------------------------------------------------------------ revno: 2070 committer: Rene Engelhard <r...@debian.org> branch nick: debian timestamp: Thu 2010-08-19 10:21:15 +0200 message: add fix for SA40775 added: patches/SA40775.diff modified: changelog patches/series
=== modified file 'changelog' --- a/changelog 2010-08-18 20:05:11 +0000 +++ b/changelog 2010-08-19 08:21:15 +0000 @@ -1,4 +1,4 @@ -openoffice.org (1:3.2.1-6) UNRELEASED; urgency=low +openoffice.org (1:3.2.1-6) UNRELEASED; urgency=high * debian/patches/reduce-height-on-dialogs-for-netbooks.diff: add patch from ooo-build-3-2-1 branch to reduce the PDF export and Recovery @@ -7,6 +7,8 @@ (closes: #593440) * debian/patches/shift-translations.diff: some translations must be shifted in the itemlist; backported from ooo-build-3-2-1 branch (closes: #593234) + * debian/patches/SA40775.diff: fix CVE-2010-2935 and CVE-2010-2936 + aka SA40775: two buffer-overflow vulnerabilities in OpenOffice.org Impress * merge from Ubuntu (thanks Loic Minier): - Pass the same -v to "dh_makeshlibs --" (for dpkg-gensymbols) as to
=== added file 'patches/SA40775.diff' --- a/patches/SA40775.diff 1970-01-01 00:00:00 +0000 +++ b/patches/SA40775.diff 2010-08-19 08:21:15 +0000 
@@ -0,0 +1,225 @@ +--- /dev/null 2010-08-16 13:41:41.277183513 +0200 ++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/SA40775.diff 2010-08-17 18:54:25.000000000 +0200 +@@ -0,0 +1,204 @@ ++diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx ++--- sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200 +++++ sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200 ++@@ -29,6 +29,7 @@ ++ #include "precompiled_sd.hxx" ++ #include <propread.hxx> ++ #include <tools/bigint.hxx> +++#include "tools/debug.hxx" ++ #include "rtl/tencinfo.h" ++ #include "rtl/textenc.h" ++ ++@@ -90,6 +91,17 @@ ++ ++ // ----------------------------------------------------------------------- ++ +++static xub_StrLen lcl_getMaxSafeStrLen(sal_uInt32 nSize) +++{ +++ nSize -= 1; //Drop NULL terminator +++ +++ //If it won't fit in a string, clip it to the max size that does +++ if (nSize > STRING_MAXLEN) +++ nSize = STRING_MAXLEN; +++ +++ return nSize; +++} +++ ++ BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign ) ++ { ++ sal_uInt32 i, nItemSize, nType, nItemPos; ++@@ -108,36 +120,43 @@ ++ { ++ case VT_LPSTR : ++ { ++- if ( (sal_uInt16)nItemSize ) +++ if ( nItemSize ) ++ { ++- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ]; ++- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 ) +++ try ++ { ++- nItemSize >>= 1; ++- if ( (sal_uInt16)nItemSize > 1 ) +++ sal_Char* pString = new sal_Char[ nItemSize ]; +++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 ) ++ { ++- sal_Unicode* pWString = (sal_Unicode*)pString; ++- for ( i = 0; i < (sal_uInt16)nItemSize; i++ ) ++- *this >> pWString[ i ]; ++- rString = String( pWString, (sal_uInt16)nItemSize - 1 ); ++- } ++- else ++- rString = String(); ++- bRetValue = sal_True; ++- } ++- else ++- { ++- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize ); ++- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 ) ++- { ++- if ( (sal_uInt16)nItemSize > 1 ) ++- rString = String( ByteString( pString ), mnTextEnc ); +++ nItemSize 
>>= 1; +++ if ( nItemSize > 1 ) +++ { +++ sal_Unicode* pWString = (sal_Unicode*)pString; +++ for ( i = 0; i < nItemSize; i++ ) +++ *this >> pWString[ i ]; +++ rString = String( pWString, lcl_getMaxSafeStrLen(nItemSize) ); +++ } ++ else ++ rString = String(); ++ bRetValue = sal_True; ++ } +++ else +++ { +++ SvMemoryStream::Read( pString, nItemSize ); +++ if ( pString[ nItemSize - 1 ] == 0 ) +++ { +++ if ( nItemSize > 1 ) +++ rString = String( ByteString( pString ), mnTextEnc ); +++ else +++ rString = String(); +++ bRetValue = sal_True; +++ } +++ } +++ delete[] pString; ++ } ++- delete[] pString; +++ catch( const std::bad_alloc& ) +++ { +++ DBG_ERROR( "sd PropItem::Read bad alloc" ); +++ } ++ } ++ if ( bAlign ) ++ SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align ++@@ -148,18 +167,25 @@ ++ { ++ if ( nItemSize ) ++ { ++- sal_Unicode* pString = new sal_Unicode[ (sal_uInt16)nItemSize ]; ++- for ( i = 0; i < (sal_uInt16)nItemSize; i++ ) ++- *this >> pString[ i ]; ++- if ( pString[ i - 1 ] == 0 ) +++ try ++ { ++- if ( (sal_uInt16)nItemSize > 1 ) ++- rString = String( pString, (sal_uInt16)nItemSize - 1 ); ++- else ++- rString = String(); ++- bRetValue = sal_True; +++ sal_Unicode* pString = new sal_Unicode[ nItemSize ]; +++ for ( i = 0; i < nItemSize; i++ ) +++ *this >> pString[ i ]; +++ if ( pString[ i - 1 ] == 0 ) +++ { +++ if ( (sal_uInt16)nItemSize > 1 ) +++ rString = String( pString, lcl_getMaxSafeStrLen(nItemSize) ); +++ else +++ rString = String(); +++ bRetValue = sal_True; +++ } +++ delete[] pString; ++ } ++- delete[] pString; +++ catch( const std::bad_alloc& ) +++ { +++ DBG_ERROR( "sd PropItem::Read bad alloc" ); +++ } ++ } ++ if ( bAlign && ( nItemSize & 1 ) ) ++ SeekRel( 2 ); // dword align ++@@ -349,24 +375,31 @@ ++ for ( sal_uInt32 i = 0; i < nDictCount; i++ ) ++ { ++ aStream >> nId >> nSize; ++- if ( (sal_uInt16)nSize ) +++ if ( nSize ) ++ { ++ String aString; ++ nPos = aStream.Tell(); ++- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ]; ++- 
aStream.Read( pString, (sal_uInt16)nSize ); ++- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 ) +++ try ++ { ++- nSize >>= 1; ++- aStream.Seek( nPos ); ++- sal_Unicode* pWString = (sal_Unicode*)pString; ++- for ( i = 0; i < (sal_uInt16)nSize; i++ ) ++- aStream >> pWString[ i ]; ++- aString = String( pWString, (sal_uInt16)nSize - 1 ); +++ sal_Char* pString = new sal_Char[ nSize ]; +++ aStream.Read( pString, nSize ); +++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 ) +++ { +++ nSize >>= 1; +++ aStream.Seek( nPos ); +++ sal_Unicode* pWString = (sal_Unicode*)pString; +++ for ( i = 0; i < nSize; i++ ) +++ aStream >> pWString[ i ]; +++ aString = String( pWString, lcl_getMaxSafeStrLen(nSize) ); +++ } +++ else +++ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc ); +++ delete[] pString; ++ } ++- else ++- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc ); ++- delete[] pString; +++ catch( const std::bad_alloc& ) +++ { +++ DBG_ERROR( "sd Section::GetDictionary bad alloc" ); +++ } ++ if ( !aString.Len() ) ++ break; ++ aDict.AddProperty( nId, aString ); ++@@ -502,6 +502,11 @@ ++ } ++ if ( nPropSize ) ++ { +++ if ( nPropSize > nStrmSize ) +++ { +++ nPropCount = 0; +++ break; +++ } ++ pStrm->Seek( nPropOfs + nSecOfs ); ++ // make sure we don't overflow the section size ++ if( nPropSize > nSecSize - nSecOfs ) ++diff -r 5b1ceed28385 tools/source/generic/poly.cxx ++--- tools/source/generic/poly.cxx Fri Aug 06 14:53:07 2010 +0200 +++++ tools/source/generic/poly.cxx Mon Aug 09 14:04:21 2010 +0200 ++@@ -243,6 +243,11 @@ ++ void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly ) ++ { ++ const ULONG nSpaceSize = nSpace * sizeof( Point ); +++ +++ //Can't fit this in :-(, throw ? 
+++ if (mnPoints + nSpace > USHRT_MAX) +++ return; +++ ++ const USHORT nNewSize = mnPoints + nSpace; ++ ++ if( nPos >= mnPoints ) ++ +--- openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply 2010-08-17 18:59:01.000000000 +0200 ++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply 2010-08-17 18:59:19.000000000 +0200 +@@ -19,7 +19,7 @@ + PopupRemoval, LinkWarningDlg, InternalCairo, Lockdown, \ + FedoraCommonFixes, InternalMesaHeaders, LayoutDialogs, Fuzz, \ + CalcRowLimit, Gcc44, Gcc45, BuildFix, WriterDocComparison, \ +- OptionalIconThemes, Toolbars, MySQL, BorderTypes ++ OptionalIconThemes, Toolbars, MySQL, BorderTypes, Security + + LinuxCommon : Common, Defaults, TangoIcons, FontConfigTemporaryHacks, \ + FedoraLinuxOnlyFixes, LinuxOnly, SystemBits, \ +@@ -4070,3 +4070,6 @@ + + [ OpenGLTransitions ] + transogl-transitions-newsflash-pptin.diff ++ ++[ Security ] ++SA40775.diff === modified file 'patches/series' --- a/patches/series 2010-08-18 20:05:11 +0000 +++ b/patches/series 2010-08-19 08:21:15 +0000 @@ -8,3 +8,4 @@ reduce-height-on-dialogs-for-netbooks.diff regcomp-fix-spelling.diff shift-translations.diff +SA40775.diff
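Review bot: `lcl_getMaxSafeStrLen` runs `nSize -= 1` without checking for zero, so a call with 0 wraps around and is then clipped to `STRING_MAXLEN` instead of giving an empty length. The UCS2 branch of the dictionary-reading hunk (the one whose `DBG_ERROR` names `Section::GetDictionary`) can reach that case: it does `nSize >>= 1` and then `String( pWString, lcl_getMaxSafeStrLen(nSize) )` with no `nSize > 1` guard like the one `PropItem::Read` keeps, so a record size of 1 would pass a maximal length over a one-byte allocation. I would add `if ( nSize == 0 ) return 0;` ahead of the decrement, with a comment such as `// nSize includes the terminator; 0 or 1 yields an empty string`. Separately, the new early `return` in `ImplPolygon::ImplSplit` fails silently from a `void` function, as its own `throw ?` comment hints. Its callers are outside this patch, so it should be confirmed that none of them go on to write the points they asked room for.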