bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

[Marius Bakke <mbakke@fastmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1589 bytes --]

[the café I'm at is blocking outgoing email, so resending through a browser]

On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
> 
> 
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari 
> <leo@famulari.name> wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
> 
> Could we package the newer version separately and override CXXFLAGS for 
> libreoffice only?

I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build.  In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously.

However PDFium fails to build due to requiring newer C++ features, and
my attempts at patching "external/pdfium/Library_pdfium.mk" to add
CXXFLAGS were unsuccessful.  So in the end I disabled PDFium support.

It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1:
<https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.

Then there were some other problems related to not finding GPGME
headers, as well as an upstream regression when GTK2 support is
disabled.

Without further ado, here is the patch.  I'm still building it, but plan
to push shortly if there are no further issues. 

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --]
[-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10141 bytes --]

From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].

* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
[inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
"--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
 gnu/packages/check.scm       | 17 ++++++++++++
 gnu/packages/libreoffice.scm | 61 ++++++++++++++++++++------------------------
 gnu/packages/xml.scm         | 12 ++++++++-
 3 files changed, 56 insertions(+), 34 deletions(-)

diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..8f21baa09 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing.  Test output is in XML for automatic testing and GUI based for
 supervised tests.")
     (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball
 
+;; Some packages require this newer version of cppunit.  However, it needs
+;; C++11 support, which is not enabled by default in our current GCC, and
+;; updating in-place would require adding CXXFLAGS to many dependent packages.
+;; Thus, keep as a separate variable for now.
+;; TODO: Remove this when our default GCC is updated to 6 or higher.
+(define-public cppunit-1.14
+  (package
+    (inherit cppunit)
+    (version "1.14.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://dev-www.libreoffice.org/src/"
+                                  "cppunit-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix"))))))
+
 (define-public catch-framework
   (package
     (name "catch")
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 799b06243..b2546e146 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,6 +54,7 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gperf)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages gtk)
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.")
     (license (non-copyleft "file://COPYING"
                            "See COPYING in the distribution."))))
 
-;; LibreOffice requires an xmlsec source tarball; it does not even check
-;; for the presence of an externally compiled library.
-(define xmlsec-src-libreoffice
-  (origin
-    (method url-fetch)
-    (uri
-      (string-append
-       "http://dev-www.libreoffice.org/src/"
-       "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz"))
-    (sha256 (base32
-             "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21"))))
-
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.3.7.2")
+    (version "5.4.5.1")
     (source
      (origin
       (method url-fetch)
@@ -863,7 +852,7 @@ and to return information on pronunciations, meanings and synonyms.")
           "https://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3"))))
+               "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; autoreconf is run by the LibreOffice build system, since after
@@ -872,7 +861,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("autoconf" ,autoconf)
        ("automake" ,automake)
        ("bison" ,bison)
-       ("cppunit" ,cppunit)
+       ("cppunit" ,cppunit-1.14)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -888,6 +877,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("glew" ,glew)
        ("glm" ,glm)
        ("gperf" ,gperf)
+       ("gpgme" ,gpgme)
        ("graphite2" ,graphite2)
        ("gst-plugins-base" ,gst-plugins-base)
        ("gtk+" ,gtk+)
@@ -897,7 +887,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("libabw" ,libabw)
        ("libcdr" ,libcdr)
        ("libcmis" ,libcmis)
-       ("libjpeg" ,libjpeg)
+       ("libjpeg-turbo" ,libjpeg-turbo)
        ("libe-book" ,libe-book)
        ("libetonyek" ,libetonyek)
        ("libexttextcat" ,libexttextcat)
@@ -935,7 +925,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("unixodbc" ,unixodbc)
        ("unzip" ,unzip)
        ("vigra" ,vigra)
-       ("xmlsec-src" ,xmlsec-src-libreoffice)
+       ("xmlsec" ,xmlsec-nss)
        ("zip" ,zip)))
     (arguments
      `(#:tests? #f ; Building the tests already fails.
@@ -944,26 +934,27 @@ and to return information on pronunciations, meanings and synonyms.")
          (modify-phases %standard-phases
            (add-before 'configure 'prepare-src
              (lambda* (#:key inputs #:allow-other-keys)
-               (let ((xmlsec (assoc-ref inputs "xmlsec-src")))
+               (let ((gpgme (assoc-ref inputs "gpgme")))
                  (substitute*
                    (list "sysui/CustomTarget_share.mk"
                          "solenv/gbuild/gbuild.mk"
                          "solenv/gbuild/platform/unxgcc.mk")
                    (("/bin/sh") (which "sh")))
-                 (mkdir "external/tarballs")
-                 (symlink
-                   xmlsec
-                   (string-append "external/tarballs/"
-                                  "86b1daaa438f5a7bea9a52d7b9799ac0-"
-                                  "xmlsec1-1.2.23.tar.gz"))
-                 ;; The following is required for building xmlsec from the
-                 ;; unpatched external tarball; since "configure" starts with
-                 ;; "/bin/sh", it needs to be executed by a command invoking
-                 ;; the shell.
-                 (setenv "SHELL" (which "bash"))
-                 (setenv "CONFIG_SHELL" (which "bash"))
-                 (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk"
-                   (("./configure") "$(CONFIG_SHELL) ./configure" ))
+
+                 ;; GPGME++ headers are installed in a gpgme++ subdirectory,
+                 ;; but files in "xmlsecurity/source/gpg/" expect to find them
+                 ;; on the include path without a prefix.
+                 (substitute* "xmlsecurity/Library_xsec_xmlsec.mk"
+                   (("\\$\\$\\(INCLUDE\\)")
+                    (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++")))
+
+                 ;; XXX: When GTK2 is disabled, one header file is not included.
+                 ;; This is likely fixed in later versions.  See also
+                 ;; <https://bugs.gentoo.org/641812>.
+                 (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx"
+                   (("#include <unx/gtk/gtkgdi.hxx>")
+                    "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>"))
+
                  #t)))
            (add-after 'install 'bin-and-desktop-install
              ;; Create 'soffice' and 'libreoffice' symlinks to the executable
@@ -1037,6 +1028,10 @@ and to return information on pronunciations, meanings and synonyms.")
           "--disable-coinmp"
           "--disable-firebird-sdbc" ; embedded firebird
           "--disable-gltf"
+          ;; XXX: PDFium support requires fetching an external tarball and
+          ;; patching the build scripts to work with GCC5.  Try enabling this
+          ;; when our default compiler is >=GCC 6.
+          "--disable-pdfium"
           "--disable-gtk" ; disable use of GTK+ 2
           "--without-doxygen")))
     (home-page "https://www.libreoffice.org/")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a0937582f..39cfc4530 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -970,6 +971,15 @@ Libxml2).")
     (license (license:x11-style "file://COPYING"
                                 "See 'COPYING' in the distribution."))))
 
+(define-public xmlsec-nss
+  (package
+    (inherit xmlsec)
+    (name "xmlsec-nss")
+    (inputs
+     `(("nss" ,nss)
+       ("libltdl" ,libltdl)))
+    (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
+
 (define-public minixml
   (package
     (name "minixml")
-- 
2.16.1