rpms/openoffice.org/F-8 workspace.sjfixes06.patch, NONE, 1.1 workspace.sjfixes09.patch, NONE, 1.1 openoffice.org.spec, 1.1358, 1.1359
Caolan McNamara
caolanm at fedoraproject.org
Wed Oct 29 09:39:44 UTC 2008
- Previous message: rpms/openoffice.org/F-9 openoffice.org.spec, 1.1509, 1.1510 openoffice.org-2.4.0.ooo93119.shell.echos.patch, 1.1, NONE openoffice.org-3.0.0.ooo90071.chart2.negativecount.patch, 1.1, NONE
- Next message: rpms/ladvd/F-10 ladvd-0.6.1-bonding.patch, NONE, 1.1 ladvd.fc, NONE, 1.1 ladvd.if, NONE, 1.1 ladvd.init, NONE, 1.1 ladvd.spec, NONE, 1.1 ladvd.sysconfig, NONE, 1.1 ladvd.te, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: caolanm
Update of /cvs/pkgs/rpms/openoffice.org/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22086
Modified Files:
openoffice.org.spec
Added Files:
workspace.sjfixes06.patch workspace.sjfixes09.patch
Log Message:
CVE-2008-2237 CVE-2008-2238
workspace.sjfixes06.patch:
--- NEW FILE workspace.sjfixes06.patch ---
Index: util/svtools/source/filter.vcl/wmf/winwmf.cxx
diff -u util/svtools/source/filter.vcl/wmf/winwmf.cxx:1.36 util/svtools/source/filter.vcl/wmf/winwmf.cxx:1.36.156.1
--- util/svtools/source/filter.vcl/wmf/winwmf.cxx:1.36 Thu Apr 10 13:59:55 2008
+++ util/svtools/source/filter.vcl/wmf/winwmf.cxx Wed Sep 17 03:24:07 2008
@@ -816,6 +816,16 @@
case W_META_ESCAPE :
{
+ // nRecSize has been checked previously to be greater than 3
+ sal_uInt64 nMetaRecSize = static_cast< sal_uInt64 >( nRecSize - 2 ) * 2;
+ sal_uInt64 nMetaRecEndPos = pWMF->Tell() + nMetaRecSize;
+
+ // taking care that nRecSize does not exceed the maximal stream position
+ if ( nMetaRecEndPos > nEndPos )
+ {
+ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+ break;
+ }
if ( nRecSize >= 12 ) // minimal escape lenght
{
sal_uInt16 nMode, nLen, OO;
@@ -838,7 +848,13 @@
sal_uInt32 nCheckSum = rtl_crc32( 0, &nEsc, 4 );
#endif
sal_Int8* pData = NULL;
- if ( nEscLen )
+
+ if ( ( static_cast< sal_uInt64 >( nEscLen ) + pWMF->Tell() ) > nMetaRecEndPos )
+ {
+ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+ break;
+ }
+ if ( nEscLen > 0 )
{
pData = new sal_Int8[ nEscLen ];
pWMF->Read( pData, nEscLen );
@@ -863,12 +879,14 @@
>> aPt.Y()
>> nStringLen;
- if (nStringLen < STRING_MAXLEN)
+ if ( ( static_cast< sal_uInt64 >( nStringLen ) * sizeof( sal_Unicode ) ) < ( nEscLen - aMemoryStream.Tell() ) )
{
sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen );
for ( i = 0; i < nStringLen; i++ )
aMemoryStream >> pBuf[ i ];
aMemoryStream >> nDXCount;
+ if ( ( static_cast< sal_uInt64 >( nDXCount ) * sizeof( sal_Int32 ) ) >= ( nEscLen - aMemoryStream.Tell() ) )
+ nDXCount = 0;
if ( nDXCount )
pDXAry = new sal_Int32[ nDXCount ];
for ( i = 0; i < nDXCount; i++ )
workspace.sjfixes09.patch:
--- NEW FILE workspace.sjfixes09.patch ---
Index: util/svtools/source/filter.vcl/wmf/enhwmf.cxx
diff -u util/svtools/source/filter.vcl/wmf/enhwmf.cxx:1.39 util/svtools/source/filter.vcl/wmf/enhwmf.cxx:1.39.160.2
--- util/svtools/source/filter.vcl/wmf/enhwmf.cxx:1.39 Thu Apr 10 13:58:52 2008
+++ util/svtools/source/filter.vcl/wmf/enhwmf.cxx Wed Sep 24 11:49:05 2008
@@ -336,28 +336,34 @@
// Anzahl der Polygone:
*pWMF >> nPoly >> i;
- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
- pnPoints = new UINT16[ nPoly ];
-
- for ( i = 0; i < nPoly; i++ )
+ // taking the amount of points of each polygon, retrieving the total number of points
+ if ( static_cast< sal_uInt32 >(nPoly) < SAL_MAX_UINT32 / sizeof(UINT16) )
{
- *pWMF >> nPoints;
- pnPoints[ i ] = (UINT16)nPoints;
- }
+ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ pnPoints = new UINT16[ nPoly ];
- // Polygonpunkte holen:
+ for ( i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> nPoints;
+ pnPoints[ i ] = (UINT16)nPoints;
+ }
- for ( i = 0; i < nPoly; i++ )
- {
- Polygon aPoly( pnPoints[ i ] );
- for( UINT16 k = 0; k < pnPoints[ i ]; k++ )
- {
- *pWMF >> nX32 >> nY32;
- aPoly[ k ] = Point( nX32, nY32 );
+ // Polygonpunkte holen:
+
+ for ( i = 0; ( i < nPoly ) && !pWMF->IsEof(); i++ )
+ {
+ Polygon aPoly( pnPoints[ i ] );
+ for( UINT16 k = 0; k < pnPoints[ i ]; k++ )
+ {
+ *pWMF >> nX32 >> nY32;
+ aPoly[ k ] = Point( nX32, nY32 );
+ }
+ pOut->DrawPolyLine( aPoly, sal_False, bRecordPath );
+ }
+ delete[] pnPoints;
}
- pOut->DrawPolyLine( aPoly, sal_False, bRecordPath );
}
- delete[] pnPoints;
}
break;
@@ -372,30 +378,35 @@
// Anzahl der Polygone:
*pWMF >> nPoly >> nGesPoints;
- if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ if ( ( nGesPoints < SAL_MAX_UINT32 / sizeof(Point) ) && ( nPoly < SAL_MAX_UINT32 / sizeof(UINT16) ) )
{
+ if ( ( nPoly * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ pnPoints = new UINT16[ nPoly ];
+
+ for ( i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> nPoints;
+ pnPoints[ i ] = (UINT16)nPoints;
+ }
- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
- pnPoints = new UINT16[ nPoly ];
-
- for ( i = 0; i < nPoly; i++ )
- {
- *pWMF >> nPoints;
- pnPoints[ i ] = (UINT16)nPoints;
- }
- // Polygonpunkte holen:
- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
-
- for ( i = 0; i < nGesPoints; i++ )
- {
- *pWMF >> nX32 >> nY32;
- pPtAry[ i ] = Point( nX32, nY32 );
- }
- // PolyPolygon Actions erzeugen
- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
- delete[] (char*) pPtAry;
- delete[] pnPoints;
+ if ( ( nGesPoints * sizeof(Point) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ // Polygonpunkte holen:
+ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+
+ for ( i = 0; i < nGesPoints; i++ )
+ {
+ *pWMF >> nX32 >> nY32;
+ pPtAry[ i ] = Point( nX32, nY32 );
+ }
+ // PolyPolygon Actions erzeugen
+ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+ delete[] (char*) pPtAry;
+ }
+ delete[] pnPoints;
+ }
}
}
break;
@@ -832,32 +843,35 @@
else
{
UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
- char* pBuf = new char[ nSize ];
- SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
- aTmp.ObjectOwnsMemory( TRUE );
- aTmp << (BYTE)'B'
- << (BYTE)'M'
- << (UINT32)cbBitsSrc
- << (UINT16)0
- << (UINT16)0
- << (UINT32)cbBmiSrc + 14;
- pWMF->Seek( nStart + offBmiSrc );
- pWMF->Read( pBuf + 14, cbBmiSrc );
- pWMF->Seek( nStart + offBitsSrc );
- pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
- aTmp.Seek( 0 );
- aBitmap.Read( aTmp, TRUE );
-
- // test if it is sensible to crop
- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ if ( nSize <= ( nEndPos - nStartPos ) )
{
- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
- aBitmap.Crop( aCropRect );
+ char* pBuf = new char[ nSize ];
+ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
+ aTmp.ObjectOwnsMemory( TRUE );
+ aTmp << (BYTE)'B'
+ << (BYTE)'M'
+ << (UINT32)cbBitsSrc
+ << (UINT16)0
+ << (UINT16)0
+ << (UINT32)cbBmiSrc + 14;
+ pWMF->Seek( nStart + offBmiSrc );
+ pWMF->Read( pBuf + 14, cbBmiSrc );
+ pWMF->Seek( nStart + offBitsSrc );
+ pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
+ aTmp.Seek( 0 );
+ aBitmap.Read( aTmp, TRUE );
+
+ // test if it is sensible to crop
+ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ {
+ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+ aBitmap.Crop( aCropRect );
+ }
+ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
}
break;
@@ -883,32 +897,35 @@
else
{
UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
- char* pBuf = new char[ nSize ];
- SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
- aTmp.ObjectOwnsMemory( TRUE );
- aTmp << (BYTE)'B'
- << (BYTE)'M'
- << (UINT32)cbBitsSrc
- << (UINT16)0
- << (UINT16)0
- << (UINT32)cbBmiSrc + 14;
- pWMF->Seek( nStart + offBmiSrc );
- pWMF->Read( pBuf + 14, cbBmiSrc );
- pWMF->Seek( nStart + offBitsSrc );
- pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
- aTmp.Seek( 0 );
- aBitmap.Read( aTmp, TRUE );
-
- // test if it is sensible to crop
- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ if ( nSize <= ( nEndPos - nStartPos ) )
{
- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
- aBitmap.Crop( aCropRect );
+ char* pBuf = new char[ nSize ];
+ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
+ aTmp.ObjectOwnsMemory( TRUE );
+ aTmp << (BYTE)'B'
+ << (BYTE)'M'
+ << (UINT32)cbBitsSrc
+ << (UINT16)0
+ << (UINT16)0
+ << (UINT32)cbBmiSrc + 14;
+ pWMF->Seek( nStart + offBmiSrc );
+ pWMF->Read( pBuf + 14, cbBmiSrc );
+ pWMF->Seek( nStart + offBitsSrc );
+ pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
+ aTmp.Seek( 0 );
+ aBitmap.Read( aTmp, TRUE );
+
+ // test if it is sensible to crop
+ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ {
+ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+ aBitmap.Crop( aCropRect );
+ }
+ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
}
break;
@@ -960,55 +977,64 @@
DBG_ASSERT( ( nOptions & ( ETO_PDY | ETO_GLYPH_INDEX ) ) == 0, "SJ: ETO_PDY || ETO_GLYPH_INDEX in EMF" );
Point aPos( ptlReferenceX, ptlReferenceY );
- if ( nLen )
+ if ( nLen && ( nLen < SAL_MAX_UINT32 / sizeof(sal_Int32) ) )
{
if ( offDx && (( nCurPos + offDx + nLen * 4 ) <= nNextPos ) )
{
pWMF->Seek( nCurPos + offDx );
- pDX = new sal_Int32[ nLen ];
- sal_uInt32 i;
- for ( i = 0; i < nLen; i++ )
- *pWMF >> pDX[ i ];
+ if ( ( nLen * sizeof(sal_uInt32) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ pDX = new sal_Int32[ nLen ];
+ sal_uInt32 i;
+ for ( i = 0; i < nLen; i++ )
+ *pWMF >> pDX[ i ];
+ }
}
pWMF->Seek( nCurPos + nOffString );
String aText;
if ( bFlag )
{
- sal_Char* pBuf = new sal_Char[ nLen ];
- pWMF->Read( pBuf, nLen );
- aText = String( pBuf, (sal_uInt16)nLen, pOut->GetCharSet() );
- delete[] pBuf;
-
- if ( aText.Len() != nLen )
- {
- sal_uInt16 i, j, k;
- sal_Int32* pOldDx = pDX;
- pDX = new sal_Int32[ aText.Len() ];
- for ( i = 0, j = 0; i < aText.Len(); i++ )
+ if ( nLen <= ( nEndPos - pWMF->Tell() ) )
+ {
+ sal_Char* pBuf = new sal_Char[ nLen ];
+ pWMF->Read( pBuf, nLen );
+ aText = String( pBuf, (sal_uInt16)nLen, pOut->GetCharSet() );
+ delete[] pBuf;
+
+ if ( aText.Len() != nLen )
{
- ByteString aCharacter( aText.GetChar( i ), pOut->GetCharSet() );
- pDX[ i ] = 0;
- for ( k = 0; ( k < aCharacter.Len() ) && ( j < nLen ) && ( i < aText.Len() ); k++ )
- pDX[ i ] += pOldDx[ j++ ];
+ sal_uInt16 i, j, k;
+ sal_Int32* pOldDx = pDX;
+ pDX = new sal_Int32[ aText.Len() ];
+ for ( i = 0, j = 0; i < aText.Len(); i++ )
+ {
+ ByteString aCharacter( aText.GetChar( i ), pOut->GetCharSet() );
+ pDX[ i ] = 0;
+ for ( k = 0; ( k < aCharacter.Len() ) && ( j < nLen ) && ( i < aText.Len() ); k++ )
+ pDX[ i ] += pOldDx[ j++ ];
+ }
+ delete[] pOldDx;
}
- delete[] pOldDx;
}
}
else
{
- sal_Unicode* pBuf = new sal_Unicode[ nLen ];
- pWMF->Read( pBuf, nLen << 1 );
-#ifdef OSL_BIGENDIAN
- sal_Char nTmp, *pTmp = (sal_Char*)( pBuf + nLen );
- while ( pTmp-- != (sal_Char*)pBuf )
+ if ( ( nLen * sizeof(sal_Unicode) ) <= ( nEndPos - pWMF->Tell() ) )
{
- nTmp = *pTmp--;
- pTmp[ 1 ] = *pTmp;
- *pTmp = nTmp;
- }
+ sal_Unicode* pBuf = new sal_Unicode[ nLen ];
+ pWMF->Read( pBuf, nLen << 1 );
+#ifdef OSL_BIGENDIAN
+ sal_Char nTmp, *pTmp = (sal_Char*)( pBuf + nLen );
+ while ( pTmp-- != (sal_Char*)pBuf )
+ {
+ nTmp = *pTmp--;
+ pTmp[ 1 ] = *pTmp;
+ *pTmp = nTmp;
+ }
#endif
- aText = String( pBuf, (xub_StrLen)nLen );
- delete[] pBuf;
+ aText = String( pBuf, (xub_StrLen)nLen );
+ delete[] pBuf;
+ }
}
pOut->DrawText( aPos, aText, pDX, bRecordPath, nGfxMode );
}
@@ -1083,25 +1109,32 @@
pWMF->SeekRel( 0x10 );
// Anzahl der Polygone:
*pWMF >> nPoly >> nGesPoints;
- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
- pnPoints = new UINT16[ nPoly ];
- for ( i = 0; i < nPoly; i++ )
- {
- *pWMF >> nPoints;
- pnPoints[ i ] = (UINT16)nPoints;
- }
- // Polygonpunkte holen:
- for ( i = 0; i < nPoly; i++ )
+
+ // taking the amount of points of each polygon, retrieving the total number of points
+ if ( static_cast< sal_uInt32 >(nPoly) < SAL_MAX_UINT32 / sizeof(UINT16) )
{
- Polygon aPolygon( pnPoints[ i ] );
- for ( UINT16 k = 0; k < pnPoints[ i ]; k++ )
+ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
{
- *pWMF >> nX16 >> nY16;
- aPolygon[ k ] = Point( nX16, nY16 );
+ pnPoints = new UINT16[ nPoly ];
+ for ( i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> nPoints;
+ pnPoints[ i ] = (UINT16)nPoints;
+ }
+ // Polygonpunkte holen:
+ for ( i = 0; ( i < nPoly ) && !pWMF->IsEof(); i++ )
+ {
+ Polygon aPolygon( pnPoints[ i ] );
+ for ( UINT16 k = 0; k < pnPoints[ i ]; k++ )
+ {
+ *pWMF >> nX16 >> nY16;
+ aPolygon[ k ] = Point( nX16, nY16 );
+ }
+ pOut->DrawPolyLine( aPolygon, sal_False, bRecordPath );
+ }
+ delete[] pnPoints;
}
- pOut->DrawPolyLine( aPolygon, sal_False, bRecordPath );
}
- delete[] pnPoints;
}
break;
@@ -1114,28 +1147,33 @@
pWMF->SeekRel( 0x10 );
// Anzahl der Polygone:
*pWMF >> nPoly >> nGesPoints;
- if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ if ( ( nGesPoints < SAL_MAX_UINT32 / sizeof(Point) ) && ( nPoly < SAL_MAX_UINT32 / sizeof(UINT16) ) )
{
- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
- pnPoints = new UINT16[ nPoly ];
- for ( i = 0; i < nPoly; i++ )
- {
- *pWMF >> nPoints;
- pnPoints[ i ] = (UINT16)nPoints;
- }
- // Polygonpunkte holen:
- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
- for ( i = 0; i < nGesPoints; i++ )
- {
- *pWMF >> nX16 >> nY16;
- pPtAry[ i ] = Point( nX16, nY16 );
- }
-
- // PolyPolygon Actions erzeugen
- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
- delete[] (char*) pPtAry;
- delete[] pnPoints;
+ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof( UINT16 ) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ pnPoints = new UINT16[ nPoly ];
+ for ( i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> nPoints;
+ pnPoints[ i ] = (UINT16)nPoints;
+ }
+ if ( ( nGesPoints * sizeof(Point) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+ // Polygonpunkte holen:
+ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+ for ( i = 0; i < nGesPoints; i++ )
+ {
+ *pWMF >> nX16 >> nY16;
+ pPtAry[ i ] = Point( nX16, nY16 );
+ }
+
+ // PolyPolygon Actions erzeugen
+ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+ delete[] (char*) pPtAry;
+ }
+ delete[] pnPoints;
+ }
}
}
break;
@@ -1266,6 +1304,13 @@
*pWMF >> nUINT32; // nVersion
*pWMF >> nEndPos; // size of metafile
nEndPos += nStartPos;
+
+ sal_uInt32 nStrmPos = pWMF->Tell(); // checking if nEndPos is valid
+ pWMF->Seek( STREAM_SEEK_TO_END );
+ if ( pWMF->Tell() < nEndPos )
+ nEndPos = pWMF->Tell();
+ pWMF->Seek( nStrmPos );
+
*pWMF >> nRecordCount;
if ( !nRecordCount )
Index: openoffice.org.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-8/openoffice.org.spec,v
retrieving revision 1.1358
retrieving revision 1.1359
diff -u -r1.1358 -r1.1359
--- openoffice.org.spec 27 Aug 2008 19:08:07 -0000 1.1358
+++ openoffice.org.spec 29 Oct 2008 09:39:13 -0000 1.1359
@@ -1,6 +1,6 @@
%define oootag OOG680
%define ooomilestone 6
-%define rh_rpm_release 16
+%define rh_rpm_release 17
# undef to get english only and no-langpacks for a faster smoketest build
%define langpacks 1
@@ -175,6 +175,8 @@
Patch93: workspace.sjfixes03.patch
Patch94: workspace.mhu18.patch
Patch95: openoffice.org-2.4.1.ooo92217.sal.alloc.patch
+Patch96: workspace.sjfixes06.patch
+Patch97: workspace.sjfixes09.patch
%define instdir %{_libdir}/openoffice.org
@@ -1145,6 +1147,8 @@
%patch93 -p1 -b .workspace.sjfixes03.patch
%patch94 -p1 -b .workspace.mhu18.patch
%patch95 -p1 -b .ooo92217.sal.alloc.patch
+%patch96 -p1 -b .workspace.sjfixes06.patch
+%patch97 -p1 -b .workspace.sjfixes09.patch
%if %{linkopt}
chmod a+x solenv/bin/mklinkscript.pl
@@ -2859,6 +2863,10 @@
%{instdir}/share/registry/modules/org/openoffice/Office/Scripting/Scripting-python.xcu
%changelog
+* Wed Oct 29 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.17
+- CVE-2008-2237: Manipulated WMF files
+- CVE-2008-2238: Manipulated EMF files
+
* Wed Aug 27 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.16
- Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
- Previous message: rpms/openoffice.org/F-9 openoffice.org.spec, 1.1509, 1.1510 openoffice.org-2.4.0.ooo93119.shell.echos.patch, 1.1, NONE openoffice.org-3.0.0.ooo90071.chart2.negativecount.patch, 1.1, NONE
- Next message: rpms/ladvd/F-10 ladvd-0.6.1-bonding.patch, NONE, 1.1 ladvd.fc, NONE, 1.1 ladvd.if, NONE, 1.1 ladvd.init, NONE, 1.1 ladvd.spec, NONE, 1.1 ladvd.sysconfig, NONE, 1.1 ladvd.te, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list