From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001 From: Stephan...
author Stephan Bergmann <sbergman@redhat.com>
Mon, 21 Feb 2022 10:55:21 +0000 (11:55 +0100)
committer Bastien Roucariès <rouca@debian.org>
Fri, 29 Dec 2023 09:39:36 +0000 (09:39 +0000)
commit 18b015b56b5d96938c8fb6c6835dd3ac5d889181
tree 4ecaf6d8d1046a4661f0982d97ab760dc997e1df
parent 4d074aa134cb09673ec5b5e24431c151caf7c3d1
From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Mon, 21 Feb 2022 11:55:21 +0100
Subject: CVE-2022-38745 Avoid unnecessary empty -Djava.class.path=

LibreOffice may be configured to add an empty entry to the Java class path.
This may lead to running arbitrary Java code from the current directory.

Debian-backport: use char szSep[] = {SAL_PATHSEPARATOR,0}; for building Ostring
path separator.

Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
bug: https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745
debian-bug-security: https://security-tracker.debian.org/tracker/CVE-2022-38745

Gbp-Pq: Name 0075-From-5e8f64e50f97d39e83a3358697be14db03566878-Mon-Se.patch
jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx
jvmfwk/source/framework.cxx
jvmfwk/source/fwkbase.cxx
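
The hardening idea named in the subject line, as an added example that is not LibreOffice's code and not taken from this patch: drop empty class path entries and pass no `-Djava.class.path=` option at all when nothing remains. The function names, the `:` separator and the sample paths are assumptions made for this illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Assumption for this example: POSIX ':' as the path-list separator
// (the backport note on this page refers to SAL_PATHSEPARATOR).
constexpr char kPathSep = ':';

// Split a class path on the separator, keeping empty fields so they can be seen.
std::vector<std::string> splitClassPath(const std::string& cp) {
    std::vector<std::string> out;
    std::string::size_type start = 0;
    for (;;) {
        const auto pos = cp.find(kPathSep, start);
        if (pos == std::string::npos) {
            out.push_back(cp.substr(start));
            return out;
        }
        out.push_back(cp.substr(start, pos - start));
        start = pos + 1;
    }
}

// True if the class path is empty or has a leading, trailing or doubled separator.
bool hasEmptyEntry(const std::string& cp) {
    for (const auto& entry : splitClassPath(cp))
        if (entry.empty()) return true;
    return false;
}

// Join configured parts into one JVM option, dropping empty entries.
// Returns "" when nothing is left, so the caller passes no option at all.
std::string buildClassPathOption(const std::vector<std::string>& parts) {
    std::string joined;
    for (const auto& part : parts)
        for (const auto& entry : splitClassPath(part)) {
            if (entry.empty()) continue;
            if (!joined.empty()) joined += kPathSep;
            joined += entry;
        }
    return joined.empty() ? std::string() : "-Djava.class.path=" + joined;
}

int main() {
    // Constructed sample input: an unset setting and a value with stray separators.
    const std::vector<std::string> parts = {"/opt/app/a.jar", "", ":/opt/app/b.jar:"};
    std::cout << buildClassPathOption(parts) << "\n";
    std::cout << std::boolalpha << hasEmptyEntry("/opt/app/a.jar:") << "\n";
}
```

`hasEmptyEntry` can also be run over an already assembled class path value as an audit check for configurations that still carry an empty entry.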