From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] Date: Sun, 11 Feb 2018 15:34:42 +0000 Message-ID: <1518363282.185370.1267018608.237C7FC5@webmail.messagingengine.com> References: <20180210185246.GA18573@jasmine.lan> <20180210214952.GA19621@jasmine.lan> <1518359342.2320488.1266983880.27284CC4@webmail.messagingengine.com> <20180211144214.GA21042@jasmine.lan> <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:47150) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ektek-0007dJ-29 for bug-guix@gnu.org; Sun, 11 Feb 2018 10:35:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekteg-0003OF-T6 for bug-guix@gnu.org; Sun, 11 Feb 2018 10:35:06 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:58799) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ekteg-0003N2-KS for bug-guix@gnu.org; Sun, 11 Feb 2018 10:35:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ekteg-0001ne-Bt for bug-guix@gnu.org; Sun, 11 Feb 2018 10:35:02 -0500 Sender: "Debbugs-submit" Resent-To: bug-guix@gnu.org Resent-Message-ID: In-Reply-To: <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Leo Famulari Cc: 30414-done@debbugs.gnu.org On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote: > Leo Famulari writes: > > >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 > >> From: Marius Bakke > >> Date: Sun, 11 Feb 2018 11:46:27 +0100 > >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. > >> > >> * gnu/packages/check.scm (cppunit-1.14): New public variable. > >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. > >> (libreoffice): Update to 5.4.5.1. > >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. > >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace > >> LIBJPEG with LIBJPEG-TURBO. > >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ > >> headers are found. Add workaround for . Add > >> "--disable-pdfium" to #:configure-flags. > >> * gnu/packages/xml.scm (xmlsec-nss): New public variable. > > > > The only change I suggest is to remove the obsolete comment at the > > beginning of libreoffice's native-inputs about the xmlsec tarball. > > Good catch. It seems the autoconf and automake inputs are no longer > required. But I unfortunately spoke too soon earlier, it failed very > late in the build: > > [build CMP] filter/source/xsltdialog/xsltdlg > ld: cannot find -lltdl > collect2: error: ld returned 1 exit status > make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/ > libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix- > build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/ > libxsec_xmlsec.so] Error 1 > make[1]: *** Waiting for unfinished jobs.... > make: *** [Makefile:269: build] Error 2 > phase `build' failed after 2114.1 seconds > > I've attached a revised patch that adds libltdl, and removes the > automake inputs. However, I have to leave now, so could you please > verify that it works and push? I can provide moral support on #guix if > nothing else :-) > > TIA! Never mind, it was actually completed by the time I packed up. I pushed it (and fixed the merge conflict in xml.scm, sorry about that!). Thanks for staying on top of the never-ending CVE stream :-)