download.lst | 6 +-
external/libxml2/ExternalPackage_libxml2.mk | 2
external/libxml2/libxml2-android.patch | 6 +-
external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch | 29 +++++++++
external/zlib/UnpackedTarball_zlib.mk | 7 ++
external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch | 32 +++++++++++
sc/source/core/tool/interpr7.cxx | 2
test/source/xmltesttools.cxx | 2
unoxml/source/xpath/xpathobject.cxx | 2
9 files changed, 80 insertions(+), 8 deletions(-)
New commits:
commit 67aa6a4706bed9fc29d6162e93619c8e92ea774f
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Sep 14 11:10:57 2022 +0200
Commit: Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Thu Sep 15 09:13:54 2022 +0200
zlib: add patch for CVE-2022-37434
Change-Id: If09c419ba00fc9be021249e4d4da27d1650b9080
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139913
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 521e920dda79f44a0ad637b6062f3dcb574f884b)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139848
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
diff --git a/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch
b/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch
new file mode 100644
index 000000000000..c5c95a92b28a
--- /dev/null
+++ b/external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch
@@ -0,0 +1,29 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <f...@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
diff --git a/external/zlib/UnpackedTarball_zlib.mk
b/external/zlib/UnpackedTarball_zlib.mk
index dd9fc1c31445..10ee74b9568a 100644
--- a/external/zlib/UnpackedTarball_zlib.mk
+++ b/external/zlib/UnpackedTarball_zlib.mk
@@ -16,6 +16,11 @@ $(eval $(call gb_UnpackedTarball_set_post_action,zlib,\
cp $(addsuffix .c,adler32 compress crc32 deflate inffast inflate
inftrees trees zutil) x64 \
))
-$(eval $(call gb_UnpackedTarball_set_patchlevel,zlib,0))
+$(eval $(call gb_UnpackedTarball_set_patchlevel,zlib,1))
+
+$(eval $(call gb_UnpackedTarball_add_patches,zlib,\
+ external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch \
+ external/zlib/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch \
+))
# vim: set noet sw=4 ts=4:
diff --git a/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch
b/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch
new file mode 100644
index 000000000000..dc84d3a1d385
--- /dev/null
+++ b/external/zlib/eff308af425b67093bab25f80f1ae950166bece1.patch
@@ -0,0 +1,32 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <f...@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
++ len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
commit 6a3e7e80131f54608a5e68189a2fca88b3ed79b8
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Sep 14 10:27:02 2022 +0200
Commit: Thorsten Behrens <thorsten.behr...@allotropia.de>
CommitDate: Thu Sep 15 09:13:42 2022 +0200
libxml2: upgrade to release 2.10.2
Fixes CVE-2022-2309
Change-Id: I180218be275d3b6d38f8f74aa51c57e50d2734ee
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139911
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit d621a8839cebf96fe3ac374026f344f8e68bf011)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139847
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
diff --git a/download.lst b/download.lst
index c2cabe844f63..3af8236e81a5 100644
--- a/download.lst
+++ b/download.lst
@@ -162,9 +162,9 @@ export LIBWEBP_SHA256SUM :=
7656532f837af5f4cec3ff6bafe552c044dc39bf453587bd5b77
export LIBWEBP_TARBALL := libwebp-1.2.2.tar.gz
export XMLSEC_SHA256SUM :=
52ced4943f35bd7d0818a38298c1528ca4ac8a54440fd71134a07d2d1370a262
export XMLSEC_TARBALL := xmlsec1-1.2.34.tar.gz
-export LIBXML_SHA256SUM :=
60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee
-export LIBXML_VERSION_MICRO := 14
-export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.xz
+export LIBXML_SHA256SUM :=
d240abe6da9c65cb1900dd9bf3a3501ccf88b3c2a1cb98317d03f272dda5b265
+export LIBXML_VERSION_MICRO := 2
+export LIBXML_TARBALL := libxml2-2.10.$(LIBXML_VERSION_MICRO).tar.xz
export LIBXSLT_SHA256SUM :=
8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79
export LIBXSLT_VERSION_MICRO := 35
export LIBXSLT_TARBALL := libxslt-1.1.$(LIBXSLT_VERSION_MICRO).tar.xz
diff --git a/external/libxml2/ExternalPackage_libxml2.mk
b/external/libxml2/ExternalPackage_libxml2.mk
index d38eb68df0cb..6338fb20b9df 100644
--- a/external/libxml2/ExternalPackage_libxml2.mk
+++ b/external/libxml2/ExternalPackage_libxml2.mk
@@ -21,7 +21,7 @@ else # COM=MSC
$(eval $(call
gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.dll,win32/bin.msvc/libxml2.dll))
endif
else # OS!=WNT
-$(eval $(call
gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.$(LIBXML_VERSION_MICRO)))
+$(eval $(call
gb_ExternalPackage_add_file,libxml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.10.$(LIBXML_VERSION_MICRO)))
endif
endif # DISABLE_DYNLOADING
diff --git a/external/libxml2/libxml2-android.patch
b/external/libxml2/libxml2-android.patch
index 42af83274026..acf9b17e02db 100644
--- a/external/libxml2/libxml2-android.patch
+++ b/external/libxml2/libxml2-android.patch
@@ -2,9 +2,9 @@
+++ misc/build/libxml2-2.7.6/Makefile.in
@@ -1635,7 +1635,7 @@
$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
- check: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) check-recursive
--all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) \
+ $(MAKE) $(AM_MAKEFLAGS) check-local
+ check: check-recursive
+-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(SCRIPTS) $(DATA) \
+all-am: Makefile $(LTLIBRARIES) \
config.h
install-binPROGRAMS: install-libLTLIBRARIES
diff --git a/sc/source/core/tool/interpr7.cxx b/sc/source/core/tool/interpr7.cxx
index 315afed32284..352c7cf70e45 100644
--- a/sc/source/core/tool/interpr7.cxx
+++ b/sc/source/core/tool/interpr7.cxx
@@ -219,6 +219,7 @@ void ScInterpreter::ScFilterXML()
case XPATH_STRING:
PushString(OUString::createFromAscii(reinterpret_cast<char*>(pXPathObj->stringval)));
break;
+#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED)
case XPATH_POINT:
PushNoValue();
break;
@@ -228,6 +229,7 @@ void ScInterpreter::ScFilterXML()
case XPATH_LOCATIONSET:
PushNoValue();
break;
+#endif
case XPATH_USERS:
PushNoValue();
break;
diff --git a/test/source/xmltesttools.cxx b/test/source/xmltesttools.cxx
index ab9e5dcff8b8..07dc1f1f59f2 100644
--- a/test/source/xmltesttools.cxx
+++ b/test/source/xmltesttools.cxx
@@ -148,9 +148,11 @@ OUString XmlTestTools::getXPathContent(const
xmlDocUniquePtr& pXmlDoc, const OSt
xmlXPathFreeObject(pXmlObj);
return convertedVal;
}
+#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED)
case XPATH_POINT:
case XPATH_RANGE:
case XPATH_LOCATIONSET:
+#endif
case XPATH_USERS:
case XPATH_XSLT_TREE:
xmlXPathFreeObject(pXmlObj);
diff --git a/unoxml/source/xpath/xpathobject.cxx
b/unoxml/source/xpath/xpathobject.cxx
index b71f8b80d5cf..1184129a08db 100644
--- a/unoxml/source/xpath/xpathobject.cxx
+++ b/unoxml/source/xpath/xpathobject.cxx
@@ -44,12 +44,14 @@ namespace XPath
return XPathObjectType_XPATH_NUMBER;
case XPATH_STRING:
return XPathObjectType_XPATH_STRING;
+#if LIBXML_VERSION < 21000 || defined(LIBXML_XPTR_LOCS_ENABLED)
case XPATH_POINT:
return XPathObjectType_XPATH_POINT;
case XPATH_RANGE:
return XPathObjectType_XPATH_RANGE;
case XPATH_LOCATIONSET:
return XPathObjectType_XPATH_LOCATIONSET;
+#endif
case XPATH_USERS:
return XPathObjectType_XPATH_USERS;
case XPATH_XSLT_TREE:
