[libreoffice/f19] Resolves: rhbz#1139592 CVE-2014-3575 arbitrary file preview disclosure via ole2 objects
Caolán McNamara
caolanm at fedoraproject.org
Tue Sep 9 13:52:50 UTC 2014
commit 1058a0a036111c2b59ab1e384b11233e1250595a
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Sep 9 14:18:46 2014 +0100
Resolves: rhbz#1139592 CVE-2014-3575 arbitrary file preview disclosure via ole2 objects
...25386-secured-user-request-and-changed-so.patch | 213 ++++++++++++++++++++
libreoffice.spec | 6 +-
2 files changed, 218 insertions(+), 1 deletions(-)
---
diff --git a/0001-Resolves-i125386-secured-user-request-and-changed-so.patch b/0001-Resolves-i125386-secured-user-request-and-changed-so.patch
new file mode 100644
index 0000000..a0844f2
--- /dev/null
+++ b/0001-Resolves-i125386-secured-user-request-and-changed-so.patch
@@ -0,0 +1,213 @@
+From 070f5923eac7a93b64d2f168d91a3983b80a22c0 Mon Sep 17 00:00:00 2001
+From: Armin Le Grand <alg at apache.org>
+Date: Thu, 7 Aug 2014 09:59:26 +0000
+Subject: [PATCH] Resolves: #i125386# secured user request and changed some
+ bools to bitfield
+
+(cherry picked from commit 5e3cbe056c19bea5018dbf1fd4b2bc8f8b030ff3)
+
+Conflicts:
+ comphelper/inc/comphelper/embeddedobjectcontainer.hxx
+ comphelper/source/container/embeddedobjectcontainer.cxx
+ sfx2/source/appl/linkmgr2.cxx
+ svtools/source/misc/embedhlp.cxx
+
+(cherry picked from commit d005acae3aa315921f2c331612131626c470bd22)
+
+Conflicts:
+ include/comphelper/embeddedobjectcontainer.hxx
+
+Change-Id: I7e9b20a87ca6afe8cb91c577860a6c6b72368ee9
+Reviewed-on: https://gerrit.libreoffice.org/10882
+Reviewed-by: David Tardon <dtardon at redhat.com>
+Tested-by: David Tardon <dtardon at redhat.com>
+---
+ .../source/container/embeddedobjectcontainer.cxx | 36 +++++++++++++++++-----
+ include/comphelper/embeddedobjectcontainer.hxx | 3 ++
+ sfx2/source/appl/linkmgr2.cxx | 12 +++++++-
+ svtools/source/misc/embedhlp.cxx | 29 +++++++++++------
+ 4 files changed, 62 insertions(+), 18 deletions(-)
+
+diff --git a/comphelper/source/container/embeddedobjectcontainer.cxx b/comphelper/source/container/embeddedobjectcontainer.cxx
+index c3b4338..4fef6c0 100644
+--- a/comphelper/source/container/embeddedobjectcontainer.cxx
++++ b/comphelper/source/container/embeddedobjectcontainer.cxx
+@@ -85,7 +85,10 @@ struct EmbedImpl
+ uno::WeakReference < uno::XInterface > m_xModel;
+ //EmbeddedObjectContainerNameMap maTempObjectContainer;
+ //uno::Reference < embed::XStorage > mxTempStorage;
+- bool bOwnsStorage;
++
++ /// bitfield
++ bool mbOwnsStorage : 1;
++ bool mbUserAllowsLinkUpdate : 1;
+
+ const uno::Reference < embed::XStorage >& GetReplacements();
+ };
+@@ -116,7 +119,8 @@ EmbeddedObjectContainer::EmbeddedObjectContainer()
+ {
+ pImpl = new EmbedImpl;
+ pImpl->mxStorage = ::comphelper::OStorageHelper::GetTemporaryStorage();
+- pImpl->bOwnsStorage = true;
++ pImpl->mbOwnsStorage = true;
++ pImpl->mbUserAllowsLinkUpdate = true;
+ pImpl->mpTempObjectContainer = 0;
+ }
+
+@@ -124,7 +128,8 @@ EmbeddedObjectContainer::EmbeddedObjectContainer( const uno::Reference < embed::
+ {
+ pImpl = new EmbedImpl;
+ pImpl->mxStorage = rStor;
+- pImpl->bOwnsStorage = false;
++ pImpl->mbOwnsStorage = false;
++ pImpl->mbUserAllowsLinkUpdate = true;
+ pImpl->mpTempObjectContainer = 0;
+ }
+
+@@ -132,7 +137,8 @@ EmbeddedObjectContainer::EmbeddedObjectContainer( const uno::Reference < embed::
+ {
+ pImpl = new EmbedImpl;
+ pImpl->mxStorage = rStor;
+- pImpl->bOwnsStorage = false;
++ pImpl->mbOwnsStorage = false;
++ pImpl->mbUserAllowsLinkUpdate = true;
+ pImpl->mpTempObjectContainer = 0;
+ pImpl->m_xModel = xModel;
+ }
+@@ -141,11 +147,11 @@ void EmbeddedObjectContainer::SwitchPersistence( const uno::Reference < embed::X
+ {
+ ReleaseImageSubStorage();
+
+- if ( pImpl->bOwnsStorage )
++ if ( pImpl->mbOwnsStorage )
+ pImpl->mxStorage->dispose();
+
+ pImpl->mxStorage = rStor;
+- pImpl->bOwnsStorage = false;
++ pImpl->mbOwnsStorage = false;
+ }
+
+ sal_Bool EmbeddedObjectContainer::CommitImageSubStorage()
+@@ -201,7 +207,7 @@ EmbeddedObjectContainer::~EmbeddedObjectContainer()
+ {
+ ReleaseImageSubStorage();
+
+- if ( pImpl->bOwnsStorage )
++ if ( pImpl->mbOwnsStorage )
+ pImpl->mxStorage->dispose();
+
+ delete pImpl->mpTempObjectContainer;
+@@ -1378,7 +1384,7 @@ sal_Bool EmbeddedObjectContainer::StoreAsChildren(sal_Bool _bOasisFormat,sal_Boo
+ xStream = GetGraphicStream( xObj, &aMediaType );
+ }
+
+- if ( !xStream.is() )
++ if ( !xStream.is() && getUserAllowsLinkUpdate() )
+ {
+ // the image must be regenerated
+ // TODO/LATER: another aspect could be used
+@@ -1667,6 +1673,20 @@ sal_Bool EmbeddedObjectContainer::SetPersistentEntries(const uno::Reference< emb
+ }
+ return bError;
+ }
++
++bool EmbeddedObjectContainer::getUserAllowsLinkUpdate() const
++{
++ return pImpl->mbUserAllowsLinkUpdate;
++}
++
++void EmbeddedObjectContainer::setUserAllowsLinkUpdate(bool bNew)
++{
++ if(pImpl->mbUserAllowsLinkUpdate != bNew)
++ {
++ pImpl->mbUserAllowsLinkUpdate = bNew;
++ }
++}
++
+ }
+
+ /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
+diff --git a/include/comphelper/embeddedobjectcontainer.hxx b/include/comphelper/embeddedobjectcontainer.hxx
+index 616ca0f..270ef1b 100644
+--- a/include/comphelper/embeddedobjectcontainer.hxx
++++ b/include/comphelper/embeddedobjectcontainer.hxx
+@@ -177,6 +177,9 @@ public:
+ * \return <FALSE/> if no error occurred, otherwise <TRUE/>.
+ */
+ sal_Bool SetPersistentEntries(const com::sun::star::uno::Reference< com::sun::star::embed::XStorage >& _xStorage,bool _bClearModifedFlag = true);
++
++ bool getUserAllowsLinkUpdate() const;
++ void setUserAllowsLinkUpdate(bool bNew);
+ };
+
+ }
+diff --git a/sfx2/source/appl/linkmgr2.cxx b/sfx2/source/appl/linkmgr2.cxx
+index e1e4606..878479f 100644
+--- a/sfx2/source/appl/linkmgr2.cxx
++++ b/sfx2/source/appl/linkmgr2.cxx
+@@ -328,7 +328,17 @@ void LinkManager::UpdateAllLinks(
+ {
+ int nRet = QueryBox( pParentWin, WB_YES_NO | WB_DEF_YES, SfxResId( STR_QUERY_UPDATE_LINKS ).toString() ).Execute();
+ if( RET_YES != nRet )
+- return ; // nothing should be updated
++ {
++ SfxObjectShell* pShell = pLink->GetLinkManager()->GetPersist();
++
++ if(pShell)
++ {
++ comphelper::EmbeddedObjectContainer& rEmbeddedObjectContainer = pShell->getEmbeddedObjectContainer();
++ rEmbeddedObjectContainer.setUserAllowsLinkUpdate(false);
++ }
++
++ return ; // nothing should be updated
++ }
+ bAskUpdate = false; // once is enough
+ }
+
+diff --git a/svtools/source/misc/embedhlp.cxx b/svtools/source/misc/embedhlp.cxx
+index fb5f3f2..3aa1f12 100644
+--- a/svtools/source/misc/embedhlp.cxx
++++ b/svtools/source/misc/embedhlp.cxx
+@@ -601,19 +601,30 @@ SvStream* EmbeddedObjectRef::GetGraphicStream( bool bUpdate ) const
+ if ( !xStream.is() )
+ {
+ RTL_LOGFILE_CONTEXT_TRACE( aLog, "getting stream from object" );
+- // update wanted or no stream in container storage available
+- xStream = GetGraphicReplacementStream(mpImpl->nViewAspect, mpImpl->mxObj, &mpImpl->aMediaType);
++ bool bUserAllowsLinkUpdate(true);
++ const comphelper::EmbeddedObjectContainer* pContainer = GetContainer();
+
+- if ( xStream.is() )
++ if(pContainer)
+ {
+- if ( mpImpl->pContainer )
+- mpImpl->pContainer->InsertGraphicStream( xStream, mpImpl->aPersistName, mpImpl->aMediaType );
++ bUserAllowsLinkUpdate = pContainer->getUserAllowsLinkUpdate();
++ }
+
+- SvStream* pResult = ::utl::UcbStreamHelper::CreateStream( xStream );
+- if ( pResult && bUpdate )
+- mpImpl->bNeedUpdate = false;
++ if(bUserAllowsLinkUpdate)
++ {
++ // update wanted or no stream in container storage available
++ xStream = GetGraphicReplacementStream(mpImpl->nViewAspect, mpImpl->mxObj, &mpImpl->aMediaType);
+
+- return pResult;
++ if(xStream.is())
++ {
++ if (mpImpl->pContainer)
++ mpImpl->pContainer->InsertGraphicStream(xStream,mpImpl->aPersistName,mpImpl->aMediaType);
++
++ SvStream* pResult = ::utl::UcbStreamHelper::CreateStream( xStream );
++ if (pResult && bUpdate)
++ mpImpl->bNeedUpdate = false;
++
++ return pResult;
++ }
+ }
+ }
+
+--
+1.9.3
+
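Review bot: The new gate fails open, because all three EmbeddedObjectContainer constructors set `pImpl->mbUserAllowsLinkUpdate = true;` and EmbeddedObjectRef::GetGraphicStream keeps `bUserAllowsLinkUpdate(true)` when GetContainer() returns null, so regeneration of a replacement graphic is refused only after the user has answered No in LinkManager::UpdateAllLinks. If any caller outside these hunks requests a preview before that dialog runs, or on a path where the dialog is skipped, the linked source would still be read; it is worth confirming that no such path exists, or starting the two storage-backed constructors with the flag false and setting it to true only on RET_YES. In the linkmgr2.cxx hunk `pLink->GetLinkManager()` is dereferenced without a check, although `pShell` is null-checked just below it. The header declarations carry no comment; something like `/// false once the user declined the link-update query; blocks regenerating previews from linked sources` on getUserAllowsLinkUpdate() would record the contract. All of the touched functions begin or end outside the quoted hunks.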
diff --git a/libreoffice.spec b/libreoffice.spec
index 23c1c72..14e0873 100644
--- a/libreoffice.spec
+++ b/libreoffice.spec
@@ -42,7 +42,7 @@ Summary: Free Software Productivity Suite
Name: libreoffice
Epoch: 1
Version: %{libo_version}.2
-Release: 7%{?libo_prerelease}%{?dist}
+Release: 8%{?libo_prerelease}%{?dist}
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0
Group: Applications/Productivity
URL: http://www.libreoffice.org/default/
@@ -285,6 +285,7 @@ Patch48: 0001-resolved-fdo-70455-B1-SOMENAME-is-not-a-valid-single.patch
Patch49: 0001-rhbz-1105376-move-FlatODF-filter-config-to-right-pla.patch
Patch50: 0001-Fix-fdo-71423-crash-while-editing-Impress-tables.patch
Patch51: 0001-Use-varying-aElement-name.patch
+Patch52: 0001-Resolves-i125386-secured-user-request-and-changed-so.patch
%define instdir %{_libdir}
%define baseinstdir %{instdir}/libreoffice
@@ -2162,6 +2163,9 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
%endif
%changelog
+* Tue Sep 09 2014 Caolán McNamara <caolanm at redhat.com> - 1:4.1.6.2-8
+- Resolves: rhbz#1139592 CVE-2014-3575 arbitrary file preview disclosure via ole2 objects
+
* Tue Jun 24 2014 Stephan Bergmann <sbergman at redhat.com> - 1:4.1.6.2-7
- Resolves: rhbz#1112450 CVE-2014-0247 VBA macros executed unconditionally