[libreoffice] 01/01: add 1:3.5.4+dfsg2-0+deb7u6 (wheezy-security) changes
This is an automated email from the git hooks/post-receive script.
rene pushed a commit to branch debian-wheezy-3.5
in repository libreoffice.
commit 70908ef7c0fc00bc4c9b765c3c1fcf5f068ed99a
Author: Rene Engelhard <rene@debian.org>
Date: Mon Mar 28 14:23:07 2016 +0200
add 1:3.5.4+dfsg2-0+deb7u6 (wheezy-security) changes
---
changelog | 15 ++++++++
patches/V-1lp8t84lh4.diff | 32 +++++++++++++++++
patches/V-a7vjdei7l7.diff | 44 +++++++++++++++++++++++
patches/V-mgylorku1q.diff | 43 ++++++++++++++++++++++
patches/V-pxk0pgyk9d.diff | 91 +++++++++++++++++++++++++++++++++++++++++++++++
patches/series | 4 +++
6 files changed, 229 insertions(+)
diff --git a/changelog b/changelog
index c83e04f..6fa9420 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,18 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high
+
+ * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
+ TabRack Buffer Overflow Vulnerability"
+ * debian/patches/V-pxk0pgyk9d.diff: fix "LibreOffice Writer Lotus Word Pro
+ 'ReadRootData' Buffer Overflow Vulnerability"
+ * debian/patches/V-mgylorku1q.diff: fix "LibreOffice Writer Lotus Word Pro
+ Bullet Buffer Overflow Vulnerability"
+ (CVE-2016-0794)
+ * debian/patches/V-a7vjdei7l7.diff: fix "LibreOffice Writer Lotus Word Pro
+ 'TocSuperLayout' Buffer Overflow Vulnerability"
+ (CVE-2016-0795)
+
+ -- Rene Engelhard <rene@debian.org> Thu, 11 Feb 2016 18:15:48 +0100
+
libreoffice (1:3.5.4+dfsg2-0+deb7u5) wheezy-security; urgency=high
* debian/patches/CVE-2015-4551.diff: backport fix for Arbritary
diff --git a/patches/V-1lp8t84lh4.diff b/patches/V-1lp8t84lh4.diff
new file mode 100644
index 0000000..ef75f58
--- /dev/null
+++ b/patches/V-1lp8t84lh4.diff
@@ -0,0 +1,32 @@
+From 3ed4715779bdd3a3d27cf34e222275c8ba092a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Tue, 8 Dec 2015 14:20:52 +0000
+Subject: [PATCH] guard against corrupt m_nNumTabs
+
+Change-Id: I41b8514a127d463ac951e5855f09416fa0456b1b
+---
+ lotuswordpro/source/filter/lwptabrack.cxx | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+index b27082c..ab8ab3c 100644
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -86,11 +86,12 @@ LwpTabRack::LwpTabRack(LwpObjectHeader objHdr, LwpSvStream* pStrm):LwpObject(obj
+
+ void LwpTabRack::Read()
+ {
+-// LwpObjectID m_NextID;
+ m_NextID.ReadIndexed(m_pObjStrm);
+
+ m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+- for( int i=0; i<m_nNumTabs; i++ )
++ if (m_nNumTabs > MaxTabs)
++ throw std::out_of_range("corrupt LwpTabRack");
++ for (int i=0; i<m_nNumTabs; ++i)
+ {
+ m_aTabs[i].Read(m_pObjStrm);
+ m_pObjStrm->SkipExtra();
+--
+2.1.4
+
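Review bot: In `LwpTabRack::Read()` the file-supplied count is stored in the member `m_nNumTabs` before it is compared with `MaxTabs`, so the object keeps the corrupt value when the guard throws. If the object outlives the exception and another member uses `m_nNumTabs` as a bound on `m_aTabs` (not visible in this hunk), the out-of-bounds access is only moved, not removed. Reading into a local first avoids that: `sal_uInt16 nNumTabs = m_pObjStrm->QuickReaduInt16();`, then `if (nNumTabs > MaxTabs) throw ...;`, then `m_nNumTabs = nNumTabs;`. The body of `Read()` continues past the end of the inner hunk.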
diff --git a/patches/V-a7vjdei7l7.diff b/patches/V-a7vjdei7l7.diff
new file mode 100644
index 0000000..c91183b
--- /dev/null
+++ b/patches/V-a7vjdei7l7.diff
@@ -0,0 +1,44 @@
+From 6dc998c084ed143ee3d5867edabbb3f7a14a453e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 10 Dec 2015 12:59:21 +0000
+Subject: [PATCH] guard against corrupt LwpTocSuperLayout
+
+Change-Id: I18648e74d16b932cfa6fbd2057d1e9987c498fd4
+---
+ lotuswordpro/source/filter/lwptoc.cxx | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptoc.cxx b/lotuswordpro/source/filter/lwptoc.cxx
+index 9808023..59926bb 100644
+--- a/lotuswordpro/source/filter/lwptoc.cxx
++++ b/lotuswordpro/source/filter/lwptoc.cxx
+@@ -106,17 +106,22 @@ void LwpTocSuperLayout::Read()
+
+ m_SearchItems.Read(m_pObjStrm);
+
+- sal_uInt16 i;
+ sal_uInt16 count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_DestName[i].Read(m_pObjStrm);
+
+ count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_DestPGName[i].Read(m_pObjStrm);
+
+ count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; i < count; i++)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_nFlags[i] = m_pObjStrm->QuickReaduInt32();
+
+ m_pObjStrm->SkipExtra();
+--
+2.1.4
+
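Review bot: All three guards in `LwpTocSuperLayout::Read()` compare `count` with `MAX_LEVELS`, but the hunk does not show that `m_DestName`, `m_DestPGName` and `m_nFlags` are each declared with that size. Tying each check to the array it protects, as the SilverBullet patch in this commit does, keeps the guard correct if a declaration ever changes, e.g. `if (count > SAL_N_ELEMENTS(m_nFlags))` for the third loop, which had no bound at all before. The first two loops used to clamp silently to `MAX_LEVELS` and now reject the document; that behaviour change deserves a line in the patch description.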
diff --git a/patches/V-mgylorku1q.diff b/patches/V-mgylorku1q.diff
new file mode 100644
index 0000000..88c2122
--- /dev/null
+++ b/patches/V-mgylorku1q.diff
@@ -0,0 +1,43 @@
+From ff22ddfa1f86429395bd735a867e71bff60d18c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 12:09:37 +0000
+Subject: [PATCH] guard against corrupt SilverBullet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 36d55980b1b3498fecc460d3c46667e5f5a17b8e)
+Reviewed-on: https://gerrit.libreoffice.org/20504
+Reviewed-by: Caolán McNamara <caolanm@redhat.com>
+Tested-by: Caolán McNamara <caolanm@redhat.com>
+(cherry picked from commit d387a99fce3f96f4fcd60c70909292255f12840f)
+
+Change-Id: I3af47ab3af5e28a865a77a592f6a92edb46e4f2b
+Reviewed-on: https://gerrit.libreoffice.org/20506
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+---
+ lotuswordpro/source/filter/lwpsilverbullet.cxx | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lotuswordpro/source/filter/lwpsilverbullet.cxx b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+index 8aad255..76e24b6 100644
+--- a/lotuswordpro/source/filter/lwpsilverbullet.cxx
++++ b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+@@ -97,7 +97,10 @@ void LwpSilverBullet::Read()
+
+ sal_uInt16 nNumPos = m_pObjStrm->QuickReaduInt16();
+
+- for (sal_uInt8 nC = 0; nC < nNumPos; nC++)
++ if (nNumPos > SAL_N_ELEMENTS(m_pResetPositionFlags))
++ throw std::range_error("corrupt SilverBullet");
++
++ for (sal_uInt16 nC = 0; nC < nNumPos; nC++)
+ m_pResetPositionFlags[nC] = m_pObjStrm->QuickReaduInt8();
+
+ m_nUseCount = m_pObjStrm->QuickReaduInt32();
+--
+2.1.4
+
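Review bot: The new guard in `LwpSilverBullet::Read()` carries no comment saying why it is there, and its message names the class differently from the sibling patches ("corrupt LwpTabRack", "corrupt LwpTocSuperLayout"). I would add `// nNumPos is read from the file; m_pResetPositionFlags is a fixed-size array` above the check and use `"corrupt LwpSilverBullet"` so the messages can be matched to a class when triaging import failures. The widening of `nC` from `sal_uInt8` to `sal_uInt16` is also worth a word in the description, since with the old 8-bit counter the loop condition `nC < nNumPos` could never become false for counts above 255.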
diff --git a/patches/V-pxk0pgyk9d.diff b/patches/V-pxk0pgyk9d.diff
new file mode 100644
index 0000000..f6d9c4c
--- /dev/null
+++ b/patches/V-pxk0pgyk9d.diff
@@ -0,0 +1,91 @@
+From eef71d6a9fdbda67affadb46534fcde4b2dbdb0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 11:56:52 +0000
+Subject: [PATCH 1/2] guard against corrupt ObjIndexData
+
+Change-Id: I214991e5d34c8e335cdd8ea482f8fa4913ba637b
+(cherry picked from commit c88a23b9d44118e96de41a70ab7f87eb0aafb126)
+Reviewed-on: https://gerrit.libreoffice.org/20502
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx | 2 +-
+ lotuswordpro/source/filter/lwpobjstrm.cxx | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+index 07ea4a1..3cc70da 100644
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -212,7 +212,7 @@ void LwpIndexManager::ReadObjIndexData(LwpObjectStream* pObjStrm)
+ vObjIndexs[k]->offset = pObjStrm->QuickReaduInt32();
+
+ for (k = 0; k < LeafCount; k++)
+- m_TempVec[k] = pObjStrm->QuickReaduInt32();
++ m_TempVec.at(k) = pObjStrm->QuickReaduInt32();
+ }
+
+ for( sal_uInt16 j=0; j<LeafCount; j++ )
+diff --git a/lotuswordpro/source/filter/lwpobjstrm.cxx b/lotuswordpro/source/filter/lwpobjstrm.cxx
+index 312ae67..cd7001f 100644
+--- a/lotuswordpro/source/filter/lwpobjstrm.cxx
++++ b/lotuswordpro/source/filter/lwpobjstrm.cxx
+@@ -170,7 +170,7 @@ sal_uInt16 LwpObjectStream::QuickRead(void* buf, sal_uInt16 len)
+ memset(buf, 0, len);
+ if( len > m_nBufSize - m_nReadPos )
+ {
+- assert(false);
++ SAL_WARN("lwp", "read request longer than buffer");
+ len = m_nBufSize - m_nReadPos;
+ }
+ if( m_pContentBuf && len)
+--
+2.1.4
+
+From 4070e18e6da9bfb40086c8a2e77bab9dc1a9bc03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 9 Dec 2015 11:28:52 +0000
+Subject: [PATCH 2/2] guard against corrupt RootData
+
+Change-Id: Iad2788a7e5e7ee3b3107eab37cde2d3d38eae005
+(cherry picked from commit fc943ea85a7924ce0552b08eef99ed8e02f0b965)
+Reviewed-on: https://gerrit.libreoffice.org/20496
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx | 5 ++++-
+ lotuswordpro/source/filter/lwptabrack.cxx | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+index 3cc70da..43208ab 100644
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -154,7 +154,10 @@ void LwpIndexManager::ReadRootData(LwpObjectStream* pObjStrm)
+ sal_uInt16 KeyCount = pObjStrm->QuickReaduInt16();
+ m_nLeafCount = KeyCount ? KeyCount + 1 : 0;
+
+- if(KeyCount)
++ if (m_nLeafCount > SAL_N_ELEMENTS(m_ChildIndex))
++ throw std::range_error("corrupt RootData");
++
++ if (KeyCount)
+ {
+ //read object keys
+ LwpKey* akey = new LwpKey();
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+index ab8ab3c..c288bb0 100644
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -90,7 +90,7 @@ void LwpTabRack::Read()
+
+ m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+ if (m_nNumTabs > MaxTabs)
+- throw std::out_of_range("corrupt LwpTabRack");
++ throw std::range_error("corrupt LwpTabRack");
+ for (int i=0; i<m_nNumTabs; ++i)
+ {
+ m_aTabs[i].Read(m_pObjStrm);
+--
+2.1.4
+
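Review bot: `m_TempVec.at(k)` in `ReadObjIndexData` reports a bad index with `std::out_of_range`, while every other guard in this series throws `std::range_error`, and patch 2/2 deliberately changes LwpTabRack from the former to the latter. The two types sit in different branches of the hierarchy (`std::logic_error` versus `std::runtime_error`), so if the import code catches only runtime errors (the handler is not visible here) a corrupt `LeafCount` would escape it. An explicit check before the loop keeps the failure type uniform: `if (LeafCount > m_TempVec.size()) throw std::range_error("corrupt ObjIndexData");`. In `ReadRootData`, `KeyCount + 1` should also be checked for wrap-around if `m_nLeafCount` is 16 bits wide, because a wrapped value of 0 would pass the new guard while `KeyCount` is still non-zero.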
diff --git a/patches/series b/patches/series
index 6a150c7..3a473f3 100644
--- a/patches/series
+++ b/patches/series
@@ -58,3 +58,7 @@ LinkUpdateMode-is-a-global-setting.diff
ww8dontwrap.diff
coverity-1266485.diff
pStatus-vector-offsets.diff
+V-1lp8t84lh4.diff
+V-a7vjdei7l7.diff
+V-mgylorku1q.diff
+V-pxk0pgyk9d.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git