unofficial mirror of bug-guix@gnu.org 
* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
@ 2018-02-10 18:52 Leo Famulari
  2018-02-10 21:49 ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2018-02-10 18:52 UTC (permalink / raw)
  To: 30414

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

We need to fix CVE-2018-6871 in our LibreOffice package. This bug allows
remote attackers to read any file accessible from LibreOffice by
supplying a crafted file to open in LibreOffice.

Apparently the bug is fixed in LibreOffice 5.4.5 or 6.0.1.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure


* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-10 18:52 bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files] Leo Famulari
@ 2018-02-10 21:49 ` Leo Famulari
  2018-02-11  1:27   ` Marius Bakke
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2018-02-10 21:49 UTC (permalink / raw)
  To: 30414

[-- Attachment #1: Type: text/plain, Size: 459 bytes --]

I'm trying to update LibreOffice to 5.4.5.1.

This version of LibreOffice requires cppunit to be updated to 1.14.0.

However, this new version of cppunit requires C++11.

This is not the default C++ standard in GCC 5, so this update requires
sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.

I'd rather try cherry-picking a patch from LibreOffice upstream but
their Git repo is several gigabytes and it will take hours for me to
download it.


* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-10 21:49 ` Leo Famulari
@ 2018-02-11  1:27   ` Marius Bakke
  2018-02-11  3:54     ` Leo Famulari
  2018-02-11 14:29     ` Marius Bakke
  0 siblings, 2 replies; 10+ messages in thread
From: Marius Bakke @ 2018-02-11  1:27 UTC (permalink / raw)
  To: 30414, leo



On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari <leo@famulari.name> wrote:
>I'm trying to update LibreOffice to 5.4.5.1.
>
>This version of LibreOffice requires cppunit to be updated to 1.14.0.
>
>However, this new version of cppunit requires C++11.
>
>This is not the default C++ standard in GCC 5, so this update requires
>sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.

Could we package the newer version separately and override CXXFLAGS for libreoffice only?


>I'd rather try cherry-picking a patch from LibreOffice upstream but
>their Git repo is several gigabytes and it will take hours for me to
>download it.

I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question:

https://github.com/LibreOffice/core

Thanks for working on it!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11  1:27   ` Marius Bakke
@ 2018-02-11  3:54     ` Leo Famulari
  2018-02-11 14:29     ` Marius Bakke
  1 sibling, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2018-02-11  3:54 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 30414

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

On Sun, Feb 11, 2018 at 02:27:44AM +0100, Marius Bakke wrote:
> I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question:

I haven't found them either.


* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11  1:27   ` Marius Bakke
  2018-02-11  3:54     ` Leo Famulari
@ 2018-02-11 14:29     ` Marius Bakke
  2018-02-11 14:42       ` Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Marius Bakke @ 2018-02-11 14:29 UTC (permalink / raw)
  To: Leo Famulari, 30414

[-- Attachment #1: Type: text/plain, Size: 1589 bytes --]

[the café I'm at is blocking outgoing email, so resending through a browser]

On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
> 
> 
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari 
> <leo@famulari.name> wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
> 
> Could we package the newer version separately and override CXXFLAGS for 
> libreoffice only?

I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build.  In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously.

However PDFium fails to build due to requiring newer C++ features, and
my attempts at patching "external/pdfium/Library_pdfium.mk" to add
CXXFLAGS were unsuccessful.  So in the end I disabled PDFium support.

It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1:
<https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.

Then there were some other problems related to not finding GPGME
headers, as well as an upstream regression when GTK2 support is
disabled.

Without further ado, here is the patch.  I'm still building it, but plan
to push shortly if there are no further issues. 

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --]
[-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10141 bytes --]

From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].

* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
[inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
"--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
 gnu/packages/check.scm       | 17 ++++++++++++
 gnu/packages/libreoffice.scm | 61 ++++++++++++++++++++------------------------
 gnu/packages/xml.scm         | 12 ++++++++-
 3 files changed, 56 insertions(+), 34 deletions(-)

diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..8f21baa09 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing.  Test output is in XML for automatic testing and GUI based for
 supervised tests.")
     (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball
 
+;; Some packages require this newer version of cppunit.  However, it needs
+;; C++11 support, which is not enabled by default in our current GCC, and
+;; updating in-place would require adding CXXFLAGS to many dependent packages.
+;; Thus, keep as a separate variable for now.
+;; TODO: Remove this when our default GCC is updated to 6 or higher.
+(define-public cppunit-1.14
+  (package
+    (inherit cppunit)
+    (version "1.14.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://dev-www.libreoffice.org/src/"
+                                  "cppunit-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix"))))))
+
 (define-public catch-framework
   (package
     (name "catch")
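Review bot: the uri of the new cppunit-1.14 origin uses plain "http://dev-www.libreoffice.org/src/", while the libreoffice origin in this same patch fetches from an https URL. The sha256 pins the tarball content, so a tampered download fails the hash check, but changing the string to "https://dev-www.libreoffice.org/src/" keeps the fetch itself off cleartext and matches the other origin.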
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 799b06243..b2546e146 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,6 +54,7 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gperf)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages gtk)
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.")
     (license (non-copyleft "file://COPYING"
                            "See COPYING in the distribution."))))
 
-;; LibreOffice requires an xmlsec source tarball; it does not even check
-;; for the presence of an externally compiled library.
-(define xmlsec-src-libreoffice
-  (origin
-    (method url-fetch)
-    (uri
-      (string-append
-       "http://dev-www.libreoffice.org/src/"
-       "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz"))
-    (sha256 (base32
-             "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21"))))
-
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.3.7.2")
+    (version "5.4.5.1")
     (source
      (origin
       (method url-fetch)
@@ -863,7 +852,7 @@ and to return information on pronunciations, meanings and synonyms.")
           "https://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3"))))
+               "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; autoreconf is run by the LibreOffice build system, since after
@@ -872,7 +861,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("autoconf" ,autoconf)
        ("automake" ,automake)
        ("bison" ,bison)
-       ("cppunit" ,cppunit)
+       ("cppunit" ,cppunit-1.14)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -888,6 +877,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("glew" ,glew)
        ("glm" ,glm)
        ("gperf" ,gperf)
+       ("gpgme" ,gpgme)
        ("graphite2" ,graphite2)
        ("gst-plugins-base" ,gst-plugins-base)
        ("gtk+" ,gtk+)
@@ -897,7 +887,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("libabw" ,libabw)
        ("libcdr" ,libcdr)
        ("libcmis" ,libcmis)
-       ("libjpeg" ,libjpeg)
+       ("libjpeg-turbo" ,libjpeg-turbo)
        ("libe-book" ,libe-book)
        ("libetonyek" ,libetonyek)
        ("libexttextcat" ,libexttextcat)
@@ -935,7 +925,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("unixodbc" ,unixodbc)
        ("unzip" ,unzip)
        ("vigra" ,vigra)
-       ("xmlsec-src" ,xmlsec-src-libreoffice)
+       ("xmlsec" ,xmlsec-nss)
        ("zip" ,zip)))
     (arguments
      `(#:tests? #f ; Building the tests already fails.
@@ -944,26 +934,27 @@ and to return information on pronunciations, meanings and synonyms.")
          (modify-phases %standard-phases
            (add-before 'configure 'prepare-src
              (lambda* (#:key inputs #:allow-other-keys)
-               (let ((xmlsec (assoc-ref inputs "xmlsec-src")))
+               (let ((gpgme (assoc-ref inputs "gpgme")))
                  (substitute*
                    (list "sysui/CustomTarget_share.mk"
                          "solenv/gbuild/gbuild.mk"
                          "solenv/gbuild/platform/unxgcc.mk")
                    (("/bin/sh") (which "sh")))
-                 (mkdir "external/tarballs")
-                 (symlink
-                   xmlsec
-                   (string-append "external/tarballs/"
-                                  "86b1daaa438f5a7bea9a52d7b9799ac0-"
-                                  "xmlsec1-1.2.23.tar.gz"))
-                 ;; The following is required for building xmlsec from the
-                 ;; unpatched external tarball; since "configure" starts with
-                 ;; "/bin/sh", it needs to be executed by a command invoking
-                 ;; the shell.
-                 (setenv "SHELL" (which "bash"))
-                 (setenv "CONFIG_SHELL" (which "bash"))
-                 (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk"
-                   (("./configure") "$(CONFIG_SHELL) ./configure" ))
+
+                 ;; GPGME++ headers are installed in a gpgme++ subdirectory,
+                 ;; but files in "xmlsecurity/source/gpg/" expect to find them
+                 ;; on the include path without a prefix.
+                 (substitute* "xmlsecurity/Library_xsec_xmlsec.mk"
+                   (("\\$\\$\\(INCLUDE\\)")
+                    (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++")))
+
+                 ;; XXX: When GTK2 is disabled, one header file is not included.
+                 ;; This is likely fixed in later versions.  See also
+                 ;; <https://bugs.gentoo.org/641812>.
+                 (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx"
+                   (("#include <unx/gtk/gtkgdi.hxx>")
+                    "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>"))
+
                  #t)))
            (add-after 'install 'bin-and-desktop-install
              ;; Create 'soffice' and 'libreoffice' symlinks to the executable
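Review bot: the two substitute* calls added to prepare-src are workarounds with no stated removal condition. The comment on the gtk3gtkframe.cxx one says only "This is likely fixed in later versions"; name the upstream version or bug status once known, so that the next update of this package can tell whether the extra #include is still needed. The GPGME++ comment could likewise say which LibreOffice version introduced the dependency on the unprefixed include path.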
@@ -1037,6 +1028,10 @@ and to return information on pronunciations, meanings and synonyms.")
           "--disable-coinmp"
           "--disable-firebird-sdbc" ; embedded firebird
           "--disable-gltf"
+          ;; XXX: PDFium support requires fetching an external tarball and
+          ;; patching the build scripts to work with GCC5.  Try enabling this
+          ;; when our default compiler is >=GCC 6.
+          "--disable-pdfium"
           "--disable-gtk" ; disable use of GTK+ 2
           "--without-doxygen")))
     (home-page "https://www.libreoffice.org/")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a0937582f..39cfc4530 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -970,6 +971,15 @@ Libxml2).")
     (license (license:x11-style "file://COPYING"
                                 "See 'COPYING' in the distribution."))))
 
+(define-public xmlsec-nss
+  (package
+    (inherit xmlsec)
+    (name "xmlsec-nss")
+    (inputs
+     `(("nss" ,nss)
+       ("libltdl" ,libltdl)))
+    (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
+
 (define-public minixml
   (package
     (name "minixml")
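Review bot: xmlsec-nss overrides only name, inputs and synopsis, so nothing in this definition explicitly selects the NSS backend; the result presumably depends on what the inherited build detects from the inputs that are present. A short comment saying that this variant exists for LibreOffice, and why libltdl is listed next to nss, would help the next reader. The description is not overridden either, so it will still be the parent package's text.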
-- 
2.16.1



* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11 14:29     ` Marius Bakke
@ 2018-02-11 14:42       ` Leo Famulari
  2018-02-11 15:08         ` Marius Bakke
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2018-02-11 14:42 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 30414

[-- Attachment #1: Type: text/plain, Size: 2012 bytes --]

On Sun, Feb 11, 2018 at 02:29:02PM +0000, Marius Bakke wrote:
> I gave this a go, and there were (of course) a lot more changes
> necessary to make this newer libreoffice build.  In particular, it now
> works with an external xmlsec (albeit NSS only), and it wants to build
> PDFium(!) in the same fashion as xmlsec was previously.
> 
> However PDFium fails to build due to requiring newer C++ features, and
> my attempts at patching "external/pdfium/Library_pdfium.mk" to add
> CXXFLAGS were unsuccessful.  So in the end I disabled PDFium support.
> 
> It also required libjpeg-turbo instead of libjpeg, although this is
> supposedly fixed in 6.0.1:
> <https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.
>
> Then there were some other problems related to not finding GPGME
> headers, as well as an upstream regression when GTK2 support is
> disabled.
> 
> Without further ado, here is the patch.  I'm still building it, but plan
> to push shortly if there are no further issues. 

Wow, thank you!

> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sun, 11 Feb 2018 11:46:27 +0100
> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
> 
> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> (libreoffice): Update to 5.4.5.1.
> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> [inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
> LIBJPEG with LIBJPEG-TURBO.
> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
> headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
> "--disable-pdfium" to #:configure-flags.
> * gnu/packages/xml.scm (xmlsec-nss): New public variable.

The only change I suggest is to remove the obsolete comment at the
beginning of libreoffice's native-inputs about the xmlsec tarball.


* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11 14:42       ` Leo Famulari
@ 2018-02-11 15:08         ` Marius Bakke
  2018-02-11 15:34           ` Marius Bakke
  2018-02-11 15:36           ` Leo Famulari
  0 siblings, 2 replies; 10+ messages in thread
From: Marius Bakke @ 2018-02-11 15:08 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 30414

[-- Attachment #1: Type: text/plain, Size: 1871 bytes --]

Leo Famulari <leo@famulari.name> writes:

>> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sun, 11 Feb 2018 11:46:27 +0100
>> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>> 
>> * gnu/packages/check.scm (cppunit-1.14): New public variable.
>> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
>> (libreoffice): Update to 5.4.5.1.
>> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
>> [inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
>> LIBJPEG with LIBJPEG-TURBO.
>> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
>> headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
>> "--disable-pdfium" to #:configure-flags.
>> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
>
> The only change I suggest is to remove the obsolete comment at the
> beginning of libreoffice's native-inputs about the xmlsec tarball.

Good catch.  It seems the autoconf and automake inputs are no longer
required.  But I unfortunately spoke too soon earlier, it failed very
late in the build:

[build CMP] filter/source/xsltdialog/xsltdlg
ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:269: build] Error 2
phase `build' failed after 2114.1 seconds

I've attached a revised patch that adds libltdl, and removes the
automake inputs.  However, I have to leave now, so could you please
verify that it works and push?  I can provide moral support on #guix if
nothing else :-)

TIA!

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch --]
[-- Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch", Size: 10526 bytes --]

From 78a216026cc5d4be4e1623fbe8b3632f47b99ef8 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].

* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14.  Remove AUTOCONF and AUTOMAKE.
[inputs]: Add GPGME, XMLSEC-NSS and LIBLTDL.  Remove XMLSEC-SRC-LIBREOFFICE.
Replace LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
"--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
 gnu/packages/check.scm       | 17 +++++++++++
 gnu/packages/libreoffice.scm | 70 ++++++++++++++++++++------------------------
 gnu/packages/xml.scm         | 12 +++++++-
 3 files changed, 59 insertions(+), 40 deletions(-)

diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..92f493592 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing.  Test output is in XML for automatic testing and GUI based for
 supervised tests.")
     (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball
 
+;; Some packages require this newer version of cppunit.  However, it needs
+;; C++11 support, which is not enabled by default in our current GCC, and
+;; updating in-place would require adding CXXFLAGS to many dependent packages.
+;; Thus, keep as a separate variable for now.
+;; TODO: Remove this when our default GCC is updated to 6 or higher.
+(define-public cppunit-1.14
+  (package
+    (inherit cppunit)
+    (version "1.14.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://dev-www.libreoffice.org/src/"
+                                  "cppunit-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix"))))))
+
 (define-public catch-framework
   (package
     (name "catch")
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 799b06243..47dd21b3b 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,6 +54,7 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gperf)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages gtk)
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.")
     (license (non-copyleft "file://COPYING"
                            "See COPYING in the distribution."))))
 
-;; LibreOffice requires an xmlsec source tarball; it does not even check
-;; for the presence of an externally compiled library.
-(define xmlsec-src-libreoffice
-  (origin
-    (method url-fetch)
-    (uri
-      (string-append
-       "http://dev-www.libreoffice.org/src/"
-       "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz"))
-    (sha256 (base32
-             "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21"))))
-
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.3.7.2")
+    (version "5.4.5.1")
     (source
      (origin
       (method url-fetch)
@@ -863,16 +852,11 @@ and to return information on pronunciations, meanings and synonyms.")
           "https://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3"))))
+               "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(;; autoreconf is run by the LibreOffice build system, since after
-       ;; unpacking the external xmlsec tarball, it applies a series of
-       ;; patches to Makefile.am, configure.in, config.guess and config.sub.
-       ("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("bison" ,bison)
-       ("cppunit" ,cppunit)
+     `(("bison" ,bison)
+       ("cppunit" ,cppunit-1.14)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
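Review bot: dropping "autoconf" and "automake" from native-inputs rests on the removed comment, which tied autoreconf to the patches applied after unpacking the external xmlsec tarball. Confirm with a complete build that no other bundled external still runs autoreconf before pushing, since a missing tool here would only show up late in a long build.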
@@ -888,6 +872,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("glew" ,glew)
        ("glm" ,glm)
        ("gperf" ,gperf)
+       ("gpgme" ,gpgme)
        ("graphite2" ,graphite2)
        ("gst-plugins-base" ,gst-plugins-base)
        ("gtk+" ,gtk+)
@@ -897,12 +882,14 @@ and to return information on pronunciations, meanings and synonyms.")
        ("libabw" ,libabw)
        ("libcdr" ,libcdr)
        ("libcmis" ,libcmis)
-       ("libjpeg" ,libjpeg)
+       ("libjpeg-turbo" ,libjpeg-turbo)
        ("libe-book" ,libe-book)
        ("libetonyek" ,libetonyek)
        ("libexttextcat" ,libexttextcat)
        ("libfreehand" ,libfreehand)
        ("liblangtag" ,liblangtag)
+       ;; XXX: Perhaps this should be propagated from xmlsec.
+       ("libltdl" ,libltdl)
        ("libmspub" ,libmspub)
        ("libmwaw" ,libmwaw)
        ("libodfgen" ,libodfgen)
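Review bot: the "XXX: Perhaps this should be propagated from xmlsec." on the new libltdl input should be resolved rather than left open. The link failure quoted earlier in this message ("ld: cannot find -lltdl" while linking libxsec_xmlsec.so) indicates that whatever links against xmlsec-nss needs libltdl as well, so declaring it in propagated-inputs of xmlsec-nss would fix this once instead of in every consumer.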
@@ -935,7 +922,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("unixodbc" ,unixodbc)
        ("unzip" ,unzip)
        ("vigra" ,vigra)
-       ("xmlsec-src" ,xmlsec-src-libreoffice)
+       ("xmlsec" ,xmlsec-nss)
        ("zip" ,zip)))
     (arguments
      `(#:tests? #f ; Building the tests already fails.
@@ -944,26 +931,27 @@ and to return information on pronunciations, meanings and synonyms.")
          (modify-phases %standard-phases
            (add-before 'configure 'prepare-src
              (lambda* (#:key inputs #:allow-other-keys)
-               (let ((xmlsec (assoc-ref inputs "xmlsec-src")))
+               (let ((gpgme (assoc-ref inputs "gpgme")))
                  (substitute*
                    (list "sysui/CustomTarget_share.mk"
                          "solenv/gbuild/gbuild.mk"
                          "solenv/gbuild/platform/unxgcc.mk")
                    (("/bin/sh") (which "sh")))
-                 (mkdir "external/tarballs")
-                 (symlink
-                   xmlsec
-                   (string-append "external/tarballs/"
-                                  "86b1daaa438f5a7bea9a52d7b9799ac0-"
-                                  "xmlsec1-1.2.23.tar.gz"))
-                 ;; The following is required for building xmlsec from the
-                 ;; unpatched external tarball; since "configure" starts with
-                 ;; "/bin/sh", it needs to be executed by a command invoking
-                 ;; the shell.
-                 (setenv "SHELL" (which "bash"))
-                 (setenv "CONFIG_SHELL" (which "bash"))
-                 (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk"
-                   (("./configure") "$(CONFIG_SHELL) ./configure" ))
+
+                 ;; GPGME++ headers are installed in a gpgme++ subdirectory,
+                 ;; but files in "xmlsecurity/source/gpg/" expect to find them
+                 ;; on the include path without a prefix.
+                 (substitute* "xmlsecurity/Library_xsec_xmlsec.mk"
+                   (("\\$\\$\\(INCLUDE\\)")
+                    (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++")))
+
+                 ;; XXX: When GTK2 is disabled, one header file is not included.
+                 ;; This is likely fixed in later versions.  See also
+                 ;; <https://bugs.gentoo.org/641812>.
+                 (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx"
+                   (("#include <unx/gtk/gtkgdi.hxx>")
+                    "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>"))
+
                  #t)))
            (add-after 'install 'bin-and-desktop-install
              ;; Create 'soffice' and 'libreoffice' symlinks to the executable
@@ -1037,6 +1025,10 @@ and to return information on pronunciations, meanings and synonyms.")
           "--disable-coinmp"
           "--disable-firebird-sdbc" ; embedded firebird
           "--disable-gltf"
+          ;; XXX: PDFium support requires fetching an external tarball and
+          ;; patching the build scripts to work with GCC5.  Try enabling this
+          ;; when our default compiler is >=GCC 6.
+          "--disable-pdfium"
           "--disable-gtk" ; disable use of GTK+ 2
           "--without-doxygen")))
     (home-page "https://www.libreoffice.org/")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a0937582f..39cfc4530 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -970,6 +971,15 @@ Libxml2).")
     (license (license:x11-style "file://COPYING"
                                 "See 'COPYING' in the distribution."))))
 
+(define-public xmlsec-nss
+  (package
+    (inherit xmlsec)
+    (name "xmlsec-nss")
+    (inputs
+     `(("nss" ,nss)
+       ("libltdl" ,libltdl)))
+    (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
+
 (define-public minixml
   (package
     (name "minixml")
-- 
2.16.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11 15:08         ` Marius Bakke
@ 2018-02-11 15:34           ` Marius Bakke
  2018-02-11 15:55             ` Leo Famulari
  2018-02-11 15:36           ` Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Marius Bakke @ 2018-02-11 15:34 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 30414-done

On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> >> From: Marius Bakke <mbakke@fastmail.com>
> >> Date: Sun, 11 Feb 2018 11:46:27 +0100
> >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
> >> 
> >> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> >> (libreoffice): Update to 5.4.5.1.
> >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> >> [inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
> >> LIBJPEG with LIBJPEG-TURBO.
> >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
> >> headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
> >> "--disable-pdfium" to #:configure-flags.
> >> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
> >
> > The only change I suggest is to remove the obsolete comment at the
> > beginning of libreoffice's native-inputs about the xmlsec tarball.
> 
> Good catch.  It seems the autoconf and automake inputs are no longer
> required.  But I unfortunately spoke too soon earlier, it failed very
> late in the build:
> 
> [build CMP] filter/source/xsltdialog/xsltdlg
> ld: cannot find -lltdl
> collect2: error: ld returned 1 exit status
> make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/
> libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-
> build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/
> libxsec_xmlsec.so] Error 1
> make[1]: *** Waiting for unfinished jobs....
> make: *** [Makefile:269: build] Error 2
> phase `build' failed after 2114.1 seconds
> 
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs.  However, I have to leave now, so could you please
> verify that it works and push?  I can provide moral support on #guix if
> nothing else :-)
> 
> TIA!

Never mind, it was actually completed by the time I packed up.
I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).

Thanks for staying on top of the never-ending CVE stream :-)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11 15:08         ` Marius Bakke
  2018-02-11 15:34           ` Marius Bakke
@ 2018-02-11 15:36           ` Leo Famulari
  1 sibling, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2018-02-11 15:36 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 30414

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

On Sun, Feb 11, 2018 at 03:08:59PM +0000, Marius Bakke wrote:
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs.  However, I have to leave now, so could you please
> verify that it works and push?  I can provide moral support on #guix if
> nothing else :-)

Can somebody else do this? I'm actually riding a bus right now and won't
be able to run this build long enough for it to complete.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
  2018-02-11 15:34           ` Marius Bakke
@ 2018-02-11 15:55             ` Leo Famulari
  0 siblings, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2018-02-11 15:55 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 30414-done

[-- Attachment #1: Type: text/plain, Size: 222 bytes --]

On Sun, Feb 11, 2018 at 03:34:42PM +0000, Marius Bakke wrote:
> Never mind, it was actually completed by the time I packed up.
> I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).

Awesome, thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
