unofficial mirror of bug-guix@gnu.org 
From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 30414@debbugs.gnu.org
Subject: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Date: Sun, 11 Feb 2018 15:08:59 +0000
Message-ID: <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com>
In-Reply-To: <20180211144214.GA21042@jasmine.lan>

[-- Attachment #1: Type: text/plain, Size: 1871 bytes --]

Leo Famulari <leo@famulari.name> writes:

>> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sun, 11 Feb 2018 11:46:27 +0100
>> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>> 
>> * gnu/packages/check.scm (cppunit-1.14): New public variable.
>> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
>> (libreoffice): Update to 5.4.5.1.
>> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
>> [inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
>> LIBJPEG with LIBJPEG-TURBO.
>> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
>> headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
>> "--disable-pdfium" to #:configure-flags.
>> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
>
> The only change I suggest is to remove the obsolete comment at the
> beginning of libreoffice's native-inputs about the xmlsec tarball.

Good catch.  It seems the autoconf and automake inputs are no longer
required.  But I unfortunately spoke too soon earlier, it failed very
late in the build:

[build CMP] filter/source/xsltdialog/xsltdlg
ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:269: build] Error 2
phase `build' failed after 2114.1 seconds

I've attached a revised patch that adds libltdl, and removes the
automake inputs.  However, I have to leave now, so could you please
verify that it works and push?  I can provide moral support on #guix if
nothing else :-)

TIA!

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --]
[-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10526 bytes --]

From 78a216026cc5d4be4e1623fbe8b3632f47b99ef8 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].

* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14.  Remove AUTOCONF and AUTOMAKE.
[inputs]: Add GPGME, XMLSEC-NSS and LIBLTDL.  Remove XMLSEC-SRC-LIBREOFFICE.
Replace LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
"--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
 gnu/packages/check.scm       | 17 +++++++++++
 gnu/packages/libreoffice.scm | 70 ++++++++++++++++++++------------------------
 gnu/packages/xml.scm         | 12 +++++++-
 3 files changed, 59 insertions(+), 40 deletions(-)

diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..92f493592 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing.  Test output is in XML for automatic testing and GUI based for
 supervised tests.")
     (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball
 
+;; Some packages require this newer version of cppunit.  However, it needs
+;; C++11 support, which is not enabled by default in our current GCC, and
+;; updating in-place would require adding CXXFLAGS to many dependent packages.
+;; Thus, keep as a separate variable for now.
+;; TODO: Remove this when our default GCC is updated to 6 or higher.
+(define-public cppunit-1.14
+  (package
+    (inherit cppunit)
+    (version "1.14.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://dev-www.libreoffice.org/src/"
+                                  "cppunit-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix"))))))
+
 (define-public catch-framework
   (package
     (name "catch")
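Review bot: the comment above cppunit-1.14 says this version needs C++11 support that the current default GCC does not enable, yet the definition overrides only version and source and passes no flags of its own. State in the comment whether cppunit's own build turns C++11 on or whether each dependent is expected to supply it, so that whoever acts on the TODO knows what else has to change.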
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 799b06243..47dd21b3b 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,6 +54,7 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gperf)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages gtk)
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.")
     (license (non-copyleft "file://COPYING"
                            "See COPYING in the distribution."))))
 
-;; LibreOffice requires an xmlsec source tarball; it does not even check
-;; for the presence of an externally compiled library.
-(define xmlsec-src-libreoffice
-  (origin
-    (method url-fetch)
-    (uri
-      (string-append
-       "http://dev-www.libreoffice.org/src/"
-       "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz"))
-    (sha256 (base32
-             "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21"))))
-
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.3.7.2")
+    (version "5.4.5.1")
     (source
      (origin
       (method url-fetch)
@@ -863,16 +852,11 @@ and to return information on pronunciations, meanings and synonyms.")
           "https://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3"))))
+               "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(;; autoreconf is run by the LibreOffice build system, since after
-       ;; unpacking the external xmlsec tarball, it applies a series of
-       ;; patches to Makefile.am, configure.in, config.guess and config.sub.
-       ("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("bison" ,bison)
-       ("cppunit" ,cppunit)
+     `(("bison" ,bison)
+       ("cppunit" ,cppunit-1.14)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -888,6 +872,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("glew" ,glew)
        ("glm" ,glm)
        ("gperf" ,gperf)
+       ("gpgme" ,gpgme)
        ("graphite2" ,graphite2)
        ("gst-plugins-base" ,gst-plugins-base)
        ("gtk+" ,gtk+)
@@ -897,12 +882,14 @@ and to return information on pronunciations, meanings and synonyms.")
        ("libabw" ,libabw)
        ("libcdr" ,libcdr)
        ("libcmis" ,libcmis)
-       ("libjpeg" ,libjpeg)
+       ("libjpeg-turbo" ,libjpeg-turbo)
        ("libe-book" ,libe-book)
        ("libetonyek" ,libetonyek)
        ("libexttextcat" ,libexttextcat)
        ("libfreehand" ,libfreehand)
        ("liblangtag" ,liblangtag)
+       ;; XXX: Perhaps this should be propagated from xmlsec.
+       ("libltdl" ,libltdl)
        ("libmspub" ,libmspub)
        ("libmwaw" ,libmwaw)
        ("libodfgen" ,libodfgen)
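Review bot: the XXX on the new libltdl input records an open question rather than a decision. xmlsec-nss, added in gnu/packages/xml.scm by this same patch, lists libltdl as a plain input, so libreoffice has to repeat it here for the libxsec_xmlsec.so link step that failed with "cannot find -lltdl". Making libltdl a propagated input of xmlsec-nss would let this entry and the comment go; if it stays here, the comment should say that the xmlsec link needs -lltdl.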
@@ -935,7 +922,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("unixodbc" ,unixodbc)
        ("unzip" ,unzip)
        ("vigra" ,vigra)
-       ("xmlsec-src" ,xmlsec-src-libreoffice)
+       ("xmlsec" ,xmlsec-nss)
        ("zip" ,zip)))
     (arguments
      `(#:tests? #f ; Building the tests already fails.
@@ -944,26 +931,27 @@ and to return information on pronunciations, meanings and synonyms.")
          (modify-phases %standard-phases
            (add-before 'configure 'prepare-src
              (lambda* (#:key inputs #:allow-other-keys)
-               (let ((xmlsec (assoc-ref inputs "xmlsec-src")))
+               (let ((gpgme (assoc-ref inputs "gpgme")))
                  (substitute*
                    (list "sysui/CustomTarget_share.mk"
                          "solenv/gbuild/gbuild.mk"
                          "solenv/gbuild/platform/unxgcc.mk")
                    (("/bin/sh") (which "sh")))
-                 (mkdir "external/tarballs")
-                 (symlink
-                   xmlsec
-                   (string-append "external/tarballs/"
-                                  "86b1daaa438f5a7bea9a52d7b9799ac0-"
-                                  "xmlsec1-1.2.23.tar.gz"))
-                 ;; The following is required for building xmlsec from the
-                 ;; unpatched external tarball; since "configure" starts with
-                 ;; "/bin/sh", it needs to be executed by a command invoking
-                 ;; the shell.
-                 (setenv "SHELL" (which "bash"))
-                 (setenv "CONFIG_SHELL" (which "bash"))
-                 (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk"
-                   (("./configure") "$(CONFIG_SHELL) ./configure" ))
+
+                 ;; GPGME++ headers are installed in a gpgme++ subdirectory,
+                 ;; but files in "xmlsecurity/source/gpg/" expect to find them
+                 ;; on the include path without a prefix.
+                 (substitute* "xmlsecurity/Library_xsec_xmlsec.mk"
+                   (("\\$\\$\\(INCLUDE\\)")
+                    (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++")))
+
+                 ;; XXX: When GTK2 is disabled, one header file is not included.
+                 ;; This is likely fixed in later versions.  See also
+                 ;; <https://bugs.gentoo.org/641812>.
+                 (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx"
+                   (("#include <unx/gtk/gtkgdi.hxx>")
+                    "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>"))
+
                  #t)))
            (add-after 'install 'bin-and-desktop-install
              ;; Create 'soffice' and 'libreoffice' symlinks to the executable
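Review bot: both new substitute* calls in prepare-src patch upstream files by pattern, and nothing here notices when a pattern stops matching after a later version bump; the gtk3gtkframe.cxx workaround is already expected to become unnecessary ("likely fixed in later versions"). Name the version it was written for (5.4.5.1) in the XXX comment so it is re-checked and dropped on the next update. The include pattern is also read as a regular expression, so its dots match any character; harmless here, but escaping them as the $$(INCLUDE) pattern does would be consistent.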
@@ -1037,6 +1025,10 @@ and to return information on pronunciations, meanings and synonyms.")
           "--disable-coinmp"
           "--disable-firebird-sdbc" ; embedded firebird
           "--disable-gltf"
+          ;; XXX: PDFium support requires fetching an external tarball and
+          ;; patching the build scripts to work with GCC5.  Try enabling this
+          ;; when our default compiler is >=GCC 6.
+          "--disable-pdfium"
           "--disable-gtk" ; disable use of GTK+ 2
           "--without-doxygen")))
     (home-page "https://www.libreoffice.org/")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a0937582f..39cfc4530 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -970,6 +971,15 @@ Libxml2).")
     (license (license:x11-style "file://COPYING"
                                 "See 'COPYING' in the distribution."))))
 
+(define-public xmlsec-nss
+  (package
+    (inherit xmlsec)
+    (name "xmlsec-nss")
+    (inputs
+     `(("nss" ,nss)
+       ("libltdl" ,libltdl)))
+    (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
+
 (define-public minixml
   (package
     (name "minixml")
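Review bot: in xmlsec-nss the inputs field replaces the inherited one outright, so every input of xmlsec that is not repeated here is dropped, and nothing visible in the definition tells the build to use NSS. The synopsis promises "using NSS instead of GnuTLS", but the choice appears to rest on what configure happens to find. A short comment saying so, or an explicit configure flag selecting the backend, would keep the variant from changing silently if an inherited field later brings GnuTLS back into the build environment.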
-- 
2.16.1

