From 163680f15bf12ec554d8326d691ad15cf62bfb57 Mon Sep 17 00:00:00 2001 From: Renbo Date: Sat, 22 Jul 2023 17:25:41 +0800 Subject: [PATCH 1/4] update to libreoffice-7.1.8.1-8.el9_1 Signed-off-by: Renbo --- ...305-compare-authors-using-Thumbprint.patch | 63 ++ 0001-neon-fit-with-older-gnutls.patch | 70 --- ...07-make-hash-encoding-match-decoding.patch | 183 ++++++ ...dd-Initialization-Vectors-to-passwor.patch | 583 ++++++++++++++++++ ...7-add-infobar-to-prompt-to-refresh-t.patch | 113 ++++ dist | 2 +- download | 2 - libreoffice.spec | 63 +- 8 files changed, 969 insertions(+), 110 deletions(-) create mode 100644 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch delete mode 100644 0001-neon-fit-with-older-gnutls.patch create mode 100644 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch create mode 100644 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch create mode 100644 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch diff --git a/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch b/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch new file mode 100644 index 0000000..5656d0d --- /dev/null +++ b/0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch @@ -0,0 +1,63 @@ +From 77f30ada1156ca1e1357776fea8e9dc113f6898d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 3 Mar 2022 14:22:37 +0000 +Subject: [PATCH 1/5] CVE-2022-26305 compare authors using Thumbprint + +Change-Id: I338f58eb07cbf0a3d13a7dafdaddac09252a8546 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130929 +Tested-by: Jenkins +Reviewed-by: Miklos Vajna +(cherry picked from commit 65442205b5b274ad309308162f150f8d41648f72) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130866 +Reviewed-by: Michael Stahl +(cherry picked from commit a7aaa78acea4c1d51283c2fce54ff9f5339026f8) +--- + .../component/documentdigitalsignatures.cxx | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx +index b9066ea92cac..5a21c8421bec 100644 +--- a/xmlsecurity/source/component/documentdigitalsignatures.cxx ++++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx +@@ -19,9 +19,10 @@ + + #include + +-#include ++#include + #include + #include ++#include + #include + #include + #include +@@ -666,9 +667,23 @@ sal_Bool DocumentDigitalSignatures::isAuthorTrusted( + Sequence< SvtSecurityOptions::Certificate > aTrustedAuthors = SvtSecurityOptions().GetTrustedAuthors(); + + return std::any_of(aTrustedAuthors.begin(), aTrustedAuthors.end(), +- [&xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { +- return xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName()) +- && ( rAuthor[1] == sSerialNum ); ++ [this, &xAuthor, &sSerialNum](const SvtSecurityOptions::Certificate& rAuthor) { ++ if (!xmlsecurity::EqualDistinguishedNames(rAuthor[0], xAuthor->getIssuerName())) ++ return false; ++ if (rAuthor[1] != sSerialNum) ++ return false; ++ ++ DocumentSignatureManager aSignatureManager(mxCtx, {}); ++ if (!aSignatureManager.init()) ++ return false; ++ uno::Reference xCert = aSignatureManager.getSecurityEnvironment()->createCertificateFromAscii(rAuthor[2]); ++ ++ auto pAuthor = dynamic_cast(xAuthor.get()); ++ auto pCert = dynamic_cast(xCert.get()); ++ if (pAuthor && pCert) ++ return pCert->getSHA256Thumbprint() == pAuthor->getSHA256Thumbprint(); ++ ++ return xCert->getSHA1Thumbprint() == xAuthor->getSHA1Thumbprint(); + }); + } + +-- +2.37.3 + diff --git a/0001-neon-fit-with-older-gnutls.patch b/0001-neon-fit-with-older-gnutls.patch deleted file mode 100644 index 56d6e58..0000000 --- a/0001-neon-fit-with-older-gnutls.patch +++ /dev/null @@ -1,70 +0,0 @@ -From d6fb4e010e18309373f4ba581f9fd74fd8212762 Mon Sep 17 00:00:00 2001 -From: Liwei Ge -Date: Mon, 18 Jul 2022 20:34:06 +0800 -Subject: [PATCH] neon: fit with older gnutls - ---- - external/neon/configs/config.h | 2 ++ - external/neon/neon_fit_with_older_gnutls.patch | 15 +++++++++++++++ - 2 files changed, 17 insertions(+) - create mode 100644 external/neon/neon_fit_with_older_gnutls.patch - -diff --git a/external/neon/configs/config.h b/external/neon/configs/config.h -index af8408ad9..662afc516 100644 ---- a/external/neon/configs/config.h -+++ b/external/neon/configs/config.h -@@ -83,6 +83,8 @@ - /* Define if GnuTLS support is enabled */ - #define HAVE_GNUTLS - -+#define HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 -+ - /* Define to 1 if you have the `gnutls_certificate_get_x509_cas' function. */ - /* #undef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS */ - -diff --git a/external/neon/neon_fit_with_older_gnutls.patch b/external/neon/neon_fit_with_older_gnutls.patch -new file mode 100644 -index 000000000..4eda62a5b ---- /dev/null -+++ b/external/neon/neon_fit_with_older_gnutls.patch -@@ -0,0 +1,26 @@ -+diff -Nur src/ne_gnutls.h src/ne_gnutls.h -+--- src/ne_gnutls.c 2020-06-20 15:09:24.000000000 +0800 -++++ src/ne_gnutls.c 2022-07-18 11:22:00.000000000 +0800 -+@@ -32,6 +32,7 @@ -+ #include -+ -+ #include -++#include -+ #include -+ -+ #ifdef NE_HAVE_TS_SSL -+diff -Nur src/ne_privssl.h src/ne_privssl.h -+--- src/ne_privssl.h 2020-06-20 15:09:24.000000000 +0800 -++++ src/ne_privssl.h 2022-07-18 11:22:00.000000000 +0800 -+@@ -86,9 +86,11 @@ -+ -+ typedef gnutls_session_t ne_ssl_socket; -+ -++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT -+ NE_PRIVATE ne_ssl_client_cert * -+ ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len, -+ gnutls_privkey_sign_func sign_func, void *userdata); -++#endif -+ -+ #endif /* HAVE_GNUTLS */ -+ -diff --git a/external/neon/UnpackedTarball_neon.mk b/external/neon/UnpackedTarball_neon.mk -index 73cdd81f2..bb15e3f48 100644 ---- a/external/neon/UnpackedTarball_neon.mk -+++ b/external/neon/UnpackedTarball_neon.mk -@@ -21,6 +21,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,neon,\ - external/neon/neon.patch \ - external/neon/neon_with_gnutls.patch \ - external/neon/neon_fix_lock_token_on_if.patch \ -+ external/neon/neon_fit_with_older_gnutls.patch \ - $(if $(filter WNT,$(OS)),external/neon/neon_fix_no_OPENSSL_Applink.patch) \ - )) - --- -2.27.0 diff --git a/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch b/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch new file mode 100644 index 0000000..e2c5eb8 --- /dev/null +++ b/0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch @@ -0,0 +1,183 @@ +From 780c42cdd8006dc60e281be2fe6566f101e909bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 21 Mar 2022 20:58:34 +0000 +Subject: [PATCH 2/5] CVE-2022-26307 make hash encoding match decoding + +Seeing as old versions of the hash may be in the users config, add a +StorageVersion field to the office config Passwords section which +defaults to 0 to indicate the old hash is in use. + +Try the old varient when StorageVersion is 0. When a new encoded master +password it set write StorageVersion of 1 to indicate a new hash is in +use and use the new style when StorageVersion is 1. + +Change-Id: I3174c37a5891bfc849984e0ec5c2c392b9c6e7b1 +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132080 +Tested-by: Jenkins +Reviewed-by: Stephan Bergmann +(cherry picked from commit e890f54dbac57f3ab5acf4fbd31222095d3e8ab6) +--- + .../schema/org/openoffice/Office/Common.xcs | 6 +++ + .../passwordcontainer/passwordcontainer.cxx | 45 +++++++++++++++++-- + .../passwordcontainer/passwordcontainer.hxx | 6 +++ + uui/source/iahndl-authentication.cxx | 5 ++- + 4 files changed, 57 insertions(+), 5 deletions(-) + +diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +index 9097c23c3c6a..922efc33cca7 100644 +--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs ++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +@@ -942,6 +942,12 @@ + + false + ++ ++ ++ Specifies what version of encoding scheme the password container uses. ++ ++ 0 ++ + + + Specifies if there is a valid master password. +diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx +index 51fb129cddb1..b674844f91d3 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.cxx ++++ b/svl/source/passwordcontainer/passwordcontainer.cxx +@@ -17,7 +17,6 @@ + * the License at http://www.apache.org/licenses/LICENSE-2.0 . + */ + +- + #include "passwordcontainer.hxx" + + #include +@@ -259,6 +258,23 @@ bool StorageItem::useStorage() + return aResult; + } + ++sal_Int32 StorageItem::getStorageVersion() ++{ ++ Sequence aNodeNames { "StorageVersion" }; ++ ++ Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames ); ++ ++ if( aPropertyValues.getLength() != aNodeNames.getLength() ) ++ { ++ OSL_FAIL( "Problems during reading" ); ++ return 0; ++ } ++ ++ sal_Int32 nResult = 0; ++ aPropertyValues[0] >>= nResult; ++ ++ return nResult; ++} + + bool StorageItem::getEncodedMP( OUString& aResult ) + { +@@ -291,15 +307,17 @@ bool StorageItem::getEncodedMP( OUString& aResult ) + + void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty ) + { +- Sequence< OUString > sendNames(2); +- Sequence< uno::Any > sendVals(2); ++ Sequence< OUString > sendNames(3); ++ Sequence< uno::Any > sendVals(3); + + sendNames[0] = "HasMaster"; + sendNames[1] = "Master"; ++ sendNames[2] = "StorageVersion"; + + bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty ); + sendVals[0] <<= bHasMaster; + sendVals[1] <<= aEncoded; ++ sendVals[2] <<= nCurrentStorageVersion; + + ConfigItem::SetModified(); + ConfigItem::PutProperties( sendNames, sendVals ); +@@ -800,6 +818,18 @@ OUString PasswordContainer::RequestPasswordFromUser( PasswordRequestMode aRMode, + return aResult; + } + ++// Mangle the key to match an old bug ++static OUString ReencodeAsOldHash(const OUString& rPass) ++{ ++ OUStringBuffer aBuffer; ++ for (int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ++ind) ++ { ++ unsigned char i = static_cast(rPass.copy(ind * 2, 2).toUInt32(16)); ++ aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4))); ++ aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15))); ++ } ++ return aBuffer.makeStringAndClear(); ++} + + OUString const & PasswordContainer::GetMasterPassword( const Reference< XInteractionHandler >& aHandler ) + { +@@ -838,6 +868,9 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + } + else + { ++ if (m_pStorageFile->getStorageVersion() == 0) ++ aPass = ReencodeAsOldHash(aPass); ++ + std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) ); + if( aRM.empty() || aPass != aRM[0] ) + { +@@ -1042,6 +1075,12 @@ sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::R + + do { + aPass = RequestPasswordFromUser( aRMode, xTmpHandler ); ++ ++ if (!aPass.isEmpty() && m_pStorageFile->getStorageVersion() == 0) ++ { ++ aPass = ReencodeAsOldHash(aPass); ++ } ++ + bResult = ( !aPass.isEmpty() && aPass == m_aMasterPasswd ); + aRMode = PasswordRequestMode_PASSWORD_REENTER; // further questions with error notification + } while( !bResult && !aPass.isEmpty() ); +diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx +index 46ffec888602..bf43b5903602 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.hxx ++++ b/svl/source/passwordcontainer/passwordcontainer.hxx +@@ -168,6 +168,10 @@ public: + typedef ::std::pair< const OUString, ::std::vector< NamePassRecord > > PairUrlRecord; + typedef ::std::map< OUString, ::std::vector< NamePassRecord > > PassMap; + ++// org.openoffice.Office.Common/Passwords/StorageVersion bump if details of ++// how password details are saved changes. Enables migration from previous ++// schemes. ++constexpr sal_Int32 nCurrentStorageVersion = 1; + + class PasswordContainer; + +@@ -196,6 +200,8 @@ public: + void remove( const OUString& url, const OUString& rec ); + void clear(); + ++ sal_Int32 getStorageVersion(); ++ + bool getEncodedMP( OUString& aResult ); + void setEncodedMP( const OUString& aResult, bool bAcceptEmpty = false ); + void setUseStorage( bool bUse ); +diff --git a/uui/source/iahndl-authentication.cxx b/uui/source/iahndl-authentication.cxx +index ad975d3f9ae7..951f0b8a1c6b 100644 +--- a/uui/source/iahndl-authentication.cxx ++++ b/uui/source/iahndl-authentication.cxx +@@ -436,8 +436,9 @@ executeMasterPasswordDialog( + OUStringBuffer aBuffer; + for (sal_uInt8 i : aKey) + { +- aBuffer.append(static_cast< sal_Unicode >('a' + (i >> 4))); +- aBuffer.append(static_cast< sal_Unicode >('a' + (i & 15))); ++ // match PasswordContainer::DecodePasswords aMasterPasswd.copy(index * 2, 2).toUInt32(16)); ++ aBuffer.append(OUString::number(i >> 4, 16)); ++ aBuffer.append(OUString::number(i & 15, 16)); + } + rInfo.SetPassword(aBuffer.makeStringAndClear()); + } +-- +2.37.3 + diff --git a/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch b/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch new file mode 100644 index 0000000..be0c6e5 --- /dev/null +++ b/0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch @@ -0,0 +1,583 @@ +From e809625c2ca9f0c026aab9b5c2d13ced628c13e9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Tue, 22 Mar 2022 17:22:22 +0000 +Subject: [PATCH 3/5] CVE-2022-26306 add Initialization Vectors to password + storage + +old ones default to the current all zero case and continue to work +as before + +Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306 +Reviewed-by: Thorsten Behrens +(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad) +--- + .../schema/org/openoffice/Office/Common.xcs | 10 ++ + .../passwordcontainer/passwordcontainer.cxx | 127 ++++++++++++------ + .../passwordcontainer/passwordcontainer.hxx | 63 +++++++-- + 3 files changed, 151 insertions(+), 49 deletions(-) + +diff --git a/officecfg/registry/schema/org/openoffice/Office/Common.xcs b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +index 922efc33cca7..8d87d00d5369 100644 +--- a/officecfg/registry/schema/org/openoffice/Office/Common.xcs ++++ b/officecfg/registry/schema/org/openoffice/Office/Common.xcs +@@ -27,6 +27,11 @@ + + Contains a container for passwords. + ++ ++ ++ Contains an initialization vector for the password encryption. ++ ++ + + + Contains a password encoded with the master password. +@@ -954,6 +959,11 @@ + + false + ++ ++ ++ Contains an initialization vector for the master password encryption. ++ ++ + + + Contains the master password encrypted by itself. +diff --git a/svl/source/passwordcontainer/passwordcontainer.cxx b/svl/source/passwordcontainer/passwordcontainer.cxx +index b674844f91d3..ef79470a2cb6 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.cxx ++++ b/svl/source/passwordcontainer/passwordcontainer.cxx +@@ -181,15 +181,18 @@ PassMap StorageItem::getInfo() + + Sequence< OUString > aNodeNames = ConfigItem::GetNodeNames( "Store" ); + sal_Int32 aNodeCount = aNodeNames.getLength(); +- Sequence< OUString > aPropNames( aNodeCount ); ++ Sequence< OUString > aPropNames( aNodeCount * 2); + + std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.begin(), + [](const OUString& rName) -> OUString { + return "Store/Passwordstorage['" + rName + "']/Password"; }); ++ std::transform(aNodeNames.begin(), aNodeNames.end(), aPropNames.getArray() + aNodeCount, ++ [](const OUString& rName) -> OUString { ++ return "Store/Passwordstorage['" + rName + "']/InitializationVector"; }); + + Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aPropNames ); + +- if( aPropertyValues.getLength() != aNodeCount ) ++ if( aPropertyValues.getLength() != aNodeCount * 2) + { + OSL_FAIL( "Problems during reading" ); + return aResult; +@@ -205,14 +208,16 @@ PassMap StorageItem::getInfo() + OUString aName = aUrlUsr[1]; + + OUString aEPasswd; ++ OUString aIV; + aPropertyValues[aNodeInd] >>= aEPasswd; ++ aPropertyValues[aNodeInd + aNodeCount] >>= aIV; + + PassMap::iterator aIter = aResult.find( aUrl ); + if( aIter != aResult.end() ) +- aIter->second.emplace_back( aName, aEPasswd ); ++ aIter->second.emplace_back( aName, aEPasswd, aIV ); + else + { +- NamePassRecord aNewRecord( aName, aEPasswd ); ++ NamePassRecord aNewRecord( aName, aEPasswd, aIV ); + std::vector< NamePassRecord > listToAdd( 1, aNewRecord ); + + aResult.insert( PairUrlRecord( aUrl, listToAdd ) ); +@@ -276,17 +281,19 @@ sal_Int32 StorageItem::getStorageVersion() + return nResult; + } + +-bool StorageItem::getEncodedMP( OUString& aResult ) ++bool StorageItem::getEncodedMP( OUString& aResult, OUString& aResultIV ) + { + if( hasEncoded ) + { + aResult = mEncoded; ++ aResultIV = mEncodedIV; + return true; + } + +- Sequence< OUString > aNodeNames( 2 ); ++ Sequence< OUString > aNodeNames( 3 ); + aNodeNames[0] = "HasMaster"; + aNodeNames[1] = "Master"; ++ aNodeNames[2] = "MasterInitializationVector"; + + Sequence< Any > aPropertyValues = ConfigItem::GetProperties( aNodeNames ); + +@@ -298,32 +305,37 @@ bool StorageItem::getEncodedMP( OUString& aResult ) + + aPropertyValues[0] >>= hasEncoded; + aPropertyValues[1] >>= mEncoded; ++ aPropertyValues[2] >>= mEncodedIV; + + aResult = mEncoded; ++ aResultIV = mEncodedIV; + + return hasEncoded; + } + + +-void StorageItem::setEncodedMP( const OUString& aEncoded, bool bAcceptEmpty ) ++void StorageItem::setEncodedMP( const OUString& aEncoded, const OUString& aEncodedIV, bool bAcceptEmpty ) + { +- Sequence< OUString > sendNames(3); +- Sequence< uno::Any > sendVals(3); ++ Sequence< OUString > sendNames(4); ++ Sequence< uno::Any > sendVals(4); + + sendNames[0] = "HasMaster"; + sendNames[1] = "Master"; +- sendNames[2] = "StorageVersion"; ++ sendNames[2] = "MasterInitializationVector"; ++ sendNames[3] = "StorageVersion"; + + bool bHasMaster = ( !aEncoded.isEmpty() || bAcceptEmpty ); + sendVals[0] <<= bHasMaster; + sendVals[1] <<= aEncoded; +- sendVals[2] <<= nCurrentStorageVersion; ++ sendVals[2] <<= aEncodedIV; ++ sendVals[3] <<= nCurrentStorageVersion; + + ConfigItem::SetModified(); + ConfigItem::PutProperties( sendNames, sendVals ); + + hasEncoded = bHasMaster; + mEncoded = aEncoded; ++ mEncodedIV = aEncodedIV; + } + + +@@ -359,11 +371,13 @@ void StorageItem::update( const OUString& aURL, const NamePassRecord& aRecord ) + forIndex.push_back( aURL ); + forIndex.push_back( aRecord.GetUserName() ); + +- Sequence< beans::PropertyValue > sendSeq(1); ++ Sequence< beans::PropertyValue > sendSeq(2); + +- sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password"; ++ sendSeq[0].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/InitializationVector"; ++ sendSeq[0].Value <<= aRecord.GetPersistentIV(); + +- sendSeq[0].Value <<= aRecord.GetPersPasswords(); ++ sendSeq[1].Name = "Store/Passwordstorage['" + createIndex( forIndex ) + "']/Password"; ++ sendSeq[1].Value <<= aRecord.GetPersPasswords(); + + ConfigItem::SetModified(); + ConfigItem::SetSetProperties( "Store", sendSeq ); +@@ -424,7 +438,7 @@ void SAL_CALL PasswordContainer::disposing( const EventObject& ) + } + } + +-std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode ) ++std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPasswd, css::task::PasswordRequestMode mode ) + { + if( !aMasterPasswd.isEmpty() ) + { +@@ -439,9 +453,16 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin + for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) + code[ ind ] = static_cast(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16)); + ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0}; ++ if (!aIV.isEmpty()) ++ { ++ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) ++ iv[ ind ] = static_cast(aIV.copy( ind*2, 2 ).toUInt32(16)); ++ } ++ + rtlCipherError result = rtl_cipher_init ( + aDecoder, rtl_Cipher_DirectionDecode, +- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 ); ++ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 ); + + if( result == rtl_Cipher_E_None ) + { +@@ -474,7 +495,7 @@ std::vector< OUString > PasswordContainer::DecodePasswords( const OUString& aLin + "Can't decode!", css::uno::Reference(), mode); + } + +-OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPasswd ) ++OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPasswd) + { + if( !aMasterPasswd.isEmpty() ) + { +@@ -491,9 +512,16 @@ OUString PasswordContainer::EncodePasswords(const std::vector< OUString >& lines + for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) + code[ ind ] = static_cast(aMasterPasswd.copy( ind*2, 2 ).toUInt32(16)); + ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5] = {0}; ++ if (!aIV.isEmpty()) ++ { ++ for( int ind = 0; ind < RTL_DIGEST_LENGTH_MD5; ind++ ) ++ iv[ ind ] = static_cast(aIV.copy( ind*2, 2 ).toUInt32(16)); ++ } ++ + rtlCipherError result = rtl_cipher_init ( + aEncoder, rtl_Cipher_DirectionEncode, +- code, RTL_DIGEST_LENGTH_MD5, nullptr, 0 ); ++ code, RTL_DIGEST_LENGTH_MD5, iv, RTL_DIGEST_LENGTH_MD5 ); + + if( result == rtl_Cipher_E_None ) + { +@@ -561,7 +589,7 @@ void PasswordContainer::UpdateVector( const OUString& aURL, std::vector< NamePas + + if( aRecord.HasPasswords( PERSISTENT_RECORD ) ) + { +- aNPIter.SetPersPasswords( aRecord.GetPersPasswords() ); ++ aNPIter.SetPersPasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV() ); + + if( writeFile ) + { +@@ -594,7 +622,8 @@ UserRecord PasswordContainer::CopyToUserRecord( const NamePassRecord& aRecord, b + { + try + { +- ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ); ++ ::std::vector< OUString > aDecodedPasswords = DecodePasswords( aRecord.GetPersPasswords(), aRecord.GetPersistentIV(), ++ GetMasterPassword( aHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ); + aPasswords.insert( aPasswords.end(), aDecodedPasswords.begin(), aDecodedPasswords.end() ); + } + catch( NoMasterException& ) +@@ -639,6 +668,19 @@ void SAL_CALL PasswordContainer::addPersistent( const OUString& Url, const OUStr + PrivateAdd( Url, UserName, Passwords, PERSISTENT_RECORD, aHandler ); + } + ++OUString PasswordContainer::createIV() ++{ ++ rtlRandomPool randomPool = mRandomPool.get(); ++ unsigned char iv[RTL_DIGEST_LENGTH_MD5]; ++ rtl_random_getBytes(randomPool, iv, RTL_DIGEST_LENGTH_MD5); ++ OUStringBuffer aBuffer; ++ for (sal_uInt8 i : iv) ++ { ++ aBuffer.append(OUString::number(i >> 4, 16)); ++ aBuffer.append(OUString::number(i & 15, 16)); ++ } ++ return aBuffer.makeStringAndClear(); ++} + + void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserName, const Sequence< OUString >& Passwords, char Mode, const Reference< XInteractionHandler >& aHandler ) + { +@@ -646,7 +688,11 @@ void PasswordContainer::PrivateAdd( const OUString& Url, const OUString& UserNam + ::std::vector< OUString > aStorePass = comphelper::sequenceToContainer< std::vector >( Passwords ); + + if( Mode == PERSISTENT_RECORD ) +- aRecord.SetPersPasswords( EncodePasswords( aStorePass, GetMasterPassword( aHandler ) ) ); ++ { ++ OUString sIV = createIV(); ++ OUString sEncodedPasswords = EncodePasswords( aStorePass, sIV, GetMasterPassword( aHandler ) ); ++ aRecord.SetPersPasswords( sEncodedPasswords, sIV ); ++ } + else if( Mode == MEMORY_RECORD ) + aRecord.SetMemPasswords( aStorePass ); + else +@@ -839,10 +885,10 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + + if( m_aMasterPasswd.isEmpty() && aHandler.is() ) + { +- OUString aEncodedMP; ++ OUString aEncodedMP, aEncodedMPIV; + bool bDefaultPassword = false; + +- if( !m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ if( !m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + aRMode = PasswordRequestMode_PASSWORD_CREATE; + else if ( aEncodedMP.isEmpty() ) + { +@@ -864,14 +910,15 @@ OUString const & PasswordContainer::GetMasterPassword( const Reference< XInterac + m_aMasterPasswd = aPass; + std::vector< OUString > aMaster( 1, m_aMasterPasswd ); + +- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) ); ++ OUString sIV = createIV(); ++ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, sIV, m_aMasterPasswd ), sIV ); + } + else + { + if (m_pStorageFile->getStorageVersion() == 0) + aPass = ReencodeAsOldHash(aPass); + +- std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aPass, aRMode ) ); ++ std::vector< OUString > aRM( DecodePasswords( aEncodedMP, aEncodedMPIV, aPass, aRMode ) ); + if( aRM.empty() || aPass != aRM[0] ) + { + bAskAgain = true; +@@ -1028,7 +1075,8 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere + { + sal_Int32 oldLen = aUsers.getLength(); + aUsers.realloc( oldLen + 1 ); +- aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) ); ++ aUsers[ oldLen ] = UserRecord( aNP.GetUserName(), comphelper::containerToSequence( DecodePasswords( aNP.GetPersPasswords(), aNP.GetPersistentIV(), ++ GetMasterPassword( xHandler ), css::task::PasswordRequestMode_PASSWORD_ENTER ) ) ); + } + + if( aUsers.hasElements() ) +@@ -1045,12 +1093,12 @@ Sequence< UrlRecord > SAL_CALL PasswordContainer::getAllPersistent( const Refere + sal_Bool SAL_CALL PasswordContainer::authorizateWithMasterPassword( const uno::Reference< task::XInteractionHandler >& xHandler ) + { + bool bResult = false; +- OUString aEncodedMP; ++ OUString aEncodedMP, aEncodedMPIV; + uno::Reference< task::XInteractionHandler > xTmpHandler = xHandler; + ::osl::MutexGuard aGuard( mMutex ); + + // the method should fail if there is no master password +- if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ if( m_pStorageFile && m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + { + if ( aEncodedMP.isEmpty() ) + { +@@ -1118,8 +1166,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference< + + bool bCanChangePassword = true; + // if there is already a stored master password it should be entered by the user before the change happen +- OUString aEncodedMP; +- if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP ) ) ++ OUString aEncodedMP, aEncodedMPIV; ++ if( !m_aMasterPasswd.isEmpty() || m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ) + bCanChangePassword = authorizateWithMasterPassword( xTmpHandler ); + + if ( bCanChangePassword ) +@@ -1138,7 +1186,8 @@ sal_Bool SAL_CALL PasswordContainer::changeMasterPassword( const uno::Reference< + // store the new master password + m_aMasterPasswd = aPass; + std::vector< OUString > aMaster( 1, m_aMasterPasswd ); +- m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, m_aMasterPasswd ) ); ++ OUString aIV = createIV(); ++ m_pStorageFile->setEncodedMP( EncodePasswords( aMaster, aIV, m_aMasterPasswd ), aIV ); + + // store all the entries with the new password + for ( const auto& rURL : aPersistent ) +@@ -1163,7 +1212,7 @@ void SAL_CALL PasswordContainer::removeMasterPassword() + if ( m_pStorageFile ) + { + m_aMasterPasswd.clear(); +- m_pStorageFile->setEncodedMP( OUString() ); // let the master password be removed from configuration ++ m_pStorageFile->setEncodedMP( OUString(), OUString() ); // let the master password be removed from configuration + } + } + +@@ -1174,8 +1223,8 @@ sal_Bool SAL_CALL PasswordContainer::hasMasterPassword( ) + if ( !m_pStorageFile ) + throw uno::RuntimeException(); + +- OUString aEncodedMP; +- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) ); ++ OUString aEncodedMP, aEncodedMPIV; ++ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) ); + } + + sal_Bool SAL_CALL PasswordContainer::allowPersistentStoring( sal_Bool bAllow ) +@@ -1222,8 +1271,8 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere + + bool bCanChangePassword = true; + // if there is already a stored nondefault master password it should be entered by the user before the change happen +- OUString aEncodedMP; +- if( m_pStorageFile->getEncodedMP( aEncodedMP ) && !aEncodedMP.isEmpty() ) ++ OUString aEncodedMP, aEncodedMPIV; ++ if( m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && !aEncodedMP.isEmpty() ) + bCanChangePassword = authorizateWithMasterPassword( xTmpHandler ); + + if ( bCanChangePassword ) +@@ -1240,7 +1289,7 @@ sal_Bool SAL_CALL PasswordContainer::useDefaultMasterPassword( const uno::Refere + + // store the empty string to flag the default master password + m_aMasterPasswd = aPass; +- m_pStorageFile->setEncodedMP( OUString(), true ); ++ m_pStorageFile->setEncodedMP( OUString(), OUString(), true ); + + // store all the entries with the new password + for ( const auto& rURL : aPersistent ) +@@ -1264,8 +1313,8 @@ sal_Bool SAL_CALL PasswordContainer::isDefaultMasterPasswordUsed() + if ( !m_pStorageFile ) + throw uno::RuntimeException(); + +- OUString aEncodedMP; +- return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP ) && aEncodedMP.isEmpty() ); ++ OUString aEncodedMP, aEncodedMPIV; ++ return ( m_pStorageFile->useStorage() && m_pStorageFile->getEncodedMP( aEncodedMP, aEncodedMPIV ) && aEncodedMP.isEmpty() ); + } + + +diff --git a/svl/source/passwordcontainer/passwordcontainer.hxx b/svl/source/passwordcontainer/passwordcontainer.hxx +index bf43b5903602..0454437b9dc2 100644 +--- a/svl/source/passwordcontainer/passwordcontainer.hxx ++++ b/svl/source/passwordcontainer/passwordcontainer.hxx +@@ -34,6 +34,7 @@ + #include + #include + ++#include + #include + #include + +@@ -52,11 +53,12 @@ class NamePassRecord + ::std::vector< OUString > m_aMemPass; + + // persistent passwords are encrypted in one string +- bool m_bHasPersPass; ++ bool m_bHasPersPass; + OUString m_aPersPass; ++ OUString m_aPersistentIV; + + void InitArrays( bool bHasMemoryList, const ::std::vector< OUString >& aMemoryList, +- bool bHasPersistentList, const OUString& aPersistentList ) ++ bool bHasPersistentList, const OUString& aPersistentList, const OUString& aPersistentIV ) + { + m_bHasMemPass = bHasMemoryList; + if ( bHasMemoryList ) +@@ -64,7 +66,10 @@ class NamePassRecord + + m_bHasPersPass = bHasPersistentList; + if ( bHasPersistentList ) ++ { + m_aPersPass = aPersistentList; ++ m_aPersistentIV = aPersistentIV; ++ } + } + + public: +@@ -76,11 +81,12 @@ public: + { + } + +- NamePassRecord( const OUString& aName, const OUString& aPersistentList ) ++ NamePassRecord( const OUString& aName, const OUString& aPersistentList, const OUString& aPersistentIV ) + : m_aName( aName ) + , m_bHasMemPass( false ) + , m_bHasPersPass( true ) + , m_aPersPass( aPersistentList ) ++ , m_aPersistentIV( aPersistentIV ) + { + } + +@@ -89,7 +95,8 @@ public: + , m_bHasMemPass( false ) + , m_bHasPersPass( false ) + { +- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass ); ++ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, ++ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV ); + } + + NamePassRecord& operator=( const NamePassRecord& aRecord ) +@@ -100,7 +107,9 @@ public: + + m_aMemPass.clear(); + m_aPersPass.clear(); +- InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, aRecord.m_bHasPersPass, aRecord.m_aPersPass ); ++ m_aPersistentIV.clear(); ++ InitArrays( aRecord.m_bHasMemPass, aRecord.m_aMemPass, ++ aRecord.m_bHasPersPass, aRecord.m_aPersPass, aRecord.m_aPersistentIV ); + } + return *this; + } +@@ -136,15 +145,24 @@ public: + return OUString(); + } + ++ OUString GetPersistentIV() const ++ { ++ if ( m_bHasPersPass ) ++ return m_aPersistentIV; ++ ++ return OUString(); ++ } ++ + void SetMemPasswords( const ::std::vector< OUString >& aMemList ) + { + m_aMemPass = aMemList; + m_bHasMemPass = true; + } + +- void SetPersPasswords( const OUString& aPersList ) ++ void SetPersPasswords( const OUString& aPersList, const OUString& aPersIV ) + { + m_aPersPass = aPersList; ++ m_aPersistentIV = aPersIV; + m_bHasPersPass = true; + } + +@@ -159,6 +177,7 @@ public: + { + m_bHasPersPass = false; + m_aPersPass.clear(); ++ m_aPersistentIV.clear(); + } + } + +@@ -182,6 +201,7 @@ private: + PasswordContainer* mainCont; + bool hasEncoded; + OUString mEncoded; ++ OUString mEncodedIV; + + virtual void ImplCommit() override; + +@@ -202,8 +222,8 @@ public: + + sal_Int32 getStorageVersion(); + +- bool getEncodedMP( OUString& aResult ); +- void setEncodedMP( const OUString& aResult, bool bAcceptEmpty = false ); ++ bool getEncodedMP( OUString& aResult, OUString& aResultIV ); ++ void setEncodedMP( const OUString& aResult, const OUString& aResultIV, bool bAcceptEmpty = false ); + void setUseStorage( bool bUse ); + bool useStorage(); + +@@ -224,6 +244,29 @@ private: + css::uno::Reference< css::lang::XComponent > mComponent; + SysCredentialsConfig mUrlContainer; + ++ class RandomPool ++ { ++ private: ++ rtlRandomPool m_aRandomPool; ++ public: ++ RandomPool() : m_aRandomPool(rtl_random_createPool()) ++ { ++ } ++ rtlRandomPool get() ++ { ++ return m_aRandomPool; ++ } ++ ~RandomPool() ++ { ++ // Clean up random pool memory ++ rtl_random_destroyPool(m_aRandomPool); ++ } ++ }; ++ ++ RandomPool mRandomPool; ++ ++ OUString createIV(); ++ + /// @throws css::uno::RuntimeException + css::uno::Sequence< css::task::UserRecord > CopyToUserRecordSequence( + const ::std::vector< NamePassRecord >& original, +@@ -274,10 +317,10 @@ css::task::UrlRecord find( + const css::uno::Reference< css::task::XInteractionHandler >& Handler ); + + /// @throws css::uno::RuntimeException +- static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aMasterPassword, css::task::PasswordRequestMode mode ); ++ static ::std::vector< OUString > DecodePasswords( const OUString& aLine, const OUString& aIV, const OUString& aMasterPassword, css::task::PasswordRequestMode mode ); + + /// @throws css::uno::RuntimeException +- static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aMasterPassword ); ++ static OUString EncodePasswords(const std::vector< OUString >& lines, const OUString& aIV, const OUString& aMasterPassword ); + + public: + PasswordContainer( const css::uno::Reference< css::uno::XComponentContext >& ); +-- +2.37.3 + diff --git a/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch b/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch new file mode 100644 index 0000000..4e4a905 --- /dev/null +++ b/0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch @@ -0,0 +1,113 @@ +From 0aac66b96fcfa7f8c2c265afec59eb4b3f51c131 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 23 Mar 2022 13:03:30 +0000 +Subject: [PATCH 4/5] CVE-2022-2630[6|7] add infobar to prompt to refresh to + replace old format + +Change-Id: Id99cbf2b50a4ebf289dae6fc67e22e20afcda35b +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131976 +Tested-by: Jenkins +Reviewed-by: Michael Stahl +(cherry picked from commit bbd196ff82bda9f66b4ba32a412f10cefe6da60e) +Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132307 +Reviewed-by: Sophie Gautier +Reviewed-by: Christian Lohmaier +(cherry picked from commit c5d01b11db3c83cb4a89d3b388d78e20dd3990b5) +--- + include/sfx2/strings.hrc | 2 ++ + include/sfx2/viewfrm.hxx | 1 + + sfx2/source/view/viewfrm.cxx | 39 +++++++++++++++++++++++++++++++++++- + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/include/sfx2/strings.hrc b/include/sfx2/strings.hrc +index cb627807d8c8..317dd88061df 100644 +--- a/include/sfx2/strings.hrc ++++ b/include/sfx2/strings.hrc +@@ -292,6 +292,8 @@ + #define STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK NC_("STR_SIGNATURE_NOTVALIDATED_PARTIAL_OK", "The certificate could not be validated and the document is only partially signed.") + #define STR_SIGNATURE_OK NC_("STR_SIGNATURE_OK", "This document is digitally signed and the signature is valid.") + #define STR_SIGNATURE_SHOW NC_("STR_SIGNATURE_SHOW", "Show Signatures") ++#define STR_REFRESH_MASTER_PASSWORD NC_("STR_REFRESH_MASTER_PASSWORD", "The master password is stored in an outdated format, you should refresh it") ++#define STR_REFRESH_PASSWORD NC_("STR_REFRESH_PASSWORD", "Refresh Password") + + #define STR_CLOSE_PANE NC_("STR_CLOSE_PANE", "Close Pane") + +diff --git a/include/sfx2/viewfrm.hxx b/include/sfx2/viewfrm.hxx +index aedd362f8781..dc01c088f1f7 100644 +--- a/include/sfx2/viewfrm.hxx ++++ b/include/sfx2/viewfrm.hxx +@@ -64,6 +64,7 @@ protected: + DECL_LINK(WhatsNewHandler, weld::Button&, void); + DECL_LINK(SwitchReadOnlyHandler, weld::Button&, void); + DECL_LINK(SignDocumentHandler, weld::Button&, void); ++ DECL_DLLPRIVATE_LINK(RefreshMasterPasswordHdl, weld::Button&, void); + SAL_DLLPRIVATE void KillDispatcher_Impl(); + + virtual ~SfxViewFrame() override; +diff --git a/sfx2/source/view/viewfrm.cxx b/sfx2/source/view/viewfrm.cxx +index 46a7c4d9dc42..0f90af8bfb34 100644 +--- a/sfx2/source/view/viewfrm.cxx ++++ b/sfx2/source/view/viewfrm.cxx +@@ -32,7 +32,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -1413,6 +1413,22 @@ void SfxViewFrame::Notify( SfxBroadcaster& /*rBC*/, const SfxHint& rHint ) + batch->commit(); + } + ++ if (officecfg::Office::Common::Passwords::HasMaster::get() && ++ officecfg::Office::Common::Passwords::StorageVersion::get() == 0) ++ { ++ // master password stored in deprecated format ++ VclPtr pOldMasterPasswordInfoBar = ++ AppendInfoBar("oldmasterpassword", "", ++ SfxResId(STR_REFRESH_MASTER_PASSWORD), InfobarType::DANGER, false); ++ if (pOldMasterPasswordInfoBar) ++ { ++ weld::Button& rButton = pOldMasterPasswordInfoBar->addButton(); ++ rButton.set_label(SfxResId(STR_REFRESH_PASSWORD)); ++ rButton.connect_clicked(LINK(this, ++ SfxViewFrame, RefreshMasterPasswordHdl)); ++ } ++ } ++ + // read-only infobar if necessary + const SfxViewShell *pVSh; + const SfxShell *pFSh; +@@ -1561,6 +1577,27 @@ IMPL_LINK_NOARG(SfxViewFrame, SignDocumentHandler, weld::Button&, void) + GetDispatcher()->Execute(SID_SIGNATURE); + } + ++IMPL_LINK_NOARG(SfxViewFrame, RefreshMasterPasswordHdl, weld::Button&, void) ++{ ++ bool bChanged = false; ++ try ++ { ++ Reference< task::XPasswordContainer2 > xMasterPasswd( ++ task::PasswordContainer::create(comphelper::getProcessComponentContext())); ++ ++ css::uno::Reference xFrame = GetFrame().GetFrameInterface(); ++ css::uno::Reference xContainerWindow = xFrame->getContainerWindow(); ++ ++ uno::Reference xTmpHandler(task::InteractionHandler::createWithParent(comphelper::getProcessComponentContext(), ++ xContainerWindow)); ++ bChanged = xMasterPasswd->changeMasterPassword(xTmpHandler); ++ } ++ catch (const Exception&) ++ {} ++ if (bChanged) ++ RemoveInfoBar(u"oldmasterpassword"); ++} ++ + void SfxViewFrame::Construct_Impl( SfxObjectShell *pObjSh ) + { + m_pImpl->bResizeInToOut = true; +-- +2.37.3 + diff --git a/dist b/dist index 89c1faf..dbbfc02 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an9 +an9_1 diff --git a/download b/download index 9557ca9..cfe5c0a 100644 --- a/download +++ b/download @@ -4,5 +4,3 @@ d66ae64561a9bccc27c8d0b9b3c691fd libreoffice-help-7.1.8.1.tar.xz ce3404913b8f0f93a1cb9dfdc4f30bf3 libreoffice-help-7.1.8.1.tar.xz.asc 566cabebe62d53a2a62e73a413b3daeb libreoffice-translations-7.1.8.1.tar.xz 92a1ff79401bb8be34de192bb409364e libreoffice-translations-7.1.8.1.tar.xz.asc -c871268f0ba365b71f1ec1bf068d6ab3 neon-0.31.2.tar.gz -b66ec21e0a0ac331afb4b1bc5c9ef966 xmlsec1-1.2.30.tar.gz diff --git a/libreoffice.spec b/libreoffice.spec index 693e443..c35834b 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # download path contains version without the last (fourth) digit %global libo_version 7.1.8 # Should contain .alphaX / .betaX, if this is pre-release (actually @@ -8,11 +7,11 @@ # Should contain any suffix of release tarball name, e.g., -buildfix1. %global libo_buildfix %{nil} # rhbz#715152 state vendor -%if 0%{?anolis} -%global vendoroption --with-vendor="OpenAnolis Community" +%if 0%{?rhel} +%global vendoroption --with-vendor="Red Hat, Inc." %endif %if 0%{?fedora} -%global vendoroption --with-vendor="OpenAnolis Community" +%global vendoroption --with-vendor="The Fedora Project" %endif %global libo_python python3 %global libo_python_executable %{__python3} @@ -58,10 +57,9 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 7%{?libo_prerelease}%{anolis_release}%{?dist} +Release: 8%{?libo_prerelease}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ -Excludearch: loongarch64 Source0: %{source_url}/libreoffice-%{version}%{?libo_prerelease}%{?libo_buildfix}.tar.xz Source1: %{source_url}/libreoffice-%{version}%{?libo_prerelease}%{?libo_buildfix}.tar.xz.asc @@ -85,9 +83,6 @@ Source13: %{external_url}/17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zi Source14: %{external_url}/../extern/f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf %global bundling_options %{?bundling_options} --without-system-hsqldb -Source20: http://www.aleksey.com/xmlsec/download/xmlsec1-1.2.30.tar.gz -Source21: https://notroj.github.io/neon/neon-0.31.2.tar.gz - Provides: bundled(hsqldb) = 1.8.0 %if 0%{?fedora} Provides: bundled(rhino) = 1.5 @@ -220,7 +215,7 @@ BuildRequires: pkgconfig(harfbuzz) BuildRequires: pkgconfig(libeot) BuildRequires: pkgconfig(libepubgen-0.1) BuildRequires: pkgconfig(libqxp-0.0) -%if 0%{?fedora} > 33 || 0%{?rhel} > 8 || 0%{?anolis} >= 8 +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 BuildRequires: pkgconfig(liborcus-0.16) %else BuildRequires: pkgconfig(liborcus-0.15) @@ -233,7 +228,7 @@ BuildRequires: ant %if 0%{?fedora} BuildRequires: bsh %endif -BuildRequires: java-11-devel +BuildRequires: java-devel BuildRequires: junit BuildRequires: pentaho-reporting-flow-engine @@ -279,10 +274,13 @@ Patch18: 0001-annocheck-warning-about-missing-.note.gnu.property-s.patch Patch19: 0001-EditTextObjectImpl-copy-ctor-doesn-t-exactly-copy-Ed.patch Patch20: 0001-CVE-2021-25636.patch Patch21: 0001-Resolves-rhbz-2081661-gtk-critical-gtk_tree_view_scr.patch +Patch22: 0001-CVE-2022-26305-compare-authors-using-Thumbprint.patch +Patch23: 0002-CVE-2022-26307-make-hash-encoding-match-decoding.patch +Patch24: 0003-CVE-2022-26306-add-Initialization-Vectors-to-passwor.patch +Patch25: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch -Patch1000: 0001-neon-fit-with-older-gnutls.patch %global instdir %{_libdir} %global baseinstdir %{instdir}/libreoffice @@ -578,7 +576,7 @@ Arch-independent part of %{name}-ure. Summary: Software Development Kit for LibreOffice Requires: %{name}-core%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} -Requires: unzip%{?_isa}, java-11-devel +Requires: unzip%{?_isa}, java-devel %description sdk The LibreOffice SDK is an add-on for the LibreOffice office suite. It provides @@ -1019,25 +1017,22 @@ rm -rf git-hooks */git-hooks %global __scm git_am %__scm_setup_git_am -#Customize Palette to add Anolis colours +#Customize Palette to add Red Hat colours (head -n -1 extras/source/palettes/standard.soc && \ - echo -e ' - - - - ' && \ - tail -n 1 extras/source/palettes/standard.soc) > anolis.soc -mv -f anolis.soc extras/source/palettes/standard.soc -git commit -q -a -m 'add Anolis colors to palette' + echo -e ' + + + + ' && \ + tail -n 1 extras/source/palettes/standard.soc) > redhat.soc +mv -f redhat.soc extras/source/palettes/standard.soc +git commit -q -a -m 'add Red Hat colors to palette' # apply patches %autopatch -M 99 %if 0%{?rhel} %apply_patch -q %{PATCH500} %endif -%if 0%{?anolis} -%apply_patch -q %{PATCH1000} -%endif sed -i -e /CppunitTest_sc_array_functions_test/d sc/Module_sc.mk # ppc64le sed -i -e /CppunitTest_sc_addin_functions_test/d sc/Module_sc.mk # aarch64/ppc64*/s390x @@ -1147,11 +1142,7 @@ touch autogen.lastrun %{distrooptions} \ %{?bundling_options} \ %{?archoptions} \ - %{?flatpakoptions} \ - --with-jdk-home=/usr/lib/jvm/java-11-openjdk \ - --with-system-neon=no \ - --with-system-xmlsec=no - + %{?flatpakoptions} make verbose=true build-nocheck @@ -1564,9 +1555,6 @@ rm -f %{buildroot}%{baseinstdir}/program/classes/smoketest.jar %{baseinstdir}/help/main_transform.xsl %{baseinstdir}/presets %dir %{baseinstdir}/program -%if 0%{?anolis} -%{baseinstdir}/program/libneon.so -%endif %if 0%{?fedora} %{baseinstdir}/program/core.abignore %endif @@ -2286,10 +2274,11 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog -* Thu May 18 2023 Liwei Ge - 1:7.1.8.1-7.0.1 -- Add configuration file and vemdor for Anolis OS -- Fit build on Anolis OS 8 -- Remove loongarch64 arch +* Thu Oct 20 2022 Caolán McNamara - 1:7.1.8.1-8 +- Resolves: rhbz#2134759 Untrusted Macros +- Resolves: rhbz#2134757 Weak Master Keys +- Resolves: rhbz#2134755 Static Initialization Vector +- Resolves: rhbz#2134761 Macro URL arbitrary script execution * Tue May 10 2022 Caolán McNamara - 1:7.1.8.1-7 - Resolves: rhbz#2081661 fix gtk_tree_view_scroll_to_cell assert -- Gitee From e4951aabc61451ad9524eef6b6c4f854b271daef Mon Sep 17 00:00:00 2001 From: yangxiaoxuan Date: Tue, 2 Feb 2021 01:12:37 +0800 Subject: [PATCH 2/4] spec: add configuration file and vemdor for anolis Signed-off-by: yangxiaoxuan Change-Id: I7ab913f7f76a0f10d896c0902d2093dca662fb7d --- libreoffice.spec | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/libreoffice.spec b/libreoffice.spec index c35834b..aed8a1f 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # download path contains version without the last (fourth) digit %global libo_version 7.1.8 # Should contain .alphaX / .betaX, if this is pre-release (actually @@ -7,11 +8,11 @@ # Should contain any suffix of release tarball name, e.g., -buildfix1. %global libo_buildfix %{nil} # rhbz#715152 state vendor -%if 0%{?rhel} -%global vendoroption --with-vendor="Red Hat, Inc." +%if 0%{?anolis} +%global vendoroption --with-vendor="OpenAnolis Community" %endif %if 0%{?fedora} -%global vendoroption --with-vendor="The Fedora Project" +%global vendoroption --with-vendor="OpenAnolis Community" %endif %global libo_python python3 %global libo_python_executable %{__python3} @@ -57,7 +58,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.1 -Release: 8%{?libo_prerelease}%{?dist} +Release: 8%{?libo_prerelease}%{anolis_release}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ @@ -1017,16 +1018,16 @@ rm -rf git-hooks */git-hooks %global __scm git_am %__scm_setup_git_am -#Customize Palette to add Red Hat colours +#Customize Palette to add Anolis colours (head -n -1 extras/source/palettes/standard.soc && \ - echo -e ' - - - - ' && \ - tail -n 1 extras/source/palettes/standard.soc) > redhat.soc -mv -f redhat.soc extras/source/palettes/standard.soc -git commit -q -a -m 'add Red Hat colors to palette' + echo -e ' + + + + ' && \ + tail -n 1 extras/source/palettes/standard.soc) > anolis.soc +mv -f anolis.soc extras/source/palettes/standard.soc +git commit -q -a -m 'add Anolis colors to palette' # apply patches %autopatch -M 99 @@ -2274,6 +2275,9 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %{_includedir}/LibreOfficeKit %changelog +* Sat Jul 22 2023 yangxiaoxuan 1:7.1.8.1-8.0.1 +- Add configuration file and vemdor for Anolis OS + * Thu Oct 20 2022 Caolán McNamara - 1:7.1.8.1-8 - Resolves: rhbz#2134759 Untrusted Macros - Resolves: rhbz#2134757 Weak Master Keys -- Gitee From d23ddc3f202bb2e351e137f3398db482586b4cf3 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Mon, 18 Jul 2022 20:44:51 +0800 Subject: [PATCH 3/4] build: bundle with neon-0.31.2 and xmlsec1-1.2.30 --- 0001-neon-fit-with-older-gnutls.patch | 70 +++++++++++++++++++++++++++ download | 2 + libreoffice.spec | 23 +++++++-- 3 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 0001-neon-fit-with-older-gnutls.patch diff --git a/0001-neon-fit-with-older-gnutls.patch b/0001-neon-fit-with-older-gnutls.patch new file mode 100644 index 0000000..56d6e58 --- /dev/null +++ b/0001-neon-fit-with-older-gnutls.patch @@ -0,0 +1,70 @@ +From d6fb4e010e18309373f4ba581f9fd74fd8212762 Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Mon, 18 Jul 2022 20:34:06 +0800 +Subject: [PATCH] neon: fit with older gnutls + +--- + external/neon/configs/config.h | 2 ++ + external/neon/neon_fit_with_older_gnutls.patch | 15 +++++++++++++++ + 2 files changed, 17 insertions(+) + create mode 100644 external/neon/neon_fit_with_older_gnutls.patch + +diff --git a/external/neon/configs/config.h b/external/neon/configs/config.h +index af8408ad9..662afc516 100644 +--- a/external/neon/configs/config.h ++++ b/external/neon/configs/config.h +@@ -83,6 +83,8 @@ + /* Define if GnuTLS support is enabled */ + #define HAVE_GNUTLS + ++#define HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 ++ + /* Define to 1 if you have the `gnutls_certificate_get_x509_cas' function. */ + /* #undef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS */ + +diff --git a/external/neon/neon_fit_with_older_gnutls.patch b/external/neon/neon_fit_with_older_gnutls.patch +new file mode 100644 +index 000000000..4eda62a5b +--- /dev/null ++++ b/external/neon/neon_fit_with_older_gnutls.patch +@@ -0,0 +1,26 @@ ++diff -Nur src/ne_gnutls.h src/ne_gnutls.h ++--- src/ne_gnutls.c 2020-06-20 15:09:24.000000000 +0800 +++++ src/ne_gnutls.c 2022-07-18 11:22:00.000000000 +0800 ++@@ -32,6 +32,7 @@ ++ #include ++ ++ #include +++#include ++ #include ++ ++ #ifdef NE_HAVE_TS_SSL ++diff -Nur src/ne_privssl.h src/ne_privssl.h ++--- src/ne_privssl.h 2020-06-20 15:09:24.000000000 +0800 +++++ src/ne_privssl.h 2022-07-18 11:22:00.000000000 +0800 ++@@ -86,9 +86,11 @@ ++ ++ typedef gnutls_session_t ne_ssl_socket; ++ +++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT ++ NE_PRIVATE ne_ssl_client_cert * ++ ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len, ++ gnutls_privkey_sign_func sign_func, void *userdata); +++#endif ++ ++ #endif /* HAVE_GNUTLS */ ++ +diff --git a/external/neon/UnpackedTarball_neon.mk b/external/neon/UnpackedTarball_neon.mk +index 73cdd81f2..bb15e3f48 100644 +--- a/external/neon/UnpackedTarball_neon.mk ++++ b/external/neon/UnpackedTarball_neon.mk +@@ -21,6 +21,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,neon,\ + external/neon/neon.patch \ + external/neon/neon_with_gnutls.patch \ + external/neon/neon_fix_lock_token_on_if.patch \ ++ external/neon/neon_fit_with_older_gnutls.patch \ + $(if $(filter WNT,$(OS)),external/neon/neon_fix_no_OPENSSL_Applink.patch) \ + )) + +-- +2.27.0 diff --git a/download b/download index cfe5c0a..9557ca9 100644 --- a/download +++ b/download @@ -4,3 +4,5 @@ d66ae64561a9bccc27c8d0b9b3c691fd libreoffice-help-7.1.8.1.tar.xz ce3404913b8f0f93a1cb9dfdc4f30bf3 libreoffice-help-7.1.8.1.tar.xz.asc 566cabebe62d53a2a62e73a413b3daeb libreoffice-translations-7.1.8.1.tar.xz 92a1ff79401bb8be34de192bb409364e libreoffice-translations-7.1.8.1.tar.xz.asc +c871268f0ba365b71f1ec1bf068d6ab3 neon-0.31.2.tar.gz +b66ec21e0a0ac331afb4b1bc5c9ef966 xmlsec1-1.2.30.tar.gz diff --git a/libreoffice.spec b/libreoffice.spec index aed8a1f..3c9bafd 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -84,6 +84,9 @@ Source13: %{external_url}/17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zi Source14: %{external_url}/../extern/f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf %global bundling_options %{?bundling_options} --without-system-hsqldb +Source20: http://www.aleksey.com/xmlsec/download/xmlsec1-1.2.30.tar.gz +Source21: https://notroj.github.io/neon/neon-0.31.2.tar.gz + Provides: bundled(hsqldb) = 1.8.0 %if 0%{?fedora} Provides: bundled(rhino) = 1.5 @@ -216,7 +219,7 @@ BuildRequires: pkgconfig(harfbuzz) BuildRequires: pkgconfig(libeot) BuildRequires: pkgconfig(libepubgen-0.1) BuildRequires: pkgconfig(libqxp-0.0) -%if 0%{?fedora} > 33 || 0%{?rhel} > 8 +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 || 0%{?anolis} >= 8 BuildRequires: pkgconfig(liborcus-0.16) %else BuildRequires: pkgconfig(liborcus-0.15) @@ -229,7 +232,7 @@ BuildRequires: ant %if 0%{?fedora} BuildRequires: bsh %endif -BuildRequires: java-devel +BuildRequires: java-11-devel BuildRequires: junit BuildRequires: pentaho-reporting-flow-engine @@ -282,6 +285,7 @@ Patch25: 0004-CVE-2022-2630-6-7-add-infobar-to-prompt-to-refresh-t.patch # not upstreamed Patch500: 0001-disable-libe-book-support.patch +Patch1000: 0001-neon-fit-with-older-gnutls.patch %global instdir %{_libdir} %global baseinstdir %{instdir}/libreoffice @@ -577,7 +581,7 @@ Arch-independent part of %{name}-ure. Summary: Software Development Kit for LibreOffice Requires: %{name}-core%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-ure%{?_isa} = %{epoch}:%{version}-%{release} -Requires: unzip%{?_isa}, java-devel +Requires: unzip%{?_isa}, java-11-devel %description sdk The LibreOffice SDK is an add-on for the LibreOffice office suite. It provides @@ -1034,6 +1038,9 @@ git commit -q -a -m 'add Anolis colors to palette' %if 0%{?rhel} %apply_patch -q %{PATCH500} %endif +%if 0%{?anolis} +%apply_patch -q %{PATCH1000} +%endif sed -i -e /CppunitTest_sc_array_functions_test/d sc/Module_sc.mk # ppc64le sed -i -e /CppunitTest_sc_addin_functions_test/d sc/Module_sc.mk # aarch64/ppc64*/s390x @@ -1143,7 +1150,11 @@ touch autogen.lastrun %{distrooptions} \ %{?bundling_options} \ %{?archoptions} \ - %{?flatpakoptions} + %{?flatpakoptions} \ + --with-jdk-home=/usr/lib/jvm/java-11-openjdk \ + --with-system-neon=no \ + --with-system-xmlsec=no + make verbose=true build-nocheck @@ -1556,6 +1567,9 @@ rm -f %{buildroot}%{baseinstdir}/program/classes/smoketest.jar %{baseinstdir}/help/main_transform.xsl %{baseinstdir}/presets %dir %{baseinstdir}/program +%if 0%{?anolis} +%{baseinstdir}/program/libneon.so +%endif %if 0%{?fedora} %{baseinstdir}/program/core.abignore %endif @@ -2277,6 +2291,7 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : %changelog * Sat Jul 22 2023 yangxiaoxuan 1:7.1.8.1-8.0.1 - Add configuration file and vemdor for Anolis OS +- Fit build on Anolis OS 8 * Thu Oct 20 2022 Caolán McNamara - 1:7.1.8.1-8 - Resolves: rhbz#2134759 Untrusted Macros -- Gitee From 3b0e0270cbb35605f9557bd44abc777f9df73b5d Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 18 May 2023 16:28:59 +0800 Subject: [PATCH 4/4] spec: remove loongarch64 arch Signed-off-by: Zhao Hang --- libreoffice.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libreoffice.spec b/libreoffice.spec index 3c9bafd..9553f00 100644 --- a/libreoffice.spec +++ b/libreoffice.spec @@ -61,6 +61,7 @@ Version: %{libo_version}.1 Release: 8%{?libo_prerelease}%{anolis_release}%{?dist} License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and MPLv2.0 and CC0 URL: http://www.libreoffice.org/ +Excludearch: loongarch64 Source0: %{source_url}/libreoffice-%{version}%{?libo_prerelease}%{?libo_buildfix}.tar.xz Source1: %{source_url}/libreoffice-%{version}%{?libo_prerelease}%{?libo_buildfix}.tar.xz.asc @@ -2292,6 +2293,7 @@ gtk-update-icon-cache -q %{_datadir}/icons/hicolor &>/dev/null || : * Sat Jul 22 2023 yangxiaoxuan 1:7.1.8.1-8.0.1 - Add configuration file and vemdor for Anolis OS - Fit build on Anolis OS 8 +- Remove loongarch64 arch * Thu Oct 20 2022 Caolán McNamara - 1:7.1.8.1-8 - Resolves: rhbz#2134759 Untrusted Macros -- Gitee