[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1033506: marked as done (bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6)

Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1033506,
regarding bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033506
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libreoffice@packages.debian.org
Control: affects -1 + src:libreoffice

Hi,

This fixes "CVE-2022-38745. Empty entry in Java class path risks
arbitrary code execution" just disclosed by Apache OpenOffice.

libreoffice 7.0.4 in bullseye (and buster, but that is EOL) also is affected.

The security team thinks this doesn't warrant a DSA and should be done
here.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878
(which is fixed in  7.2.6 and 7.3.1) backported.

Debdiff:

diff -Nru libreoffice-7.0.4/debian/changelog libreoffice-7.0.4/debian/changelog
--- libreoffice-7.0.4/debian/changelog	2022-11-27 19:37:58.000000000 +0100
+++ libreoffice-7.0.4/debian/changelog	2023-03-25 14:04:55.000000000 +0100
@@ -1,3 +1,10 @@
+libreoffice (1:7.0.4-4+deb11u6) bullseye; urgency=medium
+
+  * debian/patches/avoid-empty-java.class.path.diff: apply upstream patch
+    avoiding empty -Djava.class.path= (CVE-2022-38745)
+
+ -- Rene Engelhard <rene@debian.org>  Sat, 25 Mar 2023 14:04:55 +0100
+
 libreoffice (1:7.0.4-4+deb11u5) bullseye; urgency=medium

   * debian/patches/hrk-euro-default.diff: default to EUR for .hr
diff -Nru libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
--- libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff	1970-01-01 01:00:00.000000000 +0100
+++ libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff	2023-03-25 14:04:55.000000000 +0100
@@ -0,0 +1,90 @@
+From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <sbergman@redhat.com>
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
+---
+ jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
+ jvmfwk/source/framework.cxx                         |  8 ++++++--
+ jvmfwk/source/fwkbase.cxx                           |  3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 29de226211f1..e55b914edf13 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
++++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -712,17 +712,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+     // all versions below 1.5.1
+     options.emplace_back("abort", reinterpret_cast<void*>(abort_handler));
+     bool hasStackSize = false;
++#ifdef UNX
++    // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++    // in the class path in order to have applet support:
++    OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
++#endif
+     for (int i = 0; i < cOptions; i++)
+     {
+         OString opt(arOptions[i].optionString);
+ #ifdef UNX
+-        // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
+-        // in the class path in order to have applet support:
+         if (opt.startsWith("-Djava.class.path="))
+         {
+-            OString sAddPath = getPluginJarPath(pInfo->sVendor, pInfo->sLocation,pInfo->sVersion);
+             if (!sAddPath.isEmpty())
++            {
+                 opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++                sAddPath.clear();
++            }
+         }
+ #endif
+         if (opt == "-Xint") {
+@@ -767,6 +772,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+         }
+ #endif
+     }
++#ifdef UNX
++    if (!sAddPath.isEmpty()) {
++        options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++    }
++#endif
+
+     std::unique_ptr<JavaVMOption[]> sarOptions(new JavaVMOption[options.size()]);
+     for (std::vector<Option>::size_type i = 0; i != options.size(); ++i) {
+diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
+index 4163eea57b7c..8aa85082b838 100644
+--- a/jvmfwk/source/framework.cxx
++++ b/jvmfwk/source/framework.cxx
+@@ -195,8 +195,12 @@ javaFrameworkError jfw_startVM(
+                 //In direct mode the options are specified by bootstrap variables
+                 //of the form UNO_JAVA_JFW_PARAMETER_1 .. UNO_JAVA_JFW_PARAMETER_n
+                 vmParams = jfw::BootParams::getVMParameters();
+-                sUserClassPath =
+-                    "-Djava.class.path=" + jfw::BootParams::getClasspath();
++                auto const cp = jfw::BootParams::getClasspath();
++                if (!cp.isEmpty())
++                {
++                    sUserClassPath =
++                        "-Djava.class.path=" + cp;
++                }
+             }
+             else
+                 OSL_ASSERT(false);
+diff --git a/jvmfwk/source/fwkbase.cxx b/jvmfwk/source/fwkbase.cxx
+index 0af34a443f3c..bb5df10a9c4d 100644
+--- a/jvmfwk/source/fwkbase.cxx
++++ b/jvmfwk/source/fwkbase.cxx
+@@ -460,6 +460,9 @@
+
+     sPaths = OUStringToOString(
+         sBufCP.makeStringAndClear(), osl_getThreadTextEncoding());
++    if (sPaths.isEmpty()) {
++        return "";
++    }
+
+     OString sOptionClassPath = "-Djava.class.path=" + sPaths;
+     return sOptionClassPath;
diff -Nru libreoffice-7.0.4/debian/patches/series libreoffice-7.0.4/debian/patches/series
--- libreoffice-7.0.4/debian/patches/series	2022-11-27 19:37:58.000000000 +0100
+++ libreoffice-7.0.4/debian/patches/series	2023-03-25 14:04:55.000000000 +0100
@@ -65,3 +65,4 @@
 fix-e_book_client_connect_direct_sync-sig.diff
 ZDI-CAN-17859.diff
 hrk-euro-default.diff
+avoid-empty-java.class.path.diff

Regards,

Rene

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
Reply to: