Fix the following four vulnerabilities.

CVE-2007-0002: Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities
 CVE-2007-0238: Manipulated StarCalc files can lead to arbitrary code execution
 CVE-2007-0239: Security Vulnerability in StarOffice/StarSuite URL Handler
 CVE-2007-1466: Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities
                (splitted from CVE-2007-0002)

Fixes for CVE-2007-0238 and CVE-2007-0239 from OOo 2.2.
Fixes for CVE-2007-0002 and CVE-2007-1466 by external libwpd.
Bump PKGREVISION.

misc/openoffice2/Makefile

@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.12 2007/03/23 14:18:51 hira Exp $
+# $NetBSD: Makefile,v 1.13 2007/04/01 23:50:59 hira Exp $
 #
 
 OO_VER=			2.1.0
 DISTNAME=		openoffice-${OO_VER}
 PKGNAME=		openoffice2-${OO_VER}
-PKGREVISION=		4
+PKGREVISION=		5
 CATEGORIES=		misc
 MASTER_SITES=		${MASTER_SITE_OPENOFFICE:=stable/${OO_VER}/}
 DIST_SUBDIR=		${DISTNAME}
@@ -56,6 +56,7 @@ CONFIGURE_ARGS+=	--enable-binfilter
 CONFIGURE_ARGS+=	--enable-cairo
 CONFIGURE_ARGS+=	--disable-ldap
 CONFIGURE_ARGS+=	--with-system-freetype
+CONFIGURE_ARGS+=	--with-system-libwpd
 
 # `portable' supports all platforms.
 CONFIGURE_ARGS+=	--enable-epm --with-package-format=portable
@@ -131,6 +132,7 @@ ARCH=	${MACHINE_ARCH:C/i[3-6]86/i386/g}
 .  include "Makefile.${OPSYS}.${ARCH}"
 .endif
 
+.include "../../converters/libwpd/buildlink3.mk"
 .include "../../fonts/fontconfig/buildlink3.mk"
 .include "../../graphics/MesaLib/buildlink3.mk"
 .include "../../graphics/cairo/buildlink3.mk"

misc/openoffice2/distinfo

@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2007/03/19 16:51:14 hira Exp $
+$NetBSD: distinfo,v 1.9 2007/04/01 23:50:59 hira Exp $
 
 SHA1 (openoffice-2.1.0/OOo_2.1.0_src.tar.bz2) = 9513216ae71267addf3625f5a41c3a43564da3bc
 RMD160 (openoffice-2.1.0/OOo_2.1.0_src.tar.bz2) = 11256b125fdc412480d90983b0f80f35d4833e9a
@@ -57,3 +57,11 @@ SHA1 (patch-bv) = bc035bdbc8420666a52417f2226e3e687d199e33
 SHA1 (patch-bw) = aa286260f21820a8c39812fe82ef62e56921a950
 SHA1 (patch-bx) = 9d01592c69f0ba734ff488980c475a1b768bc229
 SHA1 (patch-by) = 01ee243687c11a63a53f33d6230ad9cc5a5912ba
+SHA1 (patch-bz) = cdedf48e747d8ce4cbc97c3357b8fee86ca6d642
+SHA1 (patch-ca) = 0a037963deba73b3611d28441713ae01b83e6380
+SHA1 (patch-cb) = 219dc174e27b7240eabbeb137b6587e9f6983ea4
+SHA1 (patch-cc) = abe48ee14c5ee74ce9a21a727498b50178bec3a3
+SHA1 (patch-cd) = 9b4078f7837e3d40bcc42b0ea1a6544c390058c1
+SHA1 (patch-ce) = 2ff26e78cad7cf534441cc02d58934e44c534330
+SHA1 (patch-cf) = f1da97c325b1826842ca453bb93f3c2557524678
+SHA1 (patch-cg) = 014197270eced8d78c6fa6cea4002fcab7928f49

misc/openoffice2/patches/patch-bz

@@ -0,0 +1,37 @@
+$NetBSD: patch-bz,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0238.  This has been fixed in OOo 2.2.
+
+--- sc/source/filter/starcalc/scflt.cxx.orig	2006-12-02 02:56:27.000000000 +0900
++++ sc/source/filter/starcalc/scflt.cxx	2007-04-02 06:27:54.000000000 +0900
+@@ -4,9 +4,9 @@
+  *
+  *  $RCSfile: patch-bz,v $
+  *
+- *  $Revision: 1.1 $
++ *  $Revision: 1.1 $
+  *
+- *  last change: $Author: hira $ $Date: 2007/04/01 23:50:59 $
++ *  last change: $Author: hira $ $Date: 2007/04/01 23:50:59 $
+  *
+  *  The Contents of this file are made available subject to
+  *  the terms of GNU Lesser General Public License Version 2.1.
+@@ -1770,12 +1770,13 @@
+ 			rStream >> NoteLen;
+ 			if (NoteLen != 0)
+ 			{
+-				sal_Char Note[4096];
+-				rStream.Read(Note, NoteLen);
+-				Note[NoteLen] = 0;
+-			        String aText( SC10TOSTRING(Note));
+-			        ScPostIt aNote(aText, pDoc);
++				sal_Char* pNote = new sal_Char[NoteLen+1];
++				rStream.Read(pNote, NoteLen);
++				pNote[NoteLen] = 0;
++				String aText( SC10TOSTRING(pNote));
++				ScPostIt aNote(aText, pDoc);
+ 				pDoc->SetNote(Col, static_cast<SCROW> (Row), Tab, aNote );
++				delete [] pNote;
+ 			}
+ 		}
+ 		pPrgrsBar->Progress();

misc/openoffice2/patches/patch-ca

@@ -0,0 +1,13 @@
+$NetBSD: patch-ca,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/misc/cde-open-url.sh.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/misc/cde-open-url.sh	2007-01-19 22:07:09.000000000 +0900
+@@ -58,5 +58,5 @@
+ fi
+ 
+ if [ -z "$TMPFILE" ]; then exit 1; fi
+-( echo $1 > "$TMPFILE"; dtaction Open "$TMPFILE"; rm -f "$TMPFILE" ) &
++( echo "$1" > "$TMPFILE"; dtaction Open "$TMPFILE"; rm -f "$TMPFILE" ) &
+ exit 0

misc/openoffice2/patches/patch-cb

@@ -0,0 +1,14 @@
+$NetBSD: patch-cb,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/misc/gnome-open-url.sh.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/misc/gnome-open-url.sh	2007-01-19 22:07:22.000000000 +0900
+@@ -50,6 +50,6 @@
+ esac
+ 
+ # use gnome-open utility coming with libgnome if available
+-gnome-open $1 2>/dev/null || "$0.bin" $1
++gnome-open "$1" 2>/dev/null || "$0.bin" $1
+ 
+ exit 0

misc/openoffice2/patches/patch-cc

@@ -0,0 +1,18 @@
+$NetBSD: patch-cc,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/misc/kde-open-url.sh.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/misc/kde-open-url.sh	2007-01-19 22:07:36.000000000 +0900
+@@ -51,9 +51,9 @@
+ 
+ # special handling for mailto: uris
+ if echo $1 | grep '^mailto:' > /dev/null; then
+-  kmailservice $1 &
++  kmailservice "$1" &
+ else
+-  kfmclient openURL $1 &
++  kfmclient openURL "$1" &
+ fi
+ 
+ exit 0

misc/openoffice2/patches/patch-cd

@@ -0,0 +1,44 @@
+$NetBSD: patch-cd,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/misc/open-url.sh.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/misc/open-url.sh	2007-01-19 22:07:49.000000000 +0900
+@@ -96,15 +96,15 @@
+ # special handling for mailto: uris
+ if echo $1 | grep '^mailto:' > /dev/null; then
+   # check $MAILER variable
+-  if [ $MAILER ]; then
+-    $MAILER $1 &
++  if [ ! -z "$MAILER" ]; then
++    $MAILER "$1" &
+     exit 0
+   else
+     # mozilla derivates may need -remote semantics
+     for i in thunderbird mozilla netscape; do
+       mailer=`which $i`
+       if [ ! -z "$mailer" ]; then
+-        run_mozilla $mailer $1
++        run_mozilla "$mailer" "$1"
+         exit 0
+       fi
+     done
+@@ -113,15 +113,15 @@
+   fi
+ else
+   # check $BROWSER variable
+-  if [ $BROWSER ]; then
+-    $BROWSER $1 &
++  if [ ! -z "$BROWSER" ]; then
++    $BROWSER "$1" &
+     exit 0
+   else
+     # mozilla derivates may need -remote semantics
+     for i in firefox mozilla netscape; do
+       browser=`which $i`
+       if [ ! -z "$browser" ]; then
+-        run_mozilla $browser $1
++        run_mozilla "$browser" "$1"
+         exit 0
+       fi
+     done

misc/openoffice2/patches/patch-ce

@@ -0,0 +1,24 @@
+$NetBSD: patch-ce,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- scp2/source/ooo/file_ooo.scp.orig	2007-04-02 07:02:55.000000000 +0900
++++ scp2/source/ooo/file_ooo.scp	2007-04-02 07:05:41.000000000 +0900
+@@ -347,7 +347,7 @@
+     BIN_FILE_BODY;
+     Dir = gid_Dir_Program;
+     Name = "gnome-open-url";
+-    Styles = (PACKED);
++    Styles = (PACKED, PATCH);
+ End
+ 
+ File gid_File_Bin_Gnome_Open_Url_Bin
+@@ -361,7 +361,7 @@
+     BIN_FILE_BODY;
+     Dir = gid_Dir_Program;
+     Name = "kde-open-url";
+-    Styles = (PACKED);
++    Styles = (PACKED, PATCH);
+ End
+ 
+ File gid_File_Bin_Cde_Open_Url

misc/openoffice2/patches/patch-cf

@@ -0,0 +1,38 @@
+$NetBSD: patch-cf,v 1.1 2007/04/01 23:50:59 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/exec/shellexec.hxx.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/exec/shellexec.hxx	2007-01-19 22:06:24.000000000 +0900
+@@ -4,9 +4,9 @@
+  *
+  *  $RCSfile: patch-cf,v $
+  *
+- *  $Revision: 1.1 $
++ *  $Revision: 1.1 $
+  *
+- *  last change: $Author: hira $ $Date: 2007/04/01 23:50:59 $
++ *  last change: $Author: hira $ $Date: 2007/04/01 23:50:59 $
+  *
+  *  The Contents of this file are made available subject to
+  *  the terms of GNU Lesser General Public License Version 2.1.
+@@ -44,6 +44,10 @@
+ #include <osl/mutex.hxx>
+ #endif
+ 
++#ifndef _RTL_STRBUF_HXX_
++#include <rtl/strbuf.hxx>
++#endif
++
+ #ifndef _COM_SUN_STAR_LANG_XSERVICEINFO_HPP_
+ #include <com/sun/star/lang/XServiceInfo.hpp>
+ #endif
+@@ -90,4 +94,8 @@
+         throw(::com::sun::star::uno::RuntimeException);    
+ }; 
+ 
++
++// helper function - needed for urltest
++void escapeForShell( rtl::OStringBuffer & rBuffer, const rtl::OString & rURL);
++
+ #endif 

misc/openoffice2/patches/patch-cg

@@ -0,0 +1,87 @@
+$NetBSD: patch-cg,v 1.1 2007/04/01 23:51:00 hira Exp $
+
+Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.
+
+--- shell/source/unix/exec/shellexec.cxx.orig	2006-12-02 02:57:03.000000000 +0900
++++ shell/source/unix/exec/shellexec.cxx	2007-01-19 22:06:10.000000000 +0900
+@@ -4,9 +4,9 @@
+  *
+  *  $RCSfile: patch-cg,v $
+  *
+- *  $Revision: 1.1 $
++ *  $Revision: 1.1 $
+  *
+- *  last change: $Author: hira $ $Date: 2007/04/01 23:51:00 $
++ *  last change: $Author: hira $ $Date: 2007/04/01 23:51:00 $
+  *
+  *  The Contents of this file are made available subject to
+  *  the terms of GNU Lesser General Public License Version 2.1.
+@@ -52,10 +52,6 @@
+ #include <osl/file.hxx>
+ #endif
+ 
+-#ifndef _RTL_STRBUF_HXX_
+-#include <rtl/strbuf.hxx>
+-#endif
+-
+ #ifndef _RTL_USTRBUF_HXX_
+ #include <rtl/ustrbuf.hxx>
+ #endif
+@@ -124,6 +120,20 @@
+     }
+ }
+ 
++void escapeForShell( rtl::OStringBuffer & rBuffer, const rtl::OString & rURL)
++{
++    sal_Int32 nmax = rURL.getLength();
++    for(sal_Int32 n=0; n < nmax; ++n)
++    {
++        // escape every non alpha numeric characters (excluding a few "known good") by prepending a '\'
++        sal_Char c = rURL[n];
++        if( ( c < 'A' || c > 'Z' ) && ( c < 'a' || c > 'z' ) && ( c < '0' || c > '9' )  && c != '/' && c != '.' )
++            rBuffer.append( '\\' );
++        
++        rBuffer.append( c );
++    }
++}
++
+ //-----------------------------------------------------------------------------------------
+ // 
+ //-----------------------------------------------------------------------------------------
+@@ -208,7 +218,7 @@
+         OString aTmp = OUStringToOString(aProgram, osl_getThreadTextEncoding());
+         nIndex = aTmp.lastIndexOf('/');
+         if (nIndex > 0)
+-            aBuffer.append(aTmp.copy(0, nIndex+1));
++            escapeForShell(aBuffer, aTmp.copy(0, nIndex+1));
+             
+         // Respect the desktop environment - if there is an executable named 
+         // <desktop-environement-is>-open-url, pass the url to this one instead
+@@ -236,21 +246,19 @@
+              
+         aBuffer.append("open-url");
+ #endif
+-        aBuffer.append(" \'");
+-        aBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
+-        aBuffer.append("\'");
++        aBuffer.append(" ");
++        escapeForShell(aBuffer, OUStringToOString(aURL, osl_getThreadTextEncoding()));
+         
+         if ( pDesktopLaunch && *pDesktopLaunch )
+         {
+             aLaunchBuffer.append( pDesktopLaunch );
+-            aLaunchBuffer.append( " \'" );
+-            aLaunchBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
+-            aLaunchBuffer.append( "\'" );
++            aLaunchBuffer.append(" ");
++            escapeForShell(aLaunchBuffer, OUStringToOString(aURL, osl_getThreadTextEncoding()));
+         }
+     } else {
+-        aBuffer.append(OUStringToOString(aCommand, osl_getThreadTextEncoding()));
++        escapeForShell(aBuffer, OUStringToOString(aCommand, osl_getThreadTextEncoding()));
+         aBuffer.append(" ");
+-        aBuffer.append(OUStringToOString(aParameter, osl_getThreadTextEncoding()));
++        escapeForShell(aBuffer, OUStringToOString(aParameter, osl_getThreadTextEncoding()));
+     }
+     
+     // Prefer DESKTOP_LAUNCH when available