unoconv: add CVE-2019-17400 patch

2019-10-29 00:52:47 +00:00 · 2019-10-29 00:52:47 +00:00 · 72de297707
parent 4853db22a0
commit 72de297707
2 changed files with 119 additions and 2 deletions
--- a/srcpkgs/unoconv/patches/0001-change-default-updateDocMode-behavior-and-add-new-op.patch
+++ b/srcpkgs/unoconv/patches/0001-change-default-updateDocMode-behavior-and-add-new-op.patch
@ -0,0 +1,117 @@
 From 3351c5e5eef88690ed860bfee99d905202518a22 Mon Sep 17 00:00:00 2001
 From: Samuel Erb <samrerb@erbbysam.com>
 Date: Tue, 17 Sep 2019 12:22:12 -0400
 Subject: [PATCH] change default updateDocMode behavior and add new option to
 keep old behavior (#510)
 ---
 unoconv | 51 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 21 deletions(-)
 diff --git a/unoconv b/unoconv
 index f844d0f..762dc85 100755
 --- unoconv
 +++ unoconv
@@ -543,6 +543,8 @@ class Options:
         self.template = None
         self.timeout = 6
         self.verbose = 0
 +        self.userProfile = None
 +        self.updateDocMode = NO_UPDATE
         self.setprinter = False
         self.paperformat = None
@@ -555,8 +557,8 @@ class Options:
                 ['connection=', 'debug', 'doctype=', 'export=', 'field=', 'format=',
                  'help', 'import=', 'import-filter-name=', 'listener', 'meta=', 'no-launch',
                  'output=', 'outputpath', 'password=', 'pipe=', 'port=', 'preserve',
 -                 'server=', 'timeout=', 'show', 'stdin', 'stdout', 'template', 'printer=',
 -                 'verbose', 'version'] )
 +                 'server=', 'timeout=', 'user-profile=', 'show', 'stdin',
 +                 'stdout', 'template', 'printer=', 'unsafe-quiet-update', 'verbose', 'version'] )
         except getopt.error as exc:
             print('unoconv: %s, try unoconv -h for a list of all the options' % str(exc))
             sys.exit(255)
@@ -646,6 +648,10 @@ class Options:
                 self.template = arg
             elif opt in ['-T', '--timeout']:
                 self.timeout = int(arg)
 +            elif opt in ['--unsafe-quiet-update']:
 +                # ref https://www.openoffice.org/api/docs/common/ref/com/sun/star/document/UpdateDocMode.html
 +                print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.')
 +                self.updateDocMode = QUIET_UPDATE
             elif opt in ['-v', '--verbose']:
                 self.verbose = self.verbose + 1
             elif opt in ['-V', '--version']:
@@ -760,6 +766,7 @@ unoconv options:
       --stdout                        write output to stdout
   -t, --template=file                 import the styles from template (.ott)
   -T, --timeout=secs                  timeout after secs if connection to listener fails
 +      --unsafe-quiet-update           allow rendered document to fetch external resources (Warning: this is unsafe with untrusted input)
   -v, --verbose                       be more and more verbose (-vvv for debugging)
       --version                       display version number of unoconv, OOo/LO and platform details
   -P, --printer                       printer options
@@ -930,7 +937,7 @@ class Convertor:
             phase = "import"
             ### Load inputfile
 -            inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=QUIET_UPDATE)
 +            inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=op.updateDocMode)
             if op.password:
                 inputprops += UnoProps(Password=op.password)
@@ -983,23 +990,25 @@ class Convertor:
 #            except AttributeError:
 #                pass
 -            ### Update document links
 -            phase = "update-links"
 -            try:
 -                document.updateLinks()
 -                # Found that when converting HTML files with external images, OO would only load five or six of
 -                # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
 -                # through all the image references in the document seems to force OO to actually load them. Found
 -                # some helpful guidance in this thread:
 -                # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
 -                # Ideally we would like to have the option to embed the images into the document, but I have not been
 -                # able to figure out how to do this yet.
 -                graphObjs = document.GraphicObjects
 -                for i in range(0, graphObjs.getCount()):
 -                    graphObj = graphObjs.getByIndex(i)
 -            except AttributeError:
 -                # the document doesn't implement the XLinkUpdate interface
 -                pass
 +            ### Update document links if appropriate
 +            if op.updateDocMode != NO_UPDATE:
 +                phase = "update-links"
 +                try:
 +                    document.updateLinks()
 +                    # Found that when converting HTML files with external images, OO would only load five or six of
 +                    # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
 +                    # through all the image references in the document seems to force OO to actually load them. Found
 +                    # some helpful guidance in this thread:
 +                    # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
 +                    # Ideally we would like to have the option to embed the images into the document, but I have not been
 +                    # able to figure out how to do this yet.
 +                    if op.updatehtmllinks:
 +                        graphObjs = document.GraphicObjects
 +                        for i in range(0, graphObjs.getCount()):
 +                            graphObj = graphObjs.getByIndex(i)
 +                except AttributeError:
 +                    # the document doesn't implement the XLinkUpdate interface
 +                    pass
             ### Add/Replace variables
             phase = "replace-fields"
@@ -1347,7 +1356,7 @@ if __name__ == '__main__':
     ### Now that we have found a working pyuno library, let's import some classes
     from com.sun.star.beans import PropertyValue
     from com.sun.star.connection import NoConnectException
 -    from com.sun.star.document.UpdateDocMode import QUIET_UPDATE
 +    from com.sun.star.document.UpdateDocMode import NO_UPDATE, QUIET_UPDATE
     from com.sun.star.lang import DisposedException, IllegalArgumentException
     from com.sun.star.io import IOException, XOutputStream
     from com.sun.star.script import CannotConvertException
 -- 
 2.23.0
--- a/srcpkgs/unoconv/template
+++ b/srcpkgs/unoconv/template
@ -1,14 +1,14 @@
 # Template file for 'unoconv'
 pkgname=unoconv
 version=0.8.2
-revision=1
+revision=2
 archs=noarch
 build_style=gnu-makefile
 hostmakedepends="asciidoc git"
 depends="python"
 short_desc="Convert between document formats supported by LibreOffice/OpenOffice"
 maintainer="Antonio Malcolm <antonio@antoniomalcolm.com>"
-license="GPL-2"
+license="GPL-2.0-only"
 homepage="https://github.com/dagwieers/unoconv"
 distfiles="${homepage}/archive/${version}.tar.gz>${pkgname}-${version}.tar.gz"
 checksum=5381c0338d50e9b05cd30f8724b796e3bf426e9dde3d51169b3511de22de14a6