Package: libreoffice / 1:7.0.4-4+deb11u10

Metadata

Package Version Patches format
libreoffice 1:7.0.4-4+deb11u10 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0001 CVE 2022 26305 compare authors using Thumbprint.patch | (download)

xmlsecurity/source/component/documentdigitalsignatures.cxx | 23 19 + 4 - 0 !
1 file changed, 19 insertions(+), 4 deletions(-)

 
 [patch 1/4] cve-2022-26305 compare authors using thumbprint
0002 CVE 2022 26307 make hash encoding match decoding.patch | (download)

officecfg/registry/schema/org/openoffice/Office/Common.xcs | 6 6 + 0 - 0 !
svl/source/passwordcontainer/passwordcontainer.cxx | 45 42 + 3 - 0 !
svl/source/passwordcontainer/passwordcontainer.hxx | 6 6 + 0 - 0 !
uui/source/iahndl-authentication.cxx | 5 3 + 2 - 0 !
4 files changed, 57 insertions(+), 5 deletions(-)

 
 [patch 2/4] cve-2022-26307 make hash encoding match decoding

Seeing as old versions of the hash may be in the users config, add a
StorageVersion field to the office config Passwords section which
defaults to 0 to indicate the old hash is in use.

Try the old varient when StorageVersion is 0. When a new encoded master
password it set write StorageVersion of 1 to indicate a new hash is in
use and use the new style when StorageVersion is 1.
0003 CVE 2022 26306 add Initialization Vectors to passwor.patch | (download)

officecfg/registry/schema/org/openoffice/Office/Common.xcs | 10 10 + 0 - 0 !
svl/source/passwordcontainer/passwordcontainer.cxx | 127 88 + 39 - 0 !
svl/source/passwordcontainer/passwordcontainer.hxx | 63 53 + 10 - 0 !
3 files changed, 151 insertions(+), 49 deletions(-)

 
 [patch 3/4] cve-2022-26306 add initialization vectors to password
 storage

old ones default to the current all zero case and continue to work
as before
0004 CVE 2022 2630 6 7 add infobar to prompt to refresh t.patch | (download)

include/sfx2/strings.hrc | 2 2 + 0 - 0 !
include/sfx2/viewfrm.hxx | 1 1 + 0 - 0 !
sfx2/source/view/viewfrm.cxx | 40 40 + 0 - 0 !
3 files changed, 43 insertions(+)

 
 add infobar to prompt to refresh to replace old format

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976
Tested-by: Jenkins
fix e_book_client_connect_direct_sync sig.diff | (download)

connectivity/source/drivers/evoab2/EApi.h | 2 1 + 1 - 0 !
connectivity/source/drivers/evoab2/NResultSet.cxx | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 
---
ZDI CAN 17859.diff | (download)

desktop/source/app/cmdlineargs.cxx | 10 9 + 1 - 0 !
sfx2/source/appl/macroloader.cxx | 9 7 + 2 - 0 !
sfx2/source/doc/iframe.cxx | 20 15 + 5 - 0 !
sfx2/source/inc/macroloader.hxx | 2 2 + 0 - 0 !
sw/source/filter/html/htmlplug.cxx | 7 6 + 1 - 0 !
sw/source/filter/xml/xmltexti.cxx | 9 7 + 2 - 0 !
wizards/source/access2base/DoCmd.xba | 2 1 + 1 - 0 !
xmloff/source/draw/ximpshap.cxx | 4 4 + 0 - 0 !
8 files changed, 51 insertions(+), 12 deletions(-)

 
 these commands are always urls already

Conflicts:
	wizards/source/scriptforge/SF_Session.xba
hrk euro default.diff | (download)

i18npool/source/localedata/data/hr_HR.xml | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 
 [patch] resolves: tdf#150011 switch default currency hrk croatian
 Kuna to EUR Euro

HR will join Euro area on 2023-01-01.
avoid empty java.class.path.diff | (download)

jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 13 + 3 - 0 !
jvmfwk/source/framework.cxx | 8 6 + 2 - 0 !
jvmfwk/source/fwkbase.cxx | 3 3 + 0 - 0 !
3 files changed, 22 insertions(+), 5 deletions(-)

 
 avoid unnecessary empty -djava.class.path=
CVE 2023 2255.diff | (download)

embeddedobj/source/commonembedding/embedobj.cxx | 60 32 + 28 - 0 !
embeddedobj/source/commonembedding/specialobject.cxx | 9 9 + 0 - 0 !
embeddedobj/source/inc/commonembobj.hxx | 3 3 + 0 - 0 !
embeddedobj/source/inc/specialobject.hxx | 6 6 + 0 - 0 !
include/svx/svdoole2.hxx | 17 14 + 3 - 0 !
include/svx/unoshape.hxx | 2 2 + 0 - 0 !
sc/source/ui/docshell/documentlinkmgr.cxx | 9 8 + 1 - 0 !
sfx2/source/doc/iframe.cxx | 82 50 + 32 - 0 !
svx/source/svdraw/svdoole2.cxx | 104 86 + 18 - 0 !
svx/source/unodraw/shapeimpl.hxx | 5 5 + 0 - 0 !
svx/source/unodraw/unoshap4.cxx | 23 20 + 3 - 0 !
sw/inc/ndole.hxx | 4 2 + 2 - 0 !
sw/source/core/ole/ndole.cxx | 89 80 + 9 - 0 !
xmloff/source/draw/ximpshap.cxx | 29 27 + 2 - 0 !
xmloff/source/draw/ximpshap.hxx | 2 2 + 0 - 0 !
15 files changed, 346 insertions(+), 98 deletions(-)

 
 set referer on loading iframes

so tools, options, security, options,
"block any links from document not..."
applies to their contents.
sc stack parameter count.diff | (download)

formula/source/core/api/token.cxx | 13 5 + 8 - 0 !
sc/source/core/inc/interpre.hxx | 12 12 + 0 - 0 !
sc/source/core/tool/interpr1.cxx | 4 2 + 2 - 0 !
sc/source/core/tool/interpr3.cxx | 4 2 + 2 - 0 !
sc/source/core/tool/interpr4.cxx | 10 9 + 1 - 0 !
5 files changed, 30 insertions(+), 13 deletions(-)

 
 [patch] obtain actual 0-parameter count for or(), and() and
 1-parameter functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OR and AND for legacy infix notation are classified as binary
operators but in fact are functions with parameter count. In case
no argument is supplied, GetByte() returns 0 and for that case the
implicit binary operator 2 parameters were wrongly assumed.
Similar for functions expecting 1 parameter, without argument 1
was assumed. For "real" unary and binary operators the compiler
already checks parameters. Omit OR and AND and 1-parameter
functions from this implicit assumption and return the actual 0
count.
escape url passed to gstreamer.diff | (download)

avmedia/source/gstreamer/gstframegrabber.cxx | 14 9 + 5 - 0 !
1 file changed, 9 insertions(+), 5 deletions(-)

 
 escape url passed to gstreamer
improve macro checks.diff | (download)

include/sfx2/docmacromode.hxx | 7 5 + 2 - 0 !
include/svtools/sfxecode.hxx | 1 1 + 0 - 0 !
sfx2/source/doc/docmacromode.cxx | 23 19 + 4 - 0 !
sfx2/source/doc/objmisc.cxx | 5 3 + 2 - 0 !
svtools/inc/errtxt.hrc | 1 1 + 0 - 0 !
5 files changed, 29 insertions(+), 8 deletions(-)

 
---
floating frame targets unneeded protocols.diff | (download)

include/tools/urlobj.hxx | 5 5 + 0 - 0 !
sfx2/source/doc/iframe.cxx | 6 5 + 1 - 0 !
tools/source/fsys/urlobj.cxx | 8 8 + 0 - 0 !
3 files changed, 18 insertions(+), 1 deletion(-)

 
 add some protocols that don't make sense as floating frame targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
warn about exotic protocols as well.diff | (download)

sw/source/filter/html/htmlplug.cxx | 2 1 + 1 - 0 !
sw/source/filter/xml/xmltexti.cxx | 2 1 + 1 - 0 !
tools/source/fsys/urlobj.cxx | 3 2 + 1 - 0 !
xmloff/source/draw/ximpshap.cxx | 2 1 + 1 - 0 !
4 files changed, 5 insertions(+), 4 deletions(-)

 
 warn about exotic protocols as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ignore LO special purpose hyperlinks per default.diff | (download)

dbaccess/source/core/dataaccess/ModelImpl.cxx | 3 2 + 1 - 0 !
include/sfx2/docmacromode.hxx | 4 3 + 1 - 0 !
include/sfx2/objsh.hxx | 3 3 + 0 - 0 !
include/sfx2/strings.hrc | 1 1 + 0 - 0 !
sc/source/core/data/global.cxx | 35 34 + 1 - 0 !
sfx2/source/doc/docmacromode.cxx | 8 6 + 2 - 0 !
sfx2/source/doc/objmisc.cxx | 8 7 + 1 - 0 !
sfx2/source/doc/objxtor.cxx | 1 1 + 0 - 0 !
sfx2/source/inc/objshimp.hxx | 3 2 + 1 - 0 !
9 files changed, 59 insertions(+), 7 deletions(-)

 
 default to ignoring libreoffice special-purpose protocols in calc
 hyperlink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
reuse AllowedLinkProtocolFromDocument 1.diff | (download)

include/sfx2/objsh.hxx | 7 5 + 2 - 0 !
sc/source/core/data/global.cxx | 32 2 + 30 - 0 !
sfx2/source/doc/objmisc.cxx | 27 27 + 0 - 0 !
sw/source/uibase/shells/drwtxtex.cxx | 8 2 + 6 - 0 !
sw/source/uibase/wrtsh/wrtsh2.cxx | 38 24 + 14 - 0 !
5 files changed, 60 insertions(+), 52 deletions(-)

 
 reuse allowedlinkprotocolfromdocument in writer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

reorg calc hyperlink check to reuse elsewhere
reuse AllowedLinkProtocolFromDocument 2.diff | (download)

sd/source/ui/app/sdmod1.cxx | 29 18 + 11 - 0 !
1 file changed, 18 insertions(+), 11 deletions(-)

 
 reuse allowedlinkprotocolfromdocument in impress/draw
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
work around expired certificiate in test.diff | (download)

desktop/qa/desktop_lib/test_desktop_lib.cxx | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 
---
add notify for script use.diff | (download)

xmloff/source/draw/eventimp.cxx | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 
 add notify for script use
remove ability to trust not validated macro signatures in high security.diff | (download)

sfx2/source/doc/docmacromode.cxx | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 
 [patch] remove ability to trust not validated macro signatures in
 high security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Giving the user the option to determine if they should trust an
invalid signature in HIGH macro security doesn't make sense.
CommonName of the signature is the most prominent feature presented
and the CommonName of a certificate can be easily forged for an
invalid signature, tricking the user into accepting an invalid
signature.

in the HIGH macro security setting only show the pop-up to
enable/disable signed macro if the certificate signature can be
validated.

cherry-picked without UI/String altering bits for 24-2