* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] @ 2018-02-10 18:52 Leo Famulari 2018-02-10 21:49 ` Leo Famulari 0 siblings, 1 reply; 10+ messages in thread From: Leo Famulari @ 2018-02-10 18:52 UTC (permalink / raw) To: 30414 [-- Attachment #1: Type: text/plain, Size: 382 bytes --] We need to fix CVE-2018-6871 in our LibreOffice package. This bug allows remote attackers to read any file accessible from LibreOffice by supplying a crafted file to open in LibreOffice. Apparently the bug is fixed in LibreOffice 5.4.5 or 6.0.1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871 https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-10 18:52 bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] Leo Famulari @ 2018-02-10 21:49 ` Leo Famulari 2018-02-11 1:27 ` Marius Bakke 0 siblings, 1 reply; 10+ messages in thread From: Leo Famulari @ 2018-02-10 21:49 UTC (permalink / raw) To: 30414 [-- Attachment #1: Type: text/plain, Size: 459 bytes --] I'm trying to update LibreOffice to 5.4.5.1. This version of LibreOffice requires cppunit to be updated to 1.14.0. However, this new version of cppunit requires C++11. This is not the default C++ standard in GCC 5, so this update requires sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT. I'd rather try cherry-picking a patch from LibreOffice upstream but their Git repo is several gigabytes and it will take hours for me to download it. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-10 21:49 ` Leo Famulari @ 2018-02-11 1:27 ` Marius Bakke 2018-02-11 3:54 ` Leo Famulari 2018-02-11 14:29 ` Marius Bakke 0 siblings, 2 replies; 10+ messages in thread From: Marius Bakke @ 2018-02-11 1:27 UTC (permalink / raw) To: 30414, leo On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari <leo@famulari.name> wrote: >I'm trying to update LibreOffice to 5.4.5.1. > >This version of LibreOffice requires cppunit to be updated to 1.14.0. > >However, this new version of cppunit requires C++11. > >This is not the default C++ standard in GCC 5, so this update requires >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT. Could we package the newer version separately and override CXXFLAGS for libreoffice only? >I'd rather try cherry-picking a patch from LibreOffice upstream but >their Git repo is several gigabytes and it will take hours for me to >download it. I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question: https://github.com/LibreOffice/core Thanks for working on it! -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 1:27 ` Marius Bakke @ 2018-02-11 3:54 ` Leo Famulari 2018-02-11 14:29 ` Marius Bakke 1 sibling, 0 replies; 10+ messages in thread From: Leo Famulari @ 2018-02-11 3:54 UTC (permalink / raw) To: Marius Bakke; +Cc: 30414 [-- Attachment #1: Type: text/plain, Size: 192 bytes --] On Sun, Feb 11, 2018 at 02:27:44AM +0100, Marius Bakke wrote: > I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question: I haven't found them either. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 1:27 ` Marius Bakke 2018-02-11 3:54 ` Leo Famulari @ 2018-02-11 14:29 ` Marius Bakke 2018-02-11 14:42 ` Leo Famulari 1 sibling, 1 reply; 10+ messages in thread From: Marius Bakke @ 2018-02-11 14:29 UTC (permalink / raw) To: Leo Famulari, 30414 [-- Attachment #1: Type: text/plain, Size: 1589 bytes --] [the café I'm at is blocking outgoing email, so resending through a browser] On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote: > > > On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari > <leo@famulari.name> wrote: > >I'm trying to update LibreOffice to 5.4.5.1. > > > >This version of LibreOffice requires cppunit to be updated to 1.14.0. > > > >However, this new version of cppunit requires C++11. > > > >This is not the default C++ standard in GCC 5, so this update requires > >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT. > > Could we package the newer version separately and override CXXFLAGS for > libreoffice only? I gave this a go, and there were (of course) a lot more changes necessary to make this newer libreoffice build. In particular, it now works with an external xmlsec (albeit NSS only), and it wants to build PDFium(!) in the same fashion as xmlsec was previously. However PDFium fails to build due to requiring newer C++ features, and my attempts at patching "external/pdfium/Library_pdfium.mk" to add CXXFLAGS were unsuccessful. So in the end I disabled PDFium support. It also required libjpeg-turbo instead of libjpeg, although this is supposedly fixed in 6.0.1: <https://bugs.documentfoundation.org/show_bug.cgi?id=115416>. Then there were some other problems related to not finding GPGME headers, as well as an upstream regression when GTK2 support is disabled. Without further ado, here is the patch. I'm still building it, but plan to push shortly if there are no further issues. [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --] [-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10141 bytes --] From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 From: Marius Bakke <mbakke@fastmail.com> Date: Sun, 11 Feb 2018 11:46:27 +0100 Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. * gnu/packages/check.scm (cppunit-1.14): New public variable. * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. (libreoffice): Update to 5.4.5.1. [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace LIBJPEG with LIBJPEG-TURBO. [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add "--disable-pdfium" to #:configure-flags. * gnu/packages/xml.scm (xmlsec-nss): New public variable. --- gnu/packages/check.scm | 17 ++++++++++++ gnu/packages/libreoffice.scm | 61 ++++++++++++++++++++------------------------ gnu/packages/xml.scm | 12 ++++++++- 3 files changed, 56 insertions(+), 34 deletions(-) diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm index 1276c0fda..8f21baa09 100644 --- a/gnu/packages/check.scm +++ b/gnu/packages/check.scm @@ -157,6 +157,23 @@ unit testing. Test output is in XML for automatic testing and GUI based for supervised tests.") (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball +;; Some packages require this newer version of cppunit. However, it needs +;; C++11 support, which is not enabled by default in our current GCC, and +;; updating in-place would require adding CXXFLAGS to many dependent packages. +;; Thus, keep as a separate variable for now. +;; TODO: Remove this when our default GCC is updated to 6 or higher. +(define-public cppunit-1.14 + (package + (inherit cppunit) + (version "1.14.0") + (source (origin + (method url-fetch) + (uri (string-append "http://dev-www.libreoffice.org/src/" + "cppunit-" version ".tar.gz")) + (sha256 + (base32 + "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix")))))) + (define-public catch-framework (package (name "catch") diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm index 799b06243..b2546e146 100644 --- a/gnu/packages/libreoffice.scm +++ b/gnu/packages/libreoffice.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com> ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org> -;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> +;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> ;;; ;;; This file is part of GNU Guix. @@ -54,6 +54,7 @@ #:use-module (gnu packages glib) #:use-module (gnu packages gnome) #:use-module (gnu packages gperf) + #:use-module (gnu packages gnupg) #:use-module (gnu packages gnuzilla) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) @@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.") (license (non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -;; LibreOffice requires an xmlsec source tarball; it does not even check -;; for the presence of an externally compiled library. -(define xmlsec-src-libreoffice - (origin - (method url-fetch) - (uri - (string-append - "http://dev-www.libreoffice.org/src/" - "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz")) - (sha256 (base32 - "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21")))) - (define-public libreoffice (package (name "libreoffice") - (version "5.3.7.2") + (version "5.4.5.1") (source (origin (method url-fetch) @@ -863,7 +852,7 @@ and to return information on pronunciations, meanings and synonyms.") "https://download.documentfoundation.org/libreoffice/src/" (version-prefix version 3) "/libreoffice-" version ".tar.xz")) (sha256 (base32 - "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3")))) + "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb")))) (build-system gnu-build-system) (native-inputs `(;; autoreconf is run by the LibreOffice build system, since after @@ -872,7 +861,7 @@ and to return information on pronunciations, meanings and synonyms.") ("autoconf" ,autoconf) ("automake" ,automake) ("bison" ,bison) - ("cppunit" ,cppunit) + ("cppunit" ,cppunit-1.14) ("flex" ,flex) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -888,6 +877,7 @@ and to return information on pronunciations, meanings and synonyms.") ("glew" ,glew) ("glm" ,glm) ("gperf" ,gperf) + ("gpgme" ,gpgme) ("graphite2" ,graphite2) ("gst-plugins-base" ,gst-plugins-base) ("gtk+" ,gtk+) @@ -897,7 +887,7 @@ and to return information on pronunciations, meanings and synonyms.") ("libabw" ,libabw) ("libcdr" ,libcdr) ("libcmis" ,libcmis) - ("libjpeg" ,libjpeg) + ("libjpeg-turbo" ,libjpeg-turbo) ("libe-book" ,libe-book) ("libetonyek" ,libetonyek) ("libexttextcat" ,libexttextcat) @@ -935,7 +925,7 @@ and to return information on pronunciations, meanings and synonyms.") ("unixodbc" ,unixodbc) ("unzip" ,unzip) ("vigra" ,vigra) - ("xmlsec-src" ,xmlsec-src-libreoffice) + ("xmlsec" ,xmlsec-nss) ("zip" ,zip))) (arguments `(#:tests? #f ; Building the tests already fails. @@ -944,26 +934,27 @@ and to return information on pronunciations, meanings and synonyms.") (modify-phases %standard-phases (add-before 'configure 'prepare-src (lambda* (#:key inputs #:allow-other-keys) - (let ((xmlsec (assoc-ref inputs "xmlsec-src"))) + (let ((gpgme (assoc-ref inputs "gpgme"))) (substitute* (list "sysui/CustomTarget_share.mk" "solenv/gbuild/gbuild.mk" "solenv/gbuild/platform/unxgcc.mk") (("/bin/sh") (which "sh"))) - (mkdir "external/tarballs") - (symlink - xmlsec - (string-append "external/tarballs/" - "86b1daaa438f5a7bea9a52d7b9799ac0-" - "xmlsec1-1.2.23.tar.gz")) - ;; The following is required for building xmlsec from the - ;; unpatched external tarball; since "configure" starts with - ;; "/bin/sh", it needs to be executed by a command invoking - ;; the shell. - (setenv "SHELL" (which "bash")) - (setenv "CONFIG_SHELL" (which "bash")) - (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk" - (("./configure") "$(CONFIG_SHELL) ./configure" )) + + ;; GPGME++ headers are installed in a gpgme++ subdirectory, + ;; but files in "xmlsecurity/source/gpg/" expect to find them + ;; on the include path without a prefix. + (substitute* "xmlsecurity/Library_xsec_xmlsec.mk" + (("\\$\\$\\(INCLUDE\\)") + (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++"))) + + ;; XXX: When GTK2 is disabled, one header file is not included. + ;; This is likely fixed in later versions. See also + ;; <https://bugs.gentoo.org/641812>. + (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx" + (("#include <unx/gtk/gtkgdi.hxx>") + "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>")) + #t))) (add-after 'install 'bin-and-desktop-install ;; Create 'soffice' and 'libreoffice' symlinks to the executable @@ -1037,6 +1028,10 @@ and to return information on pronunciations, meanings and synonyms.") "--disable-coinmp" "--disable-firebird-sdbc" ; embedded firebird "--disable-gltf" + ;; XXX: PDFium support requires fetching an external tarball and + ;; patching the build scripts to work with GCC5. Try enabling this + ;; when our default compiler is >=GCC 6. + "--disable-pdfium" "--disable-gtk" ; disable use of GTK+ 2 "--without-doxygen"))) (home-page "https://www.libreoffice.org/") diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index a0937582f..39cfc4530 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net> ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr> -;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com> +;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com> ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net> ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> @@ -40,6 +40,7 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages compression) #:use-module (gnu packages gnupg) + #:use-module (gnu packages gnuzilla) #:use-module (gnu packages perl) #:use-module (gnu packages perl-check) #:use-module (gnu packages python) @@ -970,6 +971,15 @@ Libxml2).") (license (license:x11-style "file://COPYING" "See 'COPYING' in the distribution.")))) +(define-public xmlsec-nss + (package + (inherit xmlsec) + (name "xmlsec-nss") + (inputs + `(("nss" ,nss) + ("libltdl" ,libltdl))) + (synopsis "XML Security Library (using NSS instead of GnuTLS)"))) + (define-public minixml (package (name "minixml") -- 2.16.1 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 14:29 ` Marius Bakke @ 2018-02-11 14:42 ` Leo Famulari 2018-02-11 15:08 ` Marius Bakke 0 siblings, 1 reply; 10+ messages in thread From: Leo Famulari @ 2018-02-11 14:42 UTC (permalink / raw) To: Marius Bakke; +Cc: 30414 [-- Attachment #1: Type: text/plain, Size: 2012 bytes --] On Sun, Feb 11, 2018 at 02:29:02PM +0000, Marius Bakke wrote: > I gave this a go, and there were (of course) a lot more changes > necessary to make this newer libreoffice build. In particular, it now > works with an external xmlsec (albeit NSS only), and it wants to build > PDFium(!) in the same fashion as xmlsec was previously. > > However PDFium fails to build due to requiring newer C++ features, and > my attempts at patching "external/pdfium/Library_pdfium.mk" to add > CXXFLAGS were unsuccessful. So in the end I disabled PDFium support. > > It also required libjpeg-turbo instead of libjpeg, although this is > supposedly fixed in 6.0.1: > <https://bugs.documentfoundation.org/show_bug.cgi?id=115416>. > > Then there were some other problems related to not finding GPGME > headers, as well as an upstream regression when GTK2 support is > disabled. > > Without further ado, here is the patch. I'm still building it, but plan > to push shortly if there are no further issues. Wow, thank you! > From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 > From: Marius Bakke <mbakke@fastmail.com> > Date: Sun, 11 Feb 2018 11:46:27 +0100 > Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. > > * gnu/packages/check.scm (cppunit-1.14): New public variable. > * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. > (libreoffice): Update to 5.4.5.1. > [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. > [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace > LIBJPEG with LIBJPEG-TURBO. > [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ > headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add > "--disable-pdfium" to #:configure-flags. > * gnu/packages/xml.scm (xmlsec-nss): New public variable. The only change I suggest is to remove the obsolete comment at the beginning of libreoffice's native-inputs about the xmlsec tarball. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 14:42 ` Leo Famulari @ 2018-02-11 15:08 ` Marius Bakke 2018-02-11 15:34 ` Marius Bakke 2018-02-11 15:36 ` Leo Famulari 0 siblings, 2 replies; 10+ messages in thread From: Marius Bakke @ 2018-02-11 15:08 UTC (permalink / raw) To: Leo Famulari; +Cc: 30414 [-- Attachment #1: Type: text/plain, Size: 1871 bytes --] Leo Famulari <leo@famulari.name> writes: >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 >> From: Marius Bakke <mbakke@fastmail.com> >> Date: Sun, 11 Feb 2018 11:46:27 +0100 >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. >> >> * gnu/packages/check.scm (cppunit-1.14): New public variable. >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. >> (libreoffice): Update to 5.4.5.1. >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace >> LIBJPEG with LIBJPEG-TURBO. >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ >> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add >> "--disable-pdfium" to #:configure-flags. >> * gnu/packages/xml.scm (xmlsec-nss): New public variable. > > The only change I suggest is to remove the obsolete comment at the > beginning of libreoffice's native-inputs about the xmlsec tarball. Good catch. It seems the autoconf and automake inputs are no longer required. But I unfortunately spoke too soon earlier, it failed very late in the build: [build CMP] filter/source/xsltdialog/xsltdlg ld: cannot find -lltdl collect2: error: ld returned 1 exit status make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1 make[1]: *** Waiting for unfinished jobs.... make: *** [Makefile:269: build] Error 2 phase `build' failed after 2114.1 seconds I've attached a revised patch that adds libltdl, and removes the automake inputs. However, I have to leave now, so could you please verify that it works and push? I can provide moral support on #guix if nothing else :-) TIA! [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --] [-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10526 bytes --] From 78a216026cc5d4be4e1623fbe8b3632f47b99ef8 Mon Sep 17 00:00:00 2001 From: Marius Bakke <mbakke@fastmail.com> Date: Sun, 11 Feb 2018 11:46:27 +0100 Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. * gnu/packages/check.scm (cppunit-1.14): New public variable. * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. (libreoffice): Update to 5.4.5.1. [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. Remove AUTOCONF and AUTOMAKE. [inputs]: Add GPGME, XMLSEC-NSS and LIBLTDL. Remove XMLSEC-SRC-LIBREOFFICE. Replace LIBJPEG with LIBJPEG-TURBO. [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add "--disable-pdfium" to #:configure-flags. * gnu/packages/xml.scm (xmlsec-nss): New public variable. --- gnu/packages/check.scm | 17 +++++++++++ gnu/packages/libreoffice.scm | 70 ++++++++++++++++++++------------------------ gnu/packages/xml.scm | 12 +++++++- 3 files changed, 59 insertions(+), 40 deletions(-) diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm index 1276c0fda..92f493592 100644 --- a/gnu/packages/check.scm +++ b/gnu/packages/check.scm @@ -157,6 +157,23 @@ unit testing. Test output is in XML for automatic testing and GUI based for supervised tests.") (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball +;; Some packages require this newer version of cppunit. However, it needs +;; C++11 support, which is not enabled by default in our current GCC, and +;; updating in-place would require adding CXXFLAGS to many dependent packages. +;; Thus, keep as a separate variable for now. +;; TODO: Remove this when our default GCC is updated to 6 or higher. +(define-public cppunit-1.14 + (package + (inherit cppunit) + (version "1.14.0") + (source (origin + (method url-fetch) + (uri (string-append "https://dev-www.libreoffice.org/src/" + "cppunit-" version ".tar.gz")) + (sha256 + (base32 + "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix")))))) + (define-public catch-framework (package (name "catch") diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm index 799b06243..47dd21b3b 100644 --- a/gnu/packages/libreoffice.scm +++ b/gnu/packages/libreoffice.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com> ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org> -;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> +;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> ;;; ;;; This file is part of GNU Guix. @@ -54,6 +54,7 @@ #:use-module (gnu packages glib) #:use-module (gnu packages gnome) #:use-module (gnu packages gperf) + #:use-module (gnu packages gnupg) #:use-module (gnu packages gnuzilla) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) @@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.") (license (non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -;; LibreOffice requires an xmlsec source tarball; it does not even check -;; for the presence of an externally compiled library. -(define xmlsec-src-libreoffice - (origin - (method url-fetch) - (uri - (string-append - "http://dev-www.libreoffice.org/src/" - "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz")) - (sha256 (base32 - "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21")))) - (define-public libreoffice (package (name "libreoffice") - (version "5.3.7.2") + (version "5.4.5.1") (source (origin (method url-fetch) @@ -863,16 +852,11 @@ and to return information on pronunciations, meanings and synonyms.") "https://download.documentfoundation.org/libreoffice/src/" (version-prefix version 3) "/libreoffice-" version ".tar.xz")) (sha256 (base32 - "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3")))) + "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb")))) (build-system gnu-build-system) (native-inputs - `(;; autoreconf is run by the LibreOffice build system, since after - ;; unpacking the external xmlsec tarball, it applies a series of - ;; patches to Makefile.am, configure.in, config.guess and config.sub. - ("autoconf" ,autoconf) - ("automake" ,automake) - ("bison" ,bison) - ("cppunit" ,cppunit) + `(("bison" ,bison) + ("cppunit" ,cppunit-1.14) ("flex" ,flex) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -888,6 +872,7 @@ and to return information on pronunciations, meanings and synonyms.") ("glew" ,glew) ("glm" ,glm) ("gperf" ,gperf) + ("gpgme" ,gpgme) ("graphite2" ,graphite2) ("gst-plugins-base" ,gst-plugins-base) ("gtk+" ,gtk+) @@ -897,12 +882,14 @@ and to return information on pronunciations, meanings and synonyms.") ("libabw" ,libabw) ("libcdr" ,libcdr) ("libcmis" ,libcmis) - ("libjpeg" ,libjpeg) + ("libjpeg-turbo" ,libjpeg-turbo) ("libe-book" ,libe-book) ("libetonyek" ,libetonyek) ("libexttextcat" ,libexttextcat) ("libfreehand" ,libfreehand) ("liblangtag" ,liblangtag) + ;; XXX: Perhaps this should be propagated from xmlsec. + ("libltdl" ,libltdl) ("libmspub" ,libmspub) ("libmwaw" ,libmwaw) ("libodfgen" ,libodfgen) @@ -935,7 +922,7 @@ and to return information on pronunciations, meanings and synonyms.") ("unixodbc" ,unixodbc) ("unzip" ,unzip) ("vigra" ,vigra) - ("xmlsec-src" ,xmlsec-src-libreoffice) + ("xmlsec" ,xmlsec-nss) ("zip" ,zip))) (arguments `(#:tests? #f ; Building the tests already fails. @@ -944,26 +931,27 @@ and to return information on pronunciations, meanings and synonyms.") (modify-phases %standard-phases (add-before 'configure 'prepare-src (lambda* (#:key inputs #:allow-other-keys) - (let ((xmlsec (assoc-ref inputs "xmlsec-src"))) + (let ((gpgme (assoc-ref inputs "gpgme"))) (substitute* (list "sysui/CustomTarget_share.mk" "solenv/gbuild/gbuild.mk" "solenv/gbuild/platform/unxgcc.mk") (("/bin/sh") (which "sh"))) - (mkdir "external/tarballs") - (symlink - xmlsec - (string-append "external/tarballs/" - "86b1daaa438f5a7bea9a52d7b9799ac0-" - "xmlsec1-1.2.23.tar.gz")) - ;; The following is required for building xmlsec from the - ;; unpatched external tarball; since "configure" starts with - ;; "/bin/sh", it needs to be executed by a command invoking - ;; the shell. - (setenv "SHELL" (which "bash")) - (setenv "CONFIG_SHELL" (which "bash")) - (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk" - (("./configure") "$(CONFIG_SHELL) ./configure" )) + + ;; GPGME++ headers are installed in a gpgme++ subdirectory, + ;; but files in "xmlsecurity/source/gpg/" expect to find them + ;; on the include path without a prefix. + (substitute* "xmlsecurity/Library_xsec_xmlsec.mk" + (("\\$\\$\\(INCLUDE\\)") + (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++"))) + + ;; XXX: When GTK2 is disabled, one header file is not included. + ;; This is likely fixed in later versions. See also + ;; <https://bugs.gentoo.org/641812>. + (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx" + (("#include <unx/gtk/gtkgdi.hxx>") + "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>")) + #t))) (add-after 'install 'bin-and-desktop-install ;; Create 'soffice' and 'libreoffice' symlinks to the executable @@ -1037,6 +1025,10 @@ and to return information on pronunciations, meanings and synonyms.") "--disable-coinmp" "--disable-firebird-sdbc" ; embedded firebird "--disable-gltf" + ;; XXX: PDFium support requires fetching an external tarball and + ;; patching the build scripts to work with GCC5. Try enabling this + ;; when our default compiler is >=GCC 6. + "--disable-pdfium" "--disable-gtk" ; disable use of GTK+ 2 "--without-doxygen"))) (home-page "https://www.libreoffice.org/") diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index a0937582f..39cfc4530 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net> ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr> -;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com> +;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com> ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net> ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> @@ -40,6 +40,7 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages compression) #:use-module (gnu packages gnupg) + #:use-module (gnu packages gnuzilla) #:use-module (gnu packages perl) #:use-module (gnu packages perl-check) #:use-module (gnu packages python) @@ -970,6 +971,15 @@ Libxml2).") (license (license:x11-style "file://COPYING" "See 'COPYING' in the distribution.")))) +(define-public xmlsec-nss + (package + (inherit xmlsec) + (name "xmlsec-nss") + (inputs + `(("nss" ,nss) + ("libltdl" ,libltdl))) + (synopsis "XML Security Library (using NSS instead of GnuTLS)"))) + (define-public minixml (package (name "minixml") -- 2.16.1 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 15:08 ` Marius Bakke @ 2018-02-11 15:34 ` Marius Bakke 2018-02-11 15:55 ` Leo Famulari 2018-02-11 15:36 ` Leo Famulari 1 sibling, 1 reply; 10+ messages in thread From: Marius Bakke @ 2018-02-11 15:34 UTC (permalink / raw) To: Leo Famulari; +Cc: 30414-done On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote: > Leo Famulari <leo@famulari.name> writes: > > >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 > >> From: Marius Bakke <mbakke@fastmail.com> > >> Date: Sun, 11 Feb 2018 11:46:27 +0100 > >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. > >> > >> * gnu/packages/check.scm (cppunit-1.14): New public variable. > >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. > >> (libreoffice): Update to 5.4.5.1. > >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. > >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace > >> LIBJPEG with LIBJPEG-TURBO. > >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ > >> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add > >> "--disable-pdfium" to #:configure-flags. > >> * gnu/packages/xml.scm (xmlsec-nss): New public variable. > > > > The only change I suggest is to remove the obsolete comment at the > > beginning of libreoffice's native-inputs about the xmlsec tarball. > > Good catch. It seems the autoconf and automake inputs are no longer > required. But I unfortunately spoke too soon earlier, it failed very > late in the build: > > [build CMP] filter/source/xsltdialog/xsltdlg > ld: cannot find -lltdl > collect2: error: ld returned 1 exit status > make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/ > libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix- > build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/ > libxsec_xmlsec.so] Error 1 > make[1]: *** Waiting for unfinished jobs.... > make: *** [Makefile:269: build] Error 2 > phase `build' failed after 2114.1 seconds > > I've attached a revised patch that adds libltdl, and removes the > automake inputs. However, I have to leave now, so could you please > verify that it works and push? I can provide moral support on #guix if > nothing else :-) > > TIA! Never mind, it was actually completed by the time I packed up. I pushed it (and fixed the merge conflict in xml.scm, sorry about that!). Thanks for staying on top of the never-ending CVE stream :-) ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 15:34 ` Marius Bakke @ 2018-02-11 15:55 ` Leo Famulari 0 siblings, 0 replies; 10+ messages in thread From: Leo Famulari @ 2018-02-11 15:55 UTC (permalink / raw) To: Marius Bakke; +Cc: 30414-done [-- Attachment #1: Type: text/plain, Size: 222 bytes --] On Sun, Feb 11, 2018 at 03:34:42PM +0000, Marius Bakke wrote: > Never mind, it was actually completed by the time I packed up. > I pushed it (and fixed the merge conflict in xml.scm, sorry about that!). Awesome, thanks! [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] 2018-02-11 15:08 ` Marius Bakke 2018-02-11 15:34 ` Marius Bakke @ 2018-02-11 15:36 ` Leo Famulari 1 sibling, 0 replies; 10+ messages in thread From: Leo Famulari @ 2018-02-11 15:36 UTC (permalink / raw) To: Marius Bakke; +Cc: 30414 [-- Attachment #1: Type: text/plain, Size: 424 bytes --] On Sun, Feb 11, 2018 at 03:08:59PM +0000, Marius Bakke wrote: > I've attached a revised patch that adds libltdl, and removes the > automake inputs. However, I have to leave now, so could you please > verify that it works and push? I can provide moral support on #guix if > nothing else :-) Can somebody else do this? I'm actually riding a bus right now and won't be able to run this build long enough for it to complete. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-02-12 15:10 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-02-10 18:52 bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] Leo Famulari 2018-02-10 21:49 ` Leo Famulari 2018-02-11 1:27 ` Marius Bakke 2018-02-11 3:54 ` Leo Famulari 2018-02-11 14:29 ` Marius Bakke 2018-02-11 14:42 ` Leo Famulari 2018-02-11 15:08 ` Marius Bakke 2018-02-11 15:34 ` Marius Bakke 2018-02-11 15:55 ` Leo Famulari 2018-02-11 15:36 ` Leo Famulari
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).