;
+
++ // true if the document had macros (or similar) on load to trigger warning user
++ bool GetHadCheckedMacrosOnLoad() const;
++
+ const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+ bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index e29fccf5c1b2..22d957b54ea2 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -27,7 +27,9 @@
+ #include
+ #include
+ #include
++#include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -37,6 +39,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -771,7 +774,7 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+
+ OUString aUrlName( rURL );
+ SfxViewFrame* pFrame = nullptr;
+- const SfxObjectShell* pObjShell = nullptr;
++ SfxObjectShell* pObjShell = nullptr;
+ OUString aReferName;
+ if ( pScActiveViewShell )
+ {
+@@ -805,6 +808,35 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ aUrlName = aNewUrlName;
+ }
+
++ if (INetURLObject(aUrlName).IsExoticProtocol())
++ {
++ // Default to ignoring exotic protocols
++ bool bAllow = false;
++ if (pObjShell)
++ {
++ // If the document had macros when loaded then follow the allowed macro-mode
++ if (pObjShell->GetHadCheckedMacrosOnLoad())
++ bAllow = pObjShell->AdjustMacroMode();
++ else // otherwise ask the user, defaulting to cancel
++ {
++ assert(pFrame && "if we have pObjShell we have pFrame");
++ //Reuse URITools::onOpenURI warning string
++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
++ VclMessageType::Warning, VclButtonsType::YesNo,
++ SfxResId(STR_DANGEROUS_TO_OPEN)));
++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++ INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
++ xQueryBox->set_default_response(RET_NO);
++ bAllow = xQueryBox->run() == RET_YES;
++ }
++ }
++ if (!bAllow)
++ {
++ SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
++ return;
++ }
++ }
++
+ SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+ SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+ if ( nScClickMouseModifier & KEY_SHIFT ) // control-click -> into new window
+diff --git a/sfx2/source/doc/docmacromode.cxx b/sfx2/source/doc/docmacromode.cxx
+index 10630d0f3eae..887c672a3ffd 100644
+--- a/sfx2/source/doc/docmacromode.cxx
++++ b/sfx2/source/doc/docmacromode.cxx
+@@ -400,8 +400,12 @@ namespace sfx2
+ return bHasMacros;
+ }
+
++ bool DocumentMacroMode::hasMacros() const
++ {
++ return m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading();
++ }
+
+- bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature )
++ bool DocumentMacroMode::checkMacrosOnLoading( const Reference< XInteractionHandler >& rxInteraction, bool bHasValidContentSignature, bool bHasMacros )
+ {
+ bool bAllow = false;
+ if ( SvtSecurityOptions::IsMacroDisabled() )
+@@ -411,7 +415,7 @@ namespace sfx2
+ }
+ else
+ {
+- if (m_xData->m_rDocumentAccess.documentStorageHasMacros() || hasMacroLibrary() || m_xData->m_rDocumentAccess.macroCallsSeenWhileLoading())
++ if (bHasMacros)
+ {
+ bAllow = adjustMacroMode( rxInteraction, bHasValidContentSignature );
+ }
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index 9da250188825..56a8d3f4c848 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -944,9 +944,15 @@ void SfxObjectShell::CheckSecurityOnLoading_Impl()
+
+ // check macro security
+ const bool bHasValidContentSignature = HasValidSignatures();
+- pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature );
++ const bool bHasMacros = pImpl->aMacroMode.hasMacros();
++ pImpl->aMacroMode.checkMacrosOnLoading( xInteraction, bHasValidContentSignature, bHasMacros );
++ pImpl->m_bHadCheckedMacrosOnLoad = bHasMacros;
+ }
+
++bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
++{
++ return pImpl->m_bHadCheckedMacrosOnLoad;
++}
+
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx
+index fb6cca399cec..7b71fb9d7206 100644
+--- a/sfx2/source/doc/objxtor.cxx
++++ b/sfx2/source/doc/objxtor.cxx
+@@ -210,6 +210,7 @@ SfxObjectShell_Impl::SfxObjectShell_Impl( SfxObjectShell& _rDocShell )
+ ,m_bAllowShareControlFileClean( true )
+ ,m_bConfigOptionsChecked( false )
+ ,m_bMacroCallsSeenWhileLoading( false )
++ ,m_bHadCheckedMacrosOnLoad( false )
+ ,lErr(ERRCODE_NONE)
+ ,nEventId ( SfxEventHintId::NONE )
+ ,nLoadedFlags ( SfxLoadedFlags::ALL )
+diff --git a/sfx2/source/inc/objshimp.hxx b/sfx2/source/inc/objshimp.hxx
+index 46db158984ac..f6f84d6f40e2 100644
+--- a/sfx2/source/inc/objshimp.hxx
++++ b/sfx2/source/inc/objshimp.hxx
+@@ -90,7 +90,8 @@ struct SfxObjectShell_Impl final : public ::sfx2::IMacroDocumentAccess
+ m_bSharedXMLFlag:1, // whether the document should be edited in shared mode
+ m_bAllowShareControlFileClean:1, // whether the flag should be stored in xml file
+ m_bConfigOptionsChecked:1, // whether or not the user options are checked after the Options dialog is closed.
+- m_bMacroCallsSeenWhileLoading:1; // whether or not the user options are checked after the Options dialog is closed.
++ m_bMacroCallsSeenWhileLoading:1, // whether or not macro calls were seen when loading document.
++ m_bHadCheckedMacrosOnLoad:1; // if document contained macros (or calls) when loaded
+
+ IndexBitSet aBitSet;
+ ErrCode lErr;
+--
+2.43.0
+
diff --git a/patches/CVE-2023-6186-4.patch b/patches/CVE-2023-6186-4.patch
new file mode 100644
index 000000000..6d5ed1a5b
--- /dev/null
+++ b/patches/CVE-2023-6186-4.patch
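Review bot: `checkMacrosOnLoading` in docmacromode.hxx now takes two adjacent `bool` parameters with no default, and `hasMacros()` is declared without a comment between documented members; the doc block of `checkMacrosOnLoading` begins outside the hunk and no change to it is visible. A swapped argument would compile silently, which is why the dbaccess call site already annotates `false /*HasValidContentSignature*/`. Add a `bHasMacros` entry to that doc block and document the accessor, e.g. `/** true if the document storage has macros, a macro library exists, or macro calls were seen while loading */`. In objmisc.cxx `m_bHadCheckedMacrosOnLoad` is assigned `bHasMacros` whatever `checkMacrosOnLoading` returned, so the name reads as "macros were checked" while the value means "macros were present"; a comment at the assignment would prevent it being used as proof of a completed check.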
@@ -0,0 +1,266 @@
+From 583a30728042993d7fcacccf49c8e338150f2f44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Wed, 15 Nov 2023 11:39:24 +0000
+Subject: [PATCH 4/5] reuse AllowedLinkProtocolFromDocument in writer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+reorg calc hyperlink check to reuse elsewhere
+
+Change-Id: I20ae3c5df15502c3a0a366fb4a2924c06ffac3d0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159487
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit e6a7537762e19fde446441edd10d301f9b37ce75)
+
+reuse AllowedLinkProtocolFromDocument in writer
+
+Change-Id: Iacf5e313fc6ca5f7d69ca6986a036f0e1ab1f2a0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159488
+Tested-by: Caolán McNamara
+Reviewed-by: Caolán McNamara
+(cherry picked from commit 32535dfa82200b54296838b52285c054fbe5e51d)
+
+combine these hyperlink dispatchers into one call
+
+Change-Id: Icb7822e811013de648ccf2fbb23a5f0be9e29bb0
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159489
+Tested-by: Caolán McNamara
+Reviewed-by: Caolán McNamara
+(cherry picked from commit 0df175ccc6ea542bc5801f631ff72bed187042eb)
+
+we can have just one LoadURL for writer
+
+Change-Id: Ia0162ee1c275292fcf200bad4662e4c2c6b7b972
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159557
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit 521ca9cf6acbae96cf95d9740859c9682212013d)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159858
+Tested-by: Jenkins CollaboraOffice
+Reviewed-by: Miklos Vajna
+(cherry picked from commit e32b8601dbd63cf01497889601d6c9c1241106d6)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159883
+(cherry picked from commit 6d29ee15039a567ad5f70a3e51289fea93c1f64e)
+(cherry picked from commit 6708272c15941d94ab828a188e06a0addca1dd15)
+(cherry picked from commit 8423af18d7b8b82d106acede33720457071e79e9)
+(cherry picked from commit 6aa0be1d2905b77e567ca32446b61ab2e9bef0b1)
+---
+ include/sfx2/objsh.hxx | 7 +++--
+ sc/source/core/data/global.cxx | 32 ++---------------------
+ sfx2/source/doc/objmisc.cxx | 27 ++++++++++++++++++++
+ sw/source/uibase/shells/drwtxtex.cxx | 8 ++----
+ sw/source/uibase/wrtsh/wrtsh2.cxx | 38 ++++++++++++++++++----------
+ 5 files changed, 60 insertions(+), 52 deletions(-)
+
+diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
+index 926ae0ad8f9e..400ed47b86aa 100644
+--- a/include/sfx2/objsh.hxx
++++ b/include/sfx2/objsh.hxx
+@@ -200,6 +200,9 @@ private:
+
+ SAL_DLLPRIVATE bool SaveTo_Impl(SfxMedium &rMedium, const SfxItemSet* pSet );
+
++ // true if the document had macros (or similar) on load to trigger warning user
++ SAL_DLLPRIVATE bool GetHadCheckedMacrosOnLoad() const;
++
+ protected:
+ SfxObjectShell(SfxObjectCreateMode);
+ SfxObjectShell(SfxModelFlags); // see sfxmodelfactory.hxx
+@@ -427,8 +430,8 @@ public:
+ void SetMacroCallsSeenWhileLoading();
+ bool GetMacroCallsSeenWhileLoading() const;
+
+- // true if the document had macros (or similar) on load to trigger warning user
+- bool GetHadCheckedMacrosOnLoad() const;
++ // true if this type of link, from a document, is allowed by the user to be passed to uno:OpenDoc
++ static bool AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent);
+
+ const css::uno::Sequence< css::beans::PropertyValue >& GetModifyPasswordInfo() const;
+ bool SetModifyPasswordInfo( const css::uno::Sequence< css::beans::PropertyValue >& aInfo );
+diff --git a/sc/source/core/data/global.cxx b/sc/source/core/data/global.cxx
+index 22d957b54ea2..440990ccac8c 100644
+--- a/sc/source/core/data/global.cxx
++++ b/sc/source/core/data/global.cxx
+@@ -27,9 +27,7 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -808,34 +806,8 @@ void ScGlobal::OpenURL(const OUString& rURL, const OUString& rTarget, bool bIgno
+ aUrlName = aNewUrlName;
+ }
+
+- if (INetURLObject(aUrlName).IsExoticProtocol())
+- {
+- // Default to ignoring exotic protocols
+- bool bAllow = false;
+- if (pObjShell)
+- {
+- // If the document had macros when loaded then follow the allowed macro-mode
+- if (pObjShell->GetHadCheckedMacrosOnLoad())
+- bAllow = pObjShell->AdjustMacroMode();
+- else // otherwise ask the user, defaulting to cancel
+- {
+- assert(pFrame && "if we have pObjShell we have pFrame");
+- //Reuse URITools::onOpenURI warning string
+- std::unique_ptr xQueryBox(Application::CreateMessageDialog(pFrame->GetFrameWeld(),
+- VclMessageType::Warning, VclButtonsType::YesNo,
+- SfxResId(STR_DANGEROUS_TO_OPEN)));
+- xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
+- INetURLObject::decode(aUrlName, INetURLObject::DecodeMechanism::Unambiguous)));
+- xQueryBox->set_default_response(RET_NO);
+- bAllow = xQueryBox->run() == RET_YES;
+- }
+- }
+- if (!bAllow)
+- {
+- SAL_WARN("sc", "ScGlobal::OpenURL ignoring: " << aUrlName);
+- return;
+- }
+- }
++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(aUrlName, pObjShell, pFrame ? pFrame->GetFrameWeld() : nullptr))
++ return;
+
+ SfxStringItem aUrl( SID_FILE_NAME, aUrlName );
+ SfxStringItem aTarget( SID_TARGETNAME, rTarget );
+diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx
+index 56a8d3f4c848..bd5153ee5c6c 100644
+--- a/sfx2/source/doc/objmisc.cxx
++++ b/sfx2/source/doc/objmisc.cxx
+@@ -954,6 +954,33 @@ bool SfxObjectShell::GetHadCheckedMacrosOnLoad() const
+ return pImpl->m_bHadCheckedMacrosOnLoad;
+ }
+
++bool SfxObjectShell::AllowedLinkProtocolFromDocument(const OUString& rUrl, SfxObjectShell* pObjShell, weld::Window* pDialogParent)
++{
++ if (!INetURLObject(rUrl).IsExoticProtocol())
++ return true;
++ // Default to ignoring exotic protocols
++ bool bAllow = false;
++ if (pObjShell)
++ {
++ // If the document had macros when loaded then follow the allowed macro-mode
++ if (pObjShell->GetHadCheckedMacrosOnLoad())
++ bAllow = pObjShell->AdjustMacroMode();
++ else // otherwise ask the user, defaulting to cancel
++ {
++ //Reuse URITools::onOpenURI warning string
++ std::unique_ptr xQueryBox(Application::CreateMessageDialog(pDialogParent,
++ VclMessageType::Warning, VclButtonsType::YesNo,
++ SfxResId(STR_DANGEROUS_TO_OPEN)));
++ xQueryBox->set_primary_text(xQueryBox->get_primary_text().replaceFirst("$(ARG1)",
++ INetURLObject::decode(rUrl, INetURLObject::DecodeMechanism::Unambiguous)));
++ xQueryBox->set_default_response(RET_NO);
++ bAllow = xQueryBox->run() == RET_YES;
++ }
++ }
++ SAL_WARN_IF(!bAllow, "sfx.appl", "SfxObjectShell::AllowedLinkProtocolFromDocument ignoring: " << rUrl);
++ return bAllow;
++}
++
+ void SfxObjectShell::CheckEncryption_Impl( const uno::Reference< task::XInteractionHandler >& xHandler )
+ {
+ OUString aVersion;
+diff --git a/sw/source/uibase/shells/drwtxtex.cxx b/sw/source/uibase/shells/drwtxtex.cxx
+index e94dbae0b0b8..87592d255f76 100644
+--- a/sw/source/uibase/shells/drwtxtex.cxx
++++ b/sw/source/uibase/shells/drwtxtex.cxx
+@@ -528,12 +528,8 @@ void SwDrawTextShell::Execute( SfxRequest &rReq )
+ const SvxFieldData* pField = pOLV->GetFieldAtCursor();
+ if (const SvxURLField* pURLField = dynamic_cast(pField))
+ {
+- SfxStringItem aUrl(SID_FILE_NAME, pURLField->GetURL());
+- SfxStringItem aTarget(SID_TARGETNAME, pURLField->GetTargetFrame());
+- SfxBoolItem aNewView(SID_OPEN_NEW_VIEW, false);
+- SfxBoolItem aBrowsing(SID_BROWSE, true);
+- GetView().GetViewFrame()->GetDispatcher()->ExecuteList(
+- SID_OPENDOC, SfxCallMode::SYNCHRON, { &aUrl, &aTarget, &aNewView, &aBrowsing });
++ ::LoadURL(GetShell(), pURLField->GetURL(), LoadUrlFlags::NONE,
++ pURLField->GetTargetFrame());
+ }
+ }
+ break;
+diff --git a/sw/source/uibase/wrtsh/wrtsh2.cxx b/sw/source/uibase/wrtsh/wrtsh2.cxx
+index e53580e6a746..b6d6a89535ef 100644
+--- a/sw/source/uibase/wrtsh/wrtsh2.cxx
++++ b/sw/source/uibase/wrtsh/wrtsh2.cxx
+@@ -501,30 +501,24 @@ bool SwWrtShell::ClickToINetGrf( const Point& rDocPt, LoadUrlFlags nFilter )
+ return bRet;
+ }
+
+-void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+- const OUString& rTargetFrameName )
++static void LoadURL(SwView& rView, const OUString& rURL, LoadUrlFlags nFilter,
++ const OUString& rTargetFrameName)
+ {
+- OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
+- if( rURL.isEmpty() )
+- return ;
++ SwDocShell* pDShell = rView.GetDocShell();
++ OSL_ENSURE( pDShell, "No DocShell?!");
++ SfxViewFrame* pViewFrame = rView.GetViewFrame();
+
+- // The shell could be 0 also!!!!!
+- if ( dynamic_cast( &rVSh) == nullptr )
++ if (!SfxObjectShell::AllowedLinkProtocolFromDocument(rURL, pDShell, pViewFrame->GetFrameWeld()))
+ return;
+
+ // We are doing tiledRendering, let the client handles the URL loading,
+ // unless we are jumping to a TOC mark.
+ if (comphelper::LibreOfficeKit::isActive() && !rURL.startsWith("#"))
+ {
+- rVSh.GetSfxViewShell()->libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
++ rView.libreOfficeKitViewCallback(LOK_CALLBACK_HYPERLINK_CLICKED, rURL.toUtf8().getStr());
+ return;
+ }
+
+- //A CursorShell is always a WrtShell
+- SwWrtShell &rSh = static_cast(rVSh);
+-
+- SwDocShell* pDShell = rSh.GetView().GetDocShell();
+- OSL_ENSURE( pDShell, "No DocShell?!");
+ OUString sTargetFrame(rTargetFrameName);
+ if (sTargetFrame.isEmpty() && pDShell)
+ {
+@@ -539,7 +533,6 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+ OUString sReferer;
+ if( pDShell && pDShell->GetMedium() )
+ sReferer = pDShell->GetMedium()->GetName();
+- SfxViewFrame* pViewFrame = rSh.GetView().GetViewFrame();
+ SfxFrameItem aView( SID_DOCFRAME, pViewFrame );
+ SfxStringItem aName( SID_FILE_NAME, rURL );
+ SfxStringItem aTargetFrameName( SID_TARGETNAME, sTargetFrame );
+@@ -565,6 +558,23 @@ void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
+ SfxCallMode::ASYNCHRON|SfxCallMode::RECORD );
+ }
+
++void LoadURL( SwViewShell& rVSh, const OUString& rURL, LoadUrlFlags nFilter,
++ const OUString& rTargetFrameName )
++{
++ OSL_ENSURE( !rURL.isEmpty(), "what should be loaded here?" );
++ if( rURL.isEmpty() )
++ return ;
++
++ // The shell could be 0 also!!!!!
++ if ( dynamic_cast( &rVSh) == nullptr )
++ return;
++
++ //A CursorShell is always a WrtShell
++ SwWrtShell &rSh = static_cast(rVSh);
++
++ ::LoadURL(rSh.GetView(), rURL, nFilter, rTargetFrameName);
++}
++
+ void SwWrtShell::NavigatorPaste( const NaviContentBookmark& rBkmk,
+ const sal_uInt16 nAction )
+ {
+--
+2.43.0
+
diff --git a/patches/CVE-2023-6186-5.patch b/patches/CVE-2023-6186-5.patch
new file mode 100644
index 000000000..13e979227
--- /dev/null
+++ b/patches/CVE-2023-6186-5.patch
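Review bot: The new static `LoadURL(SwView&, ...)` in wrtsh2.cxx dereferences `pViewFrame` unconditionally in `pViewFrame->GetFrameWeld()`, while the Calc call site in this same patch guards the equivalent pointer with `pFrame ? pFrame->GetFrameWeld() : nullptr`. In the lines visible here `pViewFrame` was previously only handed to `SfxFrameItem`, so a null frame, if one can occur on this path, would now crash before the protocol check runs. Use the same guard: `pViewFrame ? pViewFrame->GetFrameWeld() : nullptr`. `AllowedLinkProtocolFromDocument` in objsh.hxx would also benefit from a doc comment stating that it returns false for an exotic URL when `pObjShell` is null and that it may run a modal dialog.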
@@ -0,0 +1,85 @@
+From fd809982a280218046ab7e6e6d24492420143e6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Wed, 22 Nov 2023 21:14:41 +0000
+Subject: [PATCH 5/5] reuse AllowedLinkProtocolFromDocument in impress/draw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I73ca4f087946a45dbf92d69a0dc1e769de9b5690
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159843
+Tested-by: Jenkins
+Reviewed-by: Caolán McNamara
+(cherry picked from commit f0942eed2eb328b04856f20613f5226d66b66a20)
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159759
+Reviewed-by: Michael Stahl
+Signed-off-by: Xisco Fauli
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159884
+Reviewed-by: Miklos Vajna
+(cherry picked from commit 569fa7f755718a06f23d25b2132bf0400cec7a0f)
+(cherry picked from commit b60bd2dddc4b9d6d60615d61051a9f9ee5410851)
+(cherry picked from commit 8b244a0ce8a9170a1fd61e19a0c943230a741fbe)
+(cherry picked from commit 87535988868baac08173fc826dbb6c6cbdf91dd4)
+---
+ sd/source/ui/app/sdmod1.cxx | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx
+index f3ec8b3df514..aec7a3dcb2d8 100644
+--- a/sd/source/ui/app/sdmod1.cxx
++++ b/sd/source/ui/app/sdmod1.cxx
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -193,26 +194,32 @@ void SdModule::Execute(SfxRequest& rReq)
+ {
+ bool bIntercept = false;
+ ::sd::DrawDocShell* pDocShell = dynamic_cast< ::sd::DrawDocShell *>( SfxObjectShell::Current() );
+- if (pDocShell)
++ ::sd::ViewShell* pViewShell = pDocShell ? pDocShell->GetViewShell() : nullptr;
++ if (pViewShell)
+ {
+- ::sd::ViewShell* pViewShell = pDocShell->GetViewShell();
+- if (pViewShell)
++ if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
+ {
+- if( sd::SlideShow::IsRunning( pViewShell->GetViewShellBase() ) )
++ // Prevent documents from opening while the slide
++ // show is running, except when this request comes
++ // from a shape interaction.
++ if (rReq.GetArgs() == nullptr)
+ {
+- // Prevent documents from opening while the slide
+- // show is running, except when this request comes
+- // from a shape interaction.
+- if (rReq.GetArgs() == nullptr)
+- {
+- bIntercept = true;
+- }
++ bIntercept = true;
+ }
+ }
+ }
+
+ if (!bIntercept)
+ {
++ if (const SfxStringItem* pURLItem = rReq.GetArg(SID_FILE_NAME))
++ {
++ if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(pURLItem->GetValue(),
++ pViewShell->GetObjectShell(),
++ pViewShell->GetFrameWeld()))
++ {
++ return;
++ }
++ }
+ SfxGetpApp()->ExecuteSlot(rReq, SfxGetpApp()->GetInterface());
+ }
+ else
+--
+2.43.0
+
diff --git a/patches/CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch b/patches/CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch
new file mode 100644
index 000000000..e84548311
--- /dev/null
+++ b/patches/CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch
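Review bot: The added guard `if (!pViewShell || !SfxObjectShell::AllowedLinkProtocolFromDocument(...)) return;` in sdmod1.cxx drops every request that carries `SID_FILE_NAME` when there is no view shell, ordinary URLs included, because `!pViewShell` short-circuits before the protocol is examined; before this patch such a request reached `ExecuteSlot`. As patch 4/5 on this page shows, the helper already returns true for non-exotic URLs and false for exotic ones when the shell is null, so the null case can simply be passed through: drop the `!pViewShell ||` term and pass `pViewShell ? pViewShell->GetObjectShell() : nullptr` and `pViewShell ? pViewShell->GetFrameWeld() : nullptr` as the second and third arguments. The early return is also silent, unlike the other call sites which log what was ignored. The enclosing `case` starts outside the hunk.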
@@ -0,0 +1,44 @@
+From ececb678b8362e3be8e02768ddd5e4197d87dc2a Mon Sep 17 00:00:00 2001
+From: Miklos Vajna
+Date: Mon, 27 Nov 2023 11:21:57 +0100
+Subject: [PATCH] CppunitTest_desktop_lib: adjust asserts so this works again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Id6aba3d9203e3fe4e95771a895d1de50a2030908
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159990
+Tested-by: Jenkins CollaboraOffice
+Tested-by: Caolán McNamara
+Reviewed-by: Caolán McNamara
+---
+ desktop/qa/desktop_lib/test_desktop_lib.cxx | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/desktop/qa/desktop_lib/test_desktop_lib.cxx b/desktop/qa/desktop_lib/test_desktop_lib.cxx
+index 12c52f08e833..65d6a4231960 100644
+--- a/desktop/qa/desktop_lib/test_desktop_lib.cxx
++++ b/desktop/qa/desktop_lib/test_desktop_lib.cxx
+@@ -2891,7 +2891,8 @@ void DesktopLOKTest::testInsertCertificate_PEM_ODT()
+ }
+
+ int nState = pDocument->m_pDocumentClass->getSignatureState(pDocument);
+- CPPUNIT_ASSERT_EQUAL(int(1), nState);
++ // OK or NOTVALIDATED (signature is OK, but certificate could not be validated)
++ CPPUNIT_ASSERT(nState == 1 || nState == 4);
+ }
+
+ void DesktopLOKTest::testInsertCertificate_PEM_DOCX()
+@@ -2946,7 +2947,8 @@ void DesktopLOKTest::testInsertCertificate_PEM_DOCX()
+ }
+
+ int nState = pDocument->m_pDocumentClass->getSignatureState(pDocument);
+- CPPUNIT_ASSERT_EQUAL(int(5), nState);
++ // PARTIAL_OK or NOTVALIDATED_PARTIAL_OK
++ CPPUNIT_ASSERT(nState == 5 || nState == 6);
+ }
+
+ void DesktopLOKTest::testSignDocument_PEM_PDF()
+--
+2.42.0
+
diff --git a/patches/series b/patches/series
index 1d38230c6..a38a61f1e 100644
--- a/patches/series
+++ b/patches/series
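Review bot: Replacing `CPPUNIT_ASSERT_EQUAL` with `CPPUNIT_ASSERT(nState == 1 || nState == 4)` in testInsertCertificate_PEM_ODT loses the actual value on failure and leaves the accepted states as bare numbers explained only by the comment. The test also no longer tells a validated certificate from an unvalidated one, which the changelog on this page attributes to expired test certificates; that reason belongs in the comment so the relaxation can be reverted once the certificates are renewed. Keep the value in the failure output, e.g. `CPPUNIT_ASSERT_MESSAGE(std::to_string(nState), nState == 1 || nState == 4);`, and do the same for the `5 || 6` assertion in testInsertCertificate_PEM_DOCX.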
@@ -63,3 +63,10 @@ CVE-2023-2255-1.patch
 CVE-2023-2255-2.patch
 CVE-2023-2255-3.patch
 CVE-2023-0950.patch
+CVE-2023-6185.patch
+CVE-2023-6186-1.patch
+CVE-2023-6186-2.patch
+CVE-2023-6186-3.patch
+CVE-2023-6186-4.patch
+CVE-2023-6186-5.patch
+CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch