
[libreoffice] 01/01: add 1:4.3.3-2+deb8u3 (jessie-security) changes



This is an automated email from the git hooks/post-receive script.

rene pushed a commit to branch debian-jessie-4.3.3
in repository libreoffice.

commit afdb4f01a91ffa5e0bd1a9d2b710cbf0c63a2992
Author: Rene Engelhard <rene@debian.org>
Date:   Mon Mar 28 14:06:21 2016 +0200

    add 1:4.3.3-2+deb8u3 (jessie-security) changes
---
 changelog                 | 15 ++++++++
 patches/V-1lp8t84lh4.diff | 32 +++++++++++++++++
 patches/V-a7vjdei7l7.diff | 44 +++++++++++++++++++++++
 patches/V-mgylorku1q.diff | 43 ++++++++++++++++++++++
 patches/V-pxk0pgyk9d.diff | 91 +++++++++++++++++++++++++++++++++++++++++++++++
 patches/series            |  4 +++
 6 files changed, 229 insertions(+)

diff --git a/changelog b/changelog
index a35bb71..9770009 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,18 @@
+libreoffice (1:4.3.3-2+deb8u3) jessie-security; urgency=high
+
+  * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
+    TabRack Buffer Overflow Vulnerability"
+  * debian/patches/V-pxk0pgyk9d.diff: fix "LibreOffice Writer Lotus Word Pro
+    'ReadRootData' Buffer Overflow Vulnerability"
+  * debian/patches/V-mgylorku1q.diff: fix "LibreOffice Writer Lotus Word Pro
+    Bullet Buffer Overflow Vulnerability"
+  (CVE-2016-0794)
+  * debian/patches/V-a7vjdei7l7.diff: fix "LibreOffice Writer Lotus Word Pro
+    'TocSuperLayout' Buffer Overflow Vulnerability"
+  (CVE-2016-0795)
+
+ -- Rene Engelhard <rene@debian.org>  Thu, 11 Feb 2016 18:15:56 +0100
+
 libreoffice (1:4.3.3-2+deb8u2) jessie-security; urgency=high
 
   * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary
diff --git a/patches/V-1lp8t84lh4.diff b/patches/V-1lp8t84lh4.diff
new file mode 100644
index 0000000..ef75f58
--- /dev/null
+++ b/patches/V-1lp8t84lh4.diff
@@ -0,0 +1,32 @@
+From 3ed4715779bdd3a3d27cf34e222275c8ba092a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 8 Dec 2015 14:20:52 +0000
+Subject: [PATCH] guard against corrupt m_nNumTabs
+
+Change-Id: I41b8514a127d463ac951e5855f09416fa0456b1b
+---
+ lotuswordpro/source/filter/lwptabrack.cxx | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+index b27082c..ab8ab3c 100644
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -86,11 +86,12 @@ LwpTabRack::LwpTabRack(LwpObjectHeader objHdr, LwpSvStream* pStrm):LwpObject(obj
+ 
+ void LwpTabRack::Read()
+ {
+-//  LwpObjectID     m_NextID;
+     m_NextID.ReadIndexed(m_pObjStrm);
+ 
+     m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+-    for( int i=0; i<m_nNumTabs; i++ )
++    if (m_nNumTabs > MaxTabs)
++        throw std::out_of_range("corrupt LwpTabRack");
++    for (int i=0; i<m_nNumTabs; ++i)
+     {
+         m_aTabs[i].Read(m_pObjStrm);
+         m_pObjStrm->SkipExtra();
+-- 
+2.1.4
+
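Review bot: `m_nNumTabs` is assigned from the stream before the new bound check in `LwpTabRack::Read()`, so when the throw fires the object keeps a count larger than `MaxTabs`. Whether anything touches the object after the exception is caught is not visible here, but any later code that trusts `m_nNumTabs` as an index bound for `m_aTabs` would be working from an unvalidated value. Reading into a local first avoids that: `const sal_uInt16 nNumTabs = m_pObjStrm->QuickReaduInt16();`, check `nNumTabs > MaxTabs`, then `m_nNumTabs = nNumTabs;`. The same order (member set, then validated) appears for `m_nLeafCount` in `LwpIndexManager::ReadRootData` in V-pxk0pgyk9d.diff. The body of `Read()` continues past the end of the hunk.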
diff --git a/patches/V-a7vjdei7l7.diff b/patches/V-a7vjdei7l7.diff
new file mode 100644
index 0000000..c91183b
--- /dev/null
+++ b/patches/V-a7vjdei7l7.diff
@@ -0,0 +1,44 @@
+From 6dc998c084ed143ee3d5867edabbb3f7a14a453e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 10 Dec 2015 12:59:21 +0000
+Subject: [PATCH] guard against corrupt LwpTocSuperLayout
+
+Change-Id: I18648e74d16b932cfa6fbd2057d1e9987c498fd4
+---
+ lotuswordpro/source/filter/lwptoc.cxx | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptoc.cxx b/lotuswordpro/source/filter/lwptoc.cxx
+index 9808023..59926bb 100644
+--- a/lotuswordpro/source/filter/lwptoc.cxx
++++ b/lotuswordpro/source/filter/lwptoc.cxx
+@@ -106,17 +106,22 @@ void LwpTocSuperLayout::Read()
+ 
+     m_SearchItems.Read(m_pObjStrm);
+ 
+-    sal_uInt16 i;
+     sal_uInt16 count = m_pObjStrm->QuickReaduInt16();
+-    for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++    if (count > MAX_LEVELS)
++        throw std::range_error("corrupt LwpTocSuperLayout");
++    for (sal_uInt16 i = 0; i < count; ++i)
+         m_DestName[i].Read(m_pObjStrm);
+ 
+     count = m_pObjStrm->QuickReaduInt16();
+-    for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++    if (count > MAX_LEVELS)
++        throw std::range_error("corrupt LwpTocSuperLayout");
++    for (sal_uInt16 i = 0; i < count; ++i)
+         m_DestPGName[i].Read(m_pObjStrm);
+ 
+     count = m_pObjStrm->QuickReaduInt16();
+-    for (i = 0; i < count; i++)
++    if (count > MAX_LEVELS)
++        throw std::range_error("corrupt LwpTocSuperLayout");
++    for (sal_uInt16 i = 0; i < count; ++i)
+         m_nFlags[i] = m_pObjStrm->QuickReaduInt32();
+ 
+     m_pObjStrm->SkipExtra();
+-- 
+2.1.4
+
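Review bot: All three guards in `LwpTocSuperLayout::Read()` compare `count` against `MAX_LEVELS`, but the declarations of `m_DestName`, `m_DestPGName` and `m_nFlags` are not in the hunk, so the check is only as good as the assumption that each array has exactly `MAX_LEVELS` elements. Tying each bound to its own array, as the SilverBullet patch in this series does, keeps the guard correct if a size ever changes, e.g. `if (count > SAL_N_ELEMENTS(m_nFlags))`. Note also that the first two loops used to stop silently at `MAX_LEVELS` and now reject the file, which is a behaviour change worth stating in the commit message. The function starts before and continues after the hunk.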
diff --git a/patches/V-mgylorku1q.diff b/patches/V-mgylorku1q.diff
new file mode 100644
index 0000000..88c2122
--- /dev/null
+++ b/patches/V-mgylorku1q.diff
@@ -0,0 +1,43 @@
+From ff22ddfa1f86429395bd735a867e71bff60d18c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 12:09:37 +0000
+Subject: [PATCH] guard against corrupt SilverBullet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 36d55980b1b3498fecc460d3c46667e5f5a17b8e)
+Reviewed-on: https://gerrit.libreoffice.org/20504
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit d387a99fce3f96f4fcd60c70909292255f12840f)
+
+Change-Id: I3af47ab3af5e28a865a77a592f6a92edb46e4f2b
+Reviewed-on: https://gerrit.libreoffice.org/20506
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+---
+ lotuswordpro/source/filter/lwpsilverbullet.cxx | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lotuswordpro/source/filter/lwpsilverbullet.cxx b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+index 8aad255..76e24b6 100644
+--- a/lotuswordpro/source/filter/lwpsilverbullet.cxx
++++ b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+@@ -97,7 +97,10 @@ void LwpSilverBullet::Read()
+ 
+     sal_uInt16 nNumPos = m_pObjStrm->QuickReaduInt16();
+ 
+-    for (sal_uInt8 nC = 0; nC < nNumPos; nC++)
++    if (nNumPos > SAL_N_ELEMENTS(m_pResetPositionFlags))
++        throw std::range_error("corrupt SilverBullet");
++
++    for (sal_uInt16 nC = 0; nC < nNumPos; nC++)
+         m_pResetPositionFlags[nC] = m_pObjStrm->QuickReaduInt8();
+ 
+     m_nUseCount = m_pObjStrm->QuickReaduInt32();
+-- 
+2.1.4
+
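Review bot: The widening of `nC` from `sal_uInt8` to `sal_uInt16` in the loop of `LwpSilverBullet::Read()` is not explained anywhere, and it is easy to narrow again in a later cleanup. With the old 8-bit counter, a `nNumPos` above 255 could never make `nC < nNumPos` false, so the loop would not terminate on its own. I would add a comment above the loop such as `// nC must be as wide as nNumPos; an 8-bit counter wraps before reaching counts above 255`. The function starts before and continues after the hunk.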
diff --git a/patches/V-pxk0pgyk9d.diff b/patches/V-pxk0pgyk9d.diff
new file mode 100644
index 0000000..f6d9c4c
--- /dev/null
+++ b/patches/V-pxk0pgyk9d.diff
@@ -0,0 +1,91 @@
+From eef71d6a9fdbda67affadb46534fcde4b2dbdb0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 11:56:52 +0000
+Subject: [PATCH 1/2] guard against corrupt ObjIndexData
+
+Change-Id: I214991e5d34c8e335cdd8ea482f8fa4913ba637b
+(cherry picked from commit c88a23b9d44118e96de41a70ab7f87eb0aafb126)
+Reviewed-on: https://gerrit.libreoffice.org/20502
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx  | 2 +-
+ lotuswordpro/source/filter/lwpobjstrm.cxx | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+index 07ea4a1..3cc70da 100644
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -212,7 +212,7 @@ void LwpIndexManager::ReadObjIndexData(LwpObjectStream* pObjStrm)
+             vObjIndexs[k]->offset = pObjStrm->QuickReaduInt32();
+ 
+         for (k = 0; k < LeafCount; k++)
+-            m_TempVec[k] = pObjStrm->QuickReaduInt32();
++            m_TempVec.at(k) = pObjStrm->QuickReaduInt32();
+     }
+ 
+     for( sal_uInt16 j=0; j<LeafCount; j++ )
+diff --git a/lotuswordpro/source/filter/lwpobjstrm.cxx b/lotuswordpro/source/filter/lwpobjstrm.cxx
+index 312ae67..cd7001f 100644
+--- a/lotuswordpro/source/filter/lwpobjstrm.cxx
++++ b/lotuswordpro/source/filter/lwpobjstrm.cxx
+@@ -170,7 +170,7 @@ sal_uInt16 LwpObjectStream::QuickRead(void* buf, sal_uInt16 len)
+     memset(buf, 0, len);
+     if( len > m_nBufSize - m_nReadPos )
+     {
+-        assert(false);
++        SAL_WARN("lwp", "read request longer than buffer");
+         len = m_nBufSize - m_nReadPos;
+     }
+     if( m_pContentBuf && len)
+-- 
+2.1.4
+
+From 4070e18e6da9bfb40086c8a2e77bab9dc1a9bc03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 11:28:52 +0000
+Subject: [PATCH 2/2] guard against corrupt RootData
+
+Change-Id: Iad2788a7e5e7ee3b3107eab37cde2d3d38eae005
+(cherry picked from commit fc943ea85a7924ce0552b08eef99ed8e02f0b965)
+Reviewed-on: https://gerrit.libreoffice.org/20496
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx  | 5 ++++-
+ lotuswordpro/source/filter/lwptabrack.cxx | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+index 3cc70da..43208ab 100644
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -154,7 +154,10 @@ void LwpIndexManager::ReadRootData(LwpObjectStream* pObjStrm)
+     sal_uInt16 KeyCount = pObjStrm->QuickReaduInt16();
+     m_nLeafCount = KeyCount ? KeyCount + 1 : 0;
+ 
+-    if(KeyCount)
++    if (m_nLeafCount > SAL_N_ELEMENTS(m_ChildIndex))
++        throw std::range_error("corrupt RootData");
++
++    if (KeyCount)
+     {
+         //read object keys
+         LwpKey* akey = new LwpKey();
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+index ab8ab3c..c288bb0 100644
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -90,7 +90,7 @@ void LwpTabRack::Read()
+ 
+     m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+     if (m_nNumTabs > MaxTabs)
+-        throw std::out_of_range("corrupt LwpTabRack");
++        throw std::range_error("corrupt LwpTabRack");
+     for (int i=0; i<m_nNumTabs; ++i)
+     {
+         m_aTabs[i].Read(m_pObjStrm);
+-- 
+2.1.4
+
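Review bot: In `LwpIndexManager::ReadObjIndexData` the switch to `m_TempVec.at(k)` reports a bad index as `std::out_of_range`, while the explicit guards in this series throw `std::range_error` (patch 2/2 even changes `LwpTabRack::Read()` to that type). The two types do not share a base below `std::exception`, so if the import code catches `std::runtime_error` or `std::range_error` specifically — the catch site is not visible here — the `at()` failure would escape it. An explicit check before the loop keeps the series uniform: `if (LeafCount > m_TempVec.size()) throw std::range_error("corrupt ObjIndexData");`. The `vObjIndexs[k]` store on the context line just above still uses unchecked `operator[]`; its loop bound is outside the hunk and should be confirmed.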
diff --git a/patches/series b/patches/series
index daad6bc..2a5c78b 100644
--- a/patches/series
+++ b/patches/series
@@ -41,3 +41,7 @@ CVE-2015-4551.diff
 ww8dontwrap.diff
 coverity-1266485.diff
 pStatus-vector-offsets.diff
+V-1lp8t84lh4.diff
+V-a7vjdei7l7.diff
+V-mgylorku1q.diff
+V-pxk0pgyk9d.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git

