Bug#1033506: bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6

2023-04-02 Thread Rene Engelhard 

Hi,

Am 01.04.23 um 20:54 schrieb Adam D. Barratt:

Control: tags -1 + confirmed

On Sun, 2023-03-26 at 14:23 +0200, Rene Engelhard wrote:

This fixes "CVE-2022-38745. Empty entry in Java class path risks
arbitrary code execution" just disclosed by Apache OpenOffice.


Please go ahead.


Uploaded.


Regards,


Rene

Bug#1033506: bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6

2023-04-01 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sun, 2023-03-26 at 14:23 +0200, Rene Engelhard wrote:
> This fixes "CVE-2022-38745. Empty entry in Java class path risks
> arbitrary code execution" just disclosed by Apache OpenOffice.
> 

Please go ahead.

Regards,

Adam

Bug#1033506: bullseye-pu: package libreoffice/1:7.0.4-4+deb11u6

2023-03-26 Thread Rene Engelhard 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libreoff...@packages.debian.org
Control: affects -1 + src:libreoffice

Hi,

This fixes "CVE-2022-38745. Empty entry in Java class path risks
arbitrary code execution" just disclosed by Apache OpenOffice.

libreoffice 7.0.4 in bullseye (and buster, but that is EOL) also is affected.

The security team thinks this doesn't warrant a DSA and should be done
here.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878
(which is fixed in  7.2.6 and 7.3.1) backported.

Debdiff:

diff -Nru libreoffice-7.0.4/debian/changelog libreoffice-7.0.4/debian/changelog
--- libreoffice-7.0.4/debian/changelog  2022-11-27 19:37:58.0 +0100
+++ libreoffice-7.0.4/debian/changelog  2023-03-25 14:04:55.0 +0100
@@ -1,3 +1,10 @@
+libreoffice (1:7.0.4-4+deb11u6) bullseye; urgency=medium
+
+  * debian/patches/avoid-empty-java.class.path.diff: apply upstream patch
+avoiding empty -Djava.class.path= (CVE-2022-38745)
+
+ -- Rene Engelhard   Sat, 25 Mar 2023 14:04:55 +0100
+
 libreoffice (1:7.0.4-4+deb11u5) bullseye; urgency=medium

   * debian/patches/hrk-euro-default.diff: default to EUR for .hr
diff -Nru libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff 
libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff
--- libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff   
1970-01-01 01:00:00.0 +0100
+++ libreoffice-7.0.4/debian/patches/avoid-empty-java.class.path.diff   
2023-03-25 14:04:55.0 +0100
@@ -0,0 +1,90 @@
+From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001
+From: Stephan Bergmann 
+Date: Mon, 21 Feb 2022 11:55:21 +0100
+Subject: Avoid unnecessary empty -Djava.class.path=
+
+Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
+Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
+Tested-by: Jenkins
+Reviewed-by: Stephan Bergmann 
+---
+ jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx | 16 +---
+ jvmfwk/source/framework.cxx |  8 ++--
+ jvmfwk/source/fwkbase.cxx   |  3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx 
b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+index 29de226211f1..e55b914edf13 100644
+--- a/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
 b/jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
+@@ -712,17 +712,22 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ // all versions below 1.5.1
+ options.emplace_back("abort", reinterpret_cast(abort_handler));
+ bool hasStackSize = false;
++#ifdef UNX
++// Until java 1.5 we need to put a plugin.jar or javaplugin.jar (<1.4.2)
++// in the class path in order to have applet support:
++OString sAddPath = getPluginJarPath(pInfo->sVendor, 
pInfo->sLocation,pInfo->sVersion);
++#endif
+ for (int i = 0; i < cOptions; i++)
+ {
+ OString opt(arOptions[i].optionString);
+ #ifdef UNX
+-// Until java 1.5 we need to put a plugin.jar or javaplugin.jar 
(<1.4.2)
+-// in the class path in order to have applet support:
+ if (opt.startsWith("-Djava.class.path="))
+ {
+-OString sAddPath = getPluginJarPath(pInfo->sVendor, 
pInfo->sLocation,pInfo->sVersion);
+ if (!sAddPath.isEmpty())
++{
+ opt += OStringChar(SAL_PATHSEPARATOR) + sAddPath;
++sAddPath.clear();
++}
+ }
+ #endif
+ if (opt == "-Xint") {
+@@ -767,6 +772,11 @@ javaPluginError jfw_plugin_startJavaVirtualMachine(
+ }
+ #endif
+ }
++#ifdef UNX
++if (!sAddPath.isEmpty()) {
++options.emplace_back("-Djava.class.path=" + sAddPath, nullptr);
++}
++#endif
+
+ std::unique_ptr sarOptions(new 
JavaVMOption[options.size()]);
+ for (std::vector::size_type i = 0; i != options.size(); ++i) {
+diff --git a/jvmfwk/source/framework.cxx b/jvmfwk/source/framework.cxx
+index 4163eea57b7c..8aa85082b838 100644
+--- a/jvmfwk/source/framework.cxx
 b/jvmfwk/source/framework.cxx
+@@ -195,8 +195,12 @@ javaFrameworkError jfw_startVM(
+ //In direct mode the options are specified by bootstrap 
variables
+ //of the form UNO_JAVA_JFW_PARAMETER_1 .. 
UNO_JAVA_JFW_PARAMETER_n
+ vmParams = jfw::BootParams::getVMParameters();
+-sUserClassPath =
+-"-Djava.class.path=" + jfw::BootParams::getClasspath();
++auto const cp = jfw::BootParams::getClasspath();
++if (!cp.isEmpty())
++