Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id
<502b8fb37ece620c9723446611a9287974ba5a0c.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1033506,
regarding bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libreoffice
Hi,
This fixes "CVE-2022-38745. Empty entry in Java class path risks
arbitrary code execution" just disclosed by Apache OpenOffice.
libreoffice 7.0.4 in bullseye (and buster, but that is EOL) also is affected.
The security team thinks this doesn't warrant a DSA and should be done
here.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878
(which is fixed in 7.2.6 and 7.3.1) backported.
Debdiff:
diff -Nru libreoffice-7.0.4/debian/changelog libreoffice-7.0.4/debian/changelog
--- libreoffice-7.0.4/debian/changelog 2022-11-27 19:37:58.000000000 +0100
+++ libreoffice-7.0.4/debian/changelog 2023-03-25 14:04:55.000000000 +0100
@@ -1,3 +1,10 @@
+libreoffice (1:7.0.4-4+deb11u6) bullseye; urgency=medium
+
+ * debian/patches/avoid-empty-java.class.path.diff: apply upstream patch
+ avoiding empty -Djava.class.path= (CVE-2022-38745)
+
+ -- Rene Engelhard <[email protected]> Sat, 25 Mar 2023 14:04:55 +0100
+
libreoffice (1:7.0.4-4+deb11u5) bullseye; urgency=medium
* debian/patches/hrk-euro-default.diff: default to EUR for .hr
diff -Nru libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
--- libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
1970-01-01 01:00:00.000000000 +0100
+++ libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
2023-03-25 14:04:55.000000000 +0100
@@ -0,0 +1,90 @@
+From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann <[email protected]>
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann <[email protected]>
+---
+ jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +++++++++++++---
+ jvmfwk/source/framework.cxx | 8 ++++++--
+ jvmfwk/source/fwkbase.cxx | 3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 29de226211f1..e55b914edf13 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
++++ b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -712,17 +712,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ // all versions below 1.5.1
+ options.emplace_back("abort", reinterpret_cast<void*>(abort_handler));
+ bool hasStackSize = false;
++#ifdef UNX
++ // Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++ // in the class path in order to have applet support:
++ OString sAddPath = getPluginJarPath(pInfo->sVendor,
pInfo->sLocation,pInfo->sVersion);
++#endif
+ for (int i = 0; i < cOptions; i++)
+ {
+ OString opt(arOptions[i].optionString);
+ #ifdef UNX
+- // Until java 1.5 we need to put a plugin.jar or javaplugin.jar
(<1.4.2)
+- // in the class path in order to have applet support:
+ if (opt.startsWith("-Djava.class.path="))
+ {
+- OString sAddPath = getPluginJarPath(pInfo->sVendor,
pInfo->sLocation,pInfo->sVersion);
+ if (!sAddPath.isEmpty())
++ {
+ opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++ sAddPath.clear();
++ }
+ }
+ #endif
+ if (opt == "-Xint") {
+@@ -767,6 +772,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ }
+ #endif
+ }
++#ifdef UNX
++ if (!sAddPath.isEmpty()) {
++ options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++ }
++#endif
+
+ std::unique_ptr<JavaVMOption[]> sarOptions(new
JavaVMOption[options.size()]);
+ for (std::vector<Option>::size_type i = 0; i != options.size(); ++i) {
+diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
+index 4163eea57b7c..8aa85082b838 100644
+--- a/jvmfwk/source/framework.cxx
++++ b/jvmfwk/source/framework.cxx
+@@ -195,8 +195,12 @@ javaFrameworkError jfw_startVM(
+ //In direct mode the options are specified by bootstrap
variables
+ //of the form UNO_JAVA_JFW_PARAMETER_1 ..
UNO_JAVA_JFW_PARAMETER_n
+ vmParams = jfw::BootParams::getVMParameters();
+- sUserClassPath =
+- "-Djava.class.path=" + jfw::BootParams::getClasspath();
++ auto const cp = jfw::BootParams::getClasspath();
++ if (!cp.isEmpty())
++ {
++ sUserClassPath =
++ "-Djava.class.path=" + cp;
++ }
+ }
+ else
+ OSL_ASSERT(false);
+diff --git a/jvmfwk/source/fwkbase.cxx b/jvmfwk/source/fwkbase.cxx
+index 0af34a443f3c..bb5df10a9c4d 100644
+--- a/jvmfwk/source/fwkbase.cxx
++++ b/jvmfwk/source/fwkbase.cxx
+@@ -460,6 +460,9 @@
+
+ sPaths = OUStringToOString(
+ sBufCP.makeStringAndClear(), osl_getThreadTextEncoding());
++ if (sPaths.isEmpty()) {
++ return "";
++ }
+
+ OString sOptionClassPath = "-Djava.class.path=" + sPaths;
+ return sOptionClassPath;
diff -Nru libreoffice-7.0.4/debian/patches/series
libreoffice-7.0.4/debian/patches/series
--- libreoffice-7.0.4/debian/patches/series 2022-11-27 19:37:58.000000000
+0100
+++ libreoffice-7.0.4/debian/patches/series 2023-03-25 14:04:55.000000000
+0100
@@ -65,3 +65,4 @@
fix-e_book_client_connect_direct_sync-sig.diff
ZDI-CAN-17859.diff
hrk-euro-default.diff
+avoid-empty-java.class.path.diff
Regards,
Rene
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.7
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.7 point release.
Regards,
Adam
--- End Message ---
