From: Leo Famulari
Subject: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Date: Sun, 11 Feb 2018 09:42:14 -0500
Message-ID: <20180211144214.GA21042@jasmine.lan>
In-Reply-To: <1518359342.2320488.1266983880.27284CC4@webmail.messagingengine.com>
List-Id: Bug reports for GNU Guix
To: Marius Bakke
Cc: 30414@debbugs.gnu.org

On Sun, Feb 11, 2018 at 02:29:02PM +0000, Marius Bakke wrote:
> I gave this a go, and there were (of course) a lot more changes
> necessary to make this newer libreoffice build. In particular, it now
> works with an external xmlsec (albeit NSS only), and it wants to build
> PDFium(!) in the same fashion as xmlsec was previously.
>
> However PDFium fails to build due to requiring newer C++ features, and
> my attempts at patching "external/pdfium/Library_pdfium.mk" to add
> CXXFLAGS were unsuccessful. So in the end I disabled PDFium support.
>
> It also required libjpeg-turbo instead of libjpeg, although this is
> supposedly fixed in 6.0.1:
> .
>
> Then there were some other problems related to not finding GPGME
> headers, as well as an upstream regression when GTK2 support is
> disabled.
>
> Without further ado, here is the patch. I'm still building it, but plan
> to push shortly if there are no further issues.

Wow, thank you!

> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Sun, 11 Feb 2018 11:46:27 +0100
> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>
> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> (libreoffice): Update to 5.4.5.1.
> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> LIBJPEG with LIBJPEG-TURBO.
> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> headers are found. Add workaround for . Add
> "--disable-pdfium" to #:configure-flags.
> * gnu/packages/xml.scm (xmlsec-nss): New public variable.

The only change I suggest is to remove the obsolete comment at the
beginning of libreoffice's native-inputs about the xmlsec tarball.