download.lst | 6 +- external/libxml2/ExternalPackage_libxml2.mk | 2 external/libxml2/libxml2-android.patch | 6 +- external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch | 29 +++++++++ external/zlib/UnpackedTarball_zlib.mk | 7 ++ external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch | 32 +++++++++++ sc/source/core/tool/interpr7.cxx | 2 test/source/xmltesttools.cxx | 2 unoxml/source/xpath/xpathobject.cxx | 2 9 files changed, 80 insertions(+), 8 deletions(-)
New commits: commit 67aa6a4706bed9fc29d6162e93619c8e92ea774f Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Sep 14 11:10:57 2022 +0200 Commit: Thorsten Behrens <thorsten.behr...@allotropia.de> CommitDate: Thu Sep 15 09:13:54 2022 +0200 zlib: add patch for CVE-2022-37434 Change-Id: If09c419ba00fc9be021249e4d4da27d1650b9080 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139913 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 521e920dda79f44a0ad637b6062f3dcb574f884b) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139848 Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> diff --git a/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch b/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch new file mode 100644 index 000000000000..c5c95a92b28a --- /dev/null +++ b/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch @@ -0,0 +1,29 @@ +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler <f...@madler.net> +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7a7289749..2a3c4fe98 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/external/zlib/UnpackedTarball_zlib.mk b/external/zlib/UnpackedTarball_zlib.mk index dd9fc1c31445..10ee74b9568a 100644 --- a/external/zlib/UnpackedTarball_zlib.mk +++ b/external/zlib/UnpackedTarball_zlib.mk @@ -16,6 +16,11 @@ $(eval $(call gb_UnpackedTarball_set_post_action,zlib,\ cp $(addsuffix .c,adler32 compress crc32 deflate inffast inflate inftrees trees zutil) x64 \ )) -$(eval $(call gb_UnpackedTarball_set_patchlevel,zlib,0)) +$(eval $(call gb_UnpackedTarball_set_patchlevel,zlib,1)) + +$(eval $(call gb_UnpackedTarball_add_patches,zlib,\ + external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch \ + external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch \ +)) # vim: set noet sw=4 ts=4: diff --git a/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch b/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch new file mode 100644 index 000000000000..dc84d3a1d385 --- /dev/null +++ b/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch @@ -0,0 +1,32 @@ +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 +From: Mark Adler <f...@madler.net> +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7be8c6366..7a7289749 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); commit 6a3e7e80131f54608a5e68189a2fca88b3ed79b8 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Sep 14 10:27:02 2022 +0200 Commit: Thorsten Behrens <thorsten.behr...@allotropia.de> CommitDate: Thu Sep 15 09:13:42 2022 +0200 libxml2: upgrade to release 2.10.2 Fixes CVE-2022-2309 Change-Id: I180218be275d3b6d38f8f74aa51c57e50d2734ee Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139911 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit d621a8839cebf96fe3ac374026f344f8e68bf011) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139847 Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> diff --git a/download.lst b/download.lst index c2cabe844f63..3af8236e81a5 100644 --- a/download.lst +++ b/download.lst @@ -162,9 +162,9 @@ export LIBWEBP_SHA256SUM := 7656532f837af5f4cec3ff6bafe552c044dc39bf453587bd5b77 export LIBWEBP_TARBALL := libwebp-1.2.2.tar.gz export XMLSEC_SHA256SUM := 52ced4943f35bd7d0818a38298c1528ca4ac8a54440fd71134a07d2d1370a262 export XMLSEC_TARBALL := xmlsec1-1.2.34.tar.gz -export LIBXML_SHA256SUM := 60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee -export LIBXML_VERSION_MICRO := 14 -export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.xz +export LIBXML_SHA256SUM := d240abe6da9c65cb1900dd9bf3a3501ccf88b3c2a1cb98317d03f272dda5b265 +export LIBXML_VERSION_MICRO := 2 +export LIBXML_TARBALL := libxml2-2.10.$(LIBXML_VERSION_MICRO).tar.xz export LIBXSLT_SHA256SUM := 8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79 export LIBXSLT_VERSION_MICRO := 35 export LIBXSLT_TARBALL := libxslt-1.1.$(LIBXSLT_VERSION_MICRO).tar.xz diff --git a/external/libxml2/ExternalPackage_libxml2.mk b/external/libxml2/ExternalPackage_libxml2.mk index d38eb68df0cb..6338fb20b9df 100644 --- a/external/libxml2/ExternalPackage_libxml2.mk +++ b/external/libxml2/ExternalPackage_libxml2.mk @@ -21,7 +21,7 @@ else # COM=MSC $(eval $(call gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.dll,win32/bin.msvc/libxml2.dll)) endif else # OS!=WNT -$(eval $(call gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.$(LIBXML_VERSION_MICRO))) +$(eval $(call gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.10.$(LIBXML_VERSION_MICRO))) endif endif # DISABLE_DYNLOADING diff --git a/external/libxml2/libxml2-android.patch b/external/libxml2/libxml2-android.patch index 42af83274026..acf9b17e02db 100644 --- a/external/libxml2/libxml2-android.patch +++ b/external/libxml2/libxml2-android.patch @@ -2,9 +2,9 @@ +++ misc/build/libxml2-2.7.6/Makefile.in @@ -1635,7 +1635,7 @@ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-recursive --all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) \ + $(MAKE) $(AM_MAKEFLAGS) check-local + check: check-recursive +-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(SCRIPTS) $(DATA) \ +all-am: Makefile $(LTLIBRARIES) \ config.h install-binPROGRAMS: install-libLTLIBRARIES diff --git a/sc/source/core/tool/interpr7.cxx b/sc/source/core/tool/interpr7.cxx index 315afed32284..352c7cf70e45 100644 --- a/sc/source/core/tool/interpr7.cxx +++ b/sc/source/core/tool/interpr7.cxx @@ -219,6 +219,7 @@ void ScInterpreter::ScFilterXML() case XPATH_STRING: PushString(OUString::createFromAscii(reinterpret_cast<char*>(pXPathObj->stringval))); break; +#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED) case XPATH_POINT: PushNoValue(); break; @@ -228,6 +229,7 @@ void ScInterpreter::ScFilterXML() case XPATH_LOCATIONSET: PushNoValue(); break; +#endif case XPATH_USERS: PushNoValue(); break; diff --git a/test/source/xmltesttools.cxx b/test/source/xmltesttools.cxx index ab9e5dcff8b8..07dc1f1f59f2 100644 --- a/test/source/xmltesttools.cxx +++ b/test/source/xmltesttools.cxx @@ -148,9 +148,11 @@ OUString XmlTestTools::getXPathContent(const xmlDocUniquePtr& pXmlDoc, const OSt xmlXPathFreeObject(pXmlObj); return convertedVal; } +#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED) case XPATH_POINT: case XPATH_RANGE: case XPATH_LOCATIONSET: +#endif case XPATH_USERS: case XPATH_XSLT_TREE: xmlXPathFreeObject(pXmlObj); diff --git a/unoxml/source/xpath/xpathobject.cxx b/unoxml/source/xpath/xpathobject.cxx index b71f8b80d5cf..1184129a08db 100644 --- a/unoxml/source/xpath/xpathobject.cxx +++ b/unoxml/source/xpath/xpathobject.cxx @@ -44,12 +44,14 @@ namespace XPath return XPathObjectType_XPATH_NUMBER; case XPATH_STRING: return XPathObjectType_XPATH_STRING; +#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED) case XPATH_POINT: return XPathObjectType_XPATH_POINT; case XPATH_RANGE: return XPathObjectType_XPATH_RANGE; case XPATH_LOCATIONSET: return XPathObjectType_XPATH_LOCATIONSET; +#endif case XPATH_USERS: return XPathObjectType_XPATH_USERS; case XPATH_XSLT_TREE: