dgit.raspbian.org Git - libreoffice.git/commit

author	Stephan Bergmann <sbergman@redhat.com>
	Mon, 21 Feb 2022 10:55:21 +0000 (11:55 +0100)
committer	Bastien Roucariès <rouca@debian.org>
	Sat, 12 Aug 2023 19:58:29 +0000 (20:58 +0100)
commit	30cf2bd7329fc96fb50a9db9a4f49b785280030b
tree	7a3791a0b0aa0182af291e6ec7224954770a9621	tree \| snapshot
parent	6a282b2009a59cd96511be66118fb1980253e1fa	commit \| diff

From 5e8f64e50f97d39e83a3358697be14db03566878 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann <sbergman@redhat.com> Date: Mon, 21 Feb 2022 11:55:21 +0100 Subject: CVE-2022-38745 Avoid unnecessary empty -Djava.class.path=

Libreoffice may be configured to add an empty entry to the Java class path.
This may lead to run arbitrary Java code from the current directory.

Debian-backport: use char szSep[] = {SAL_PATHSEPARATOR,0}; for building Ostring
path separator.

Change-Id: Idcfe7321077b60381c0273910b1faeb444ef1fd8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130242
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
bug: https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745
debian-bug-security: https://security-tracker.debian.org/tracker/CVE-2022-38745

Gbp-Pq: Name 0075-From-5e8f64e50f97d39e83a3358697be14db03566878-Mon-Se.patch

jvmfwk/plugins/sunmajor/pluginlib/sunjavaplugin.cxx		diff \| blob \| history
jvmfwk/source/framework.cxx		diff \| blob \| history
jvmfwk/source/fwkbase.cxx		diff \| blob \| history