[ooo-build-commit] .: Branch 'debian-3-1-1' - 3 commits - patches/dev300
René Engelhard
rene at kemper.freedesktop.org
Fri Feb 12 08:35:31 PST 2010
patches/dev300/apply | 7 +
patches/dev300/cws-hb32showstoppers3.diff | 62 ++++++++++++++
patches/dev300/cws-impress178-xpm-and-gif-fix.diff | 71 ++++++++++++++++
patches/dev300/libxmlsec-CVE-2009-0217.diff | 93 +++++++++++++++++++++
4 files changed, 232 insertions(+), 1 deletion(-)
New commits:
commit b2ca7848957fd3511fce0c2cb5b99462346de924
Author: Rene Engelhard <rene at debian.org>
Date: Fri Feb 12 09:51:41 2010 +0100
add security fixes disclosed with OOo 3.2
* patches/dev300/apply:
* patches/dev300/cws-hb32showstoppers3.diff:
* patches/dev300/cws-impress178-xpm-and-gif-fix.diff:
* patches/dev300/libxmlsec-CVE-2009-0217.diff:
diff --git a/patches/dev300/apply b/patches/dev300/apply
index 994682c..304ef97 100644
--- a/patches/dev300/apply
+++ b/patches/dev300/apply
@@ -19,7 +19,7 @@ Common : PreprocessPatches, BuildBits, TemporaryHacks, FixesNotForUpstream, \
OOXML, OOXMLExport, SVGImport, FrameworkFeature, UnitTesting, \
PopupRemoval, LinkWarningDlg, RadioButtons, InternalCairo, \
FedoraCommonFixes, InternalMesaHeaders, LayoutDialogs, Fuzz, \
- CalcRowLimit, Gcc44
+ CalcRowLimit, Gcc44, Security
LinuxCommon : Common, Defaults, TangoIcons, FontConfigTemporaryHacks, \
FedoraLinuxOnlyFixes, LinuxOnly, SystemBits, \
@@ -324,6 +324,11 @@ vba-show-data-form-link-fix.diff, kohei
# Base Table Wizard bug, fixed in dba32d, integrated into DEV300_m52
table-wizard-swap-private-business-i102019.diff
+[ Security ]
+cws-impress178-xpm-and-gif-fix.diff
+cws-hb32showstoppers3.diff
+libxmlsec-CVE-2009-0217.diff
+
[ WPG ]
# libwpg-based import filter for WordPerfect Graphics
libwpg.diff
diff --git a/patches/dev300/cws-hb32showstoppers3.diff b/patches/dev300/cws-hb32showstoppers3.diff
new file mode 100644
index 0000000..af192d9
--- /dev/null
+++ b/patches/dev300/cws-hb32showstoppers3.diff
@@ -0,0 +1,62 @@
+Date: Mon, 9 Nov 2009 12:48:11 GMT
+From: hbrinkm at openoffice.org <hbrinkm at openoffice.org>
+Content-Type: text/plain; charset=UTF-8
+Subject: r277409 - cws/hb32showstoppers3/sw/source/filter/ww8
+
+
+Author: hbrinkm
+Date: Mon Nov 9 12:48:11 2009
+New Revision: 277409
+
+Log:
+#b6898803# ensure to read only as many TCs as are there
+
+Modified:
+ cws/hb32showstoppers3/sw/source/filter/ww8/ww8par2.cxx
+
+Modified: cws/hb32showstoppers3/sw/source/filter/ww8/ww8par2.cxx
+==============================================================================
+--- sw/source/filter/ww8/ww8par2.cxx Mon Nov 9 12:03:02 2009 (r277408)
++++ sw/source/filter/ww8/ww8par2.cxx Mon Nov 9 12:48:11 2009 (r277409)
+@@ -1170,6 +1170,7 @@
+ pS++;
+
+ short nLen = (INT16)SVBT16ToShort( pS - 2 ); // nicht schoen
++
+ BYTE nCols = *pS; // Anzahl der Zellen
+ short nOldCols = nWwCols;
+
+@@ -1200,7 +1201,11 @@
+ setcelldefaults(pTCs,nCols);
+ }
+
+- if( nFileCols )
++ short nColsToRead = nFileCols;
++ if (nColsToRead > nCols)
++ nColsToRead = nCols;
++
++ if( nColsToRead )
+ {
+ // lies TCs ein
+
+@@ -1216,9 +1221,9 @@
+ if( bVer67 )
+ {
+ WW8_TCellVer6* pTc = (WW8_TCellVer6*)pT;
+- for(i=0; i<nFileCols; i++, ++pAktTC,++pTc)
++ for(i=0; i<nColsToRead; i++, ++pAktTC,++pTc)
+ {
+- if( i < nFileCols )
++ if( i < nColsToRead )
+ { // TC aus File ?
+ BYTE aBits1 = SVBT8ToByte( pTc->aBits1Ver6 );
+ pAktTC->bFirstMerged = ( ( aBits1 & 0x01 ) != 0 );
+@@ -1248,7 +1253,7 @@
+ else
+ {
+ WW8_TCellVer8* pTc = (WW8_TCellVer8*)pT;
+- for (int k = 0; k < nFileCols; ++k, ++pAktTC, ++pTc )
++ for (int k = 0; k < nColsToRead; ++k, ++pAktTC, ++pTc )
+ {
+ UINT16 aBits1 = SVBT16ToShort( pTc->aBits1Ver8 );
+ pAktTC->bFirstMerged = ( ( aBits1 & 0x0001 ) != 0 );
diff --git a/patches/dev300/cws-impress178-xpm-and-gif-fix.diff b/patches/dev300/cws-impress178-xpm-and-gif-fix.diff
new file mode 100644
index 0000000..02883a1
--- /dev/null
+++ b/patches/dev300/cws-impress178-xpm-and-gif-fix.diff
@@ -0,0 +1,71 @@
+Index: svtools/source/filter.vcl/ixpm/xpmread.cxx
+===================================================================
+--- svtools/source/filter.vcl/ixpm/xpmread.cxx (.../tags/OOO320_m2/svtools) (Revision 277698)
++++ svtools/source/filter.vcl/ixpm/xpmread.cxx (.../cws/impress178/svtools) (Revision 277698)
+@@ -109,6 +109,10 @@
+ mnColors = ImplGetULONG( 2 );
+ mnCpp = ImplGetULONG( 3 );
+ }
++ if ( mnColors > ( SAL_MAX_UINT32 / ( 4 + mnCpp ) ) )
++ mbStatus = sal_False;
++ if ( ( mnWidth * mnCpp ) >= XPMSTRINGBUF )
++ mbStatus = sal_False;
+ if ( mbStatus && mnWidth && mnHeight && mnColors && mnCpp )
+ {
+ mnIdentifier = XPMCOLORS;
+@@ -118,15 +122,20 @@
+ // 1 Byte -> 0xff wenn Farbe transparent ist
+ // 3 Bytes -> RGB Wert der Farbe
+ mpColMap = new BYTE[ mnColors * ( 4 + mnCpp ) ];
+-
+- for ( ULONG i = 0; i < mnColors; i++ )
++ if ( mpColMap )
+ {
+- if ( ImplGetColor( i ) == FALSE )
++ for ( ULONG i = 0; i < mnColors; i++ )
+ {
+- mbStatus = FALSE;
+- break;
++ if ( ImplGetColor( i ) == FALSE )
++ {
++ mbStatus = FALSE;
++ break;
++ }
+ }
+ }
++ else
++ mbStatus = sal_False;
++
+ if ( mbStatus )
+ {
+ // bei mehr als 256 Farben wird eine 24 Bit Grafik erstellt
+@@ -630,7 +639,7 @@
+ mnStatus &=~XPMSTRING; // end of parameter by eol
+ break;
+ }
+- if ( mnStringSize >= XPMSTRINGBUF )
++ if ( mnStringSize >= ( XPMSTRINGBUF - 1 ) )
+ {
+ mbStatus = FALSE;
+ break;
+Index: svtools/source/filter.vcl/igif/decode.cxx
+===================================================================
+--- svtools/source/filter.vcl/igif/decode.cxx (.../tags/OOO320_m2/svtools) (Revision 277698)
++++ svtools/source/filter.vcl/igif/decode.cxx (.../cws/impress178/svtools) (Revision 277698)
+@@ -51,7 +51,6 @@
+ bEOIFound ( FALSE ),
+ nDataSize ( cDataSize )
+ {
+- pTable = new GIFLZWTableEntry[ 4096 ];
+ pOutBuf = new BYTE[ 4096 ];
+
+ nClearCode = 1 << nDataSize;
+@@ -61,6 +60,8 @@
+ nOldCode = 0xffff;
+ pOutBufData = pOutBuf + 4096;
+
++ pTable = new GIFLZWTableEntry[ 4098 ];
++
+ for( USHORT i = 0; i < nTableSize; i++ )
+ {
+ pTable[i].pPrev = NULL;
diff --git a/patches/dev300/libxmlsec-CVE-2009-0217.diff b/patches/dev300/libxmlsec-CVE-2009-0217.diff
new file mode 100644
index 0000000..7b8208c
--- /dev/null
+++ b/patches/dev300/libxmlsec-CVE-2009-0217.diff
@@ -0,0 +1,93 @@
+Index: xmlsec1-1.2.6.patch
+===================================================================
+RCS file: /cvs/external/libxmlsec/xmlsec1-1.2.6.patch,v
+retrieving revision 1.21
+diff -u -r1.21 xmlsec1-1.2.6.patch
+--- libxmlsec/xmlsec1-1.2.6.patch 5 Jul 2007 08:51:39 -0000 1.21
++++ libxmlsec/xmlsec1-1.2.6.patch 15 Dec 2009 15:28:45 -0000
+@@ -17395,3 +17395,85 @@
+ XMLSEC_NSS_ALIBS = smime3.lib ssl3.lib nss3.lib libnspr4_s.lib libplds4_s.lib libplc4_s.lib kernel32.lib user32.lib gdi32.lib
+
+ XMLSEC_MSCRYPTO_SOLIBS = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib
++diff --git misc/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h misc/build/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h
++index f1cd44e..381ee1f 100644
++--- misc/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h
+++++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h
++@@ -191,6 +191,10 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformDsaSha1GetKlass(void);
++ *
++ *******************************************************************/
++ #ifndef XMLSEC_NO_HMAC
+++
+++XMLSEC_CRYPTO_EXPORT int xmlSecNssHmacGetMinOutputLength();
+++XMLSEC_CRYPTO_EXPORT void xmlSecNssHmacSetMinOutputLength(int min_length);
+++
++ /**
++ * xmlSecNssKeyDataHmacId:
++ *
++diff --git misc/xmlsec1-1.2.6/src/nss/hmac.c misc/build/xmlsec1-1.2.6/src/nss/hmac.c
++index f67ec9d..a7c2018 100644
++--- misc/xmlsec1-1.2.6/src/nss/hmac.c
+++++ misc/build/xmlsec1-1.2.6/src/nss/hmac.c
++@@ -26,10 +26,40 @@
++ #include <xmlsec/nss/app.h>
++ #include <xmlsec/nss/crypto.h>
++
+++#define XMLSEC_NSS_MIN_HMAC_SIZE 64
++ #define XMLSEC_NSS_MAX_HMAC_SIZE 128
++
++ /**************************************************************************
++ *
+++ * Configuration
+++ *
+++ *****************************************************************************/
+++static int g_xmlsec_nss_hmac_min_length = XMLSEC_NSS_MIN_HMAC_SIZE;
+++
+++/**
+++ * xmlSecNssHmacGetMinOutputLength:
+++ *
+++ * Returns the min HMAC output length
+++ */
+++int xmlSecNssHmacGetMinOutputLength()
+++{
+++ return g_xmlsec_nss_hmac_min_length;
+++}
+++
+++/**
+++ * xmlSecNssHmacSetMinOutputLength:
+++ *
+++ * @min_length: the new min length
+++ *
+++ * Sets the min HMAC output length
+++ */
+++void xmlSecNssHmacSetMinOutputLength(int min_length)
+++{
+++ g_xmlsec_nss_hmac_min_length = min_length;
+++}
+++
+++/**************************************************************************
+++ *
++ * Internal NSS HMAC CTX
++ *
++ *****************************************************************************/
++@@ -162,7 +192,20 @@ xmlSecNssHmacNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlSecTrans
++ ctx->dgstSize = atoi((char*)content);
++ xmlFree(content);
++ }
++- /* todo: error if dgstSize == 0 ?*/
+++
+++ /* Ensure that HMAC length is greater than min specified.
+++ Otherwise, an attacker can set this lenght to 0 or very
+++ small value
+++ */
+++ if(ctx->dgstSize < xmlSecNssHmacGetMinOutputLength()) {
+++ xmlSecError(XMLSEC_ERRORS_HERE,
+++ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+++ xmlSecNodeHMACOutputLength,
+++ XMLSEC_ERRORS_R_INVALID_NODE_ATTRIBUTE,
+++ "HMAC output length is too small");
+++ return(-1);
+++ }
+++
++ cur = xmlSecGetNextElementNode(cur->next);
++ }
++
commit 830a9dff000db252dbef5e258cbfdeb617f6a72e
Author: Rene Engelhard <rene at debian.org>
Date: Thu Jan 21 19:17:53 2010 +0100
one more fix for helpcontent2-auxiliary-eu.diff
* patches/dev300/helpcontent2-auxiliary-eu.diff: fix highcontrastblack.css
diff --git a/patches/dev300/helpcontent2-auxiliary-eu.diff b/patches/dev300/helpcontent2-auxiliary-eu.diff
index 86c4437..4d86a34 100644
--- a/patches/dev300/helpcontent2-auxiliary-eu.diff
+++ b/patches/dev300/helpcontent2-auxiliary-eu.diff
@@ -1,7 +1,7 @@
Index: helpcontent2/source/auxiliary/eu/highcontrastblack.css
===================================================================
---- helpcontent2/source/auxiliary/helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
-+++ helpcontent2/source/auxiliary/helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
+--- helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
++++ helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
@@ -0,0 +1,91 @@
+/*
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
commit b4faf2f4b57ff1d535d8912f4b74b33b29bf6dc2
Author: Rene Engelhard <rene at debian.org>
Date: Thu Jan 21 16:21:13 2010 +0100
_really_ fix helpcontent2-auxiliary-eu.diff
* patches/dev300/helpcontent2-auxiliary-eu.diff: fix all files....
diff --git a/patches/dev300/helpcontent2-auxiliary-eu.diff b/patches/dev300/helpcontent2-auxiliary-eu.diff
index 4d86a34..86c4437 100644
--- a/patches/dev300/helpcontent2-auxiliary-eu.diff
+++ b/patches/dev300/helpcontent2-auxiliary-eu.diff
@@ -1,7 +1,7 @@
Index: helpcontent2/source/auxiliary/eu/highcontrastblack.css
===================================================================
---- helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
-+++ helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
+--- helpcontent2/source/auxiliary/helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
++++ helpcontent2/source/auxiliary/helpcontent2/source/auxiliary/eu/highcontrastblack.css (Revision 0)
@@ -0,0 +1,91 @@
+/*
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
More information about the ooo-build-commit
mailing list