GNU bug report logs - #30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 10 Feb 2018 18:54:01 UTC
Severity: normal
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sat, 10 Feb 2018 18:54:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 10 Feb 2018 18:54:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
We need to fix CVE-2018-6871 in our LibreOffice package. This bug allows
remote attackers to read any file accessible from LibreOffice by
supplying a crafted file to open in LibreOffice.
Apparently the bug is fixed in LibreOffice 5.4.5 or 6.0.1.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sat, 10 Feb 2018 21:50:02 GMT)
Message #8 received at 30414 <at> debbugs.gnu.org (full text, mbox):
I'm trying to update LibreOffice to 5.4.5.1.
This version of LibreOffice requires cppunit to be updated to 1.14.0.
However, this new version of cppunit requires C++11.
This is not the default C++ standard in GCC 5, so this update requires
sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
I'd rather try cherry-picking a patch from LibreOffice upstream but
their Git repo is several gigabytes and it will take hours for me to
download it.
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 01:28:01 GMT)
Message #11 received at 30414 <at> debbugs.gnu.org (full text, mbox):
On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari <leo <at> famulari.name> wrote:
>I'm trying to update LibreOffice to 5.4.5.1.
>
>This version of LibreOffice requires cppunit to be updated to 1.14.0.
>
>However, this new version of cppunit requires C++11.
>
>This is not the default C++ standard in GCC 5, so this update requires
>sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
Could we package the newer version separately and override CXXFLAGS for libreoffice only?
>I'd rather try cherry-picking a patch from LibreOffice upstream but
>their Git repo is several gigabytes and it will take hours for me to
>download it.
I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question:
https://github.com/LibreOffice/core
Thanks for working on it!
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 03:55:04 GMT)
Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 11, 2018 at 02:27:44AM +0100, Marius Bakke wrote:
> I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question:
I haven't found them either.
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 14:30:02 GMT)
Message #23 received at 30414 <at> debbugs.gnu.org (full text, mbox):
[the café I'm at is blocking outgoing email, so resending through a browser]
On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
>
>
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari
> <leo <at> famulari.name> wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
>
> Could we package the newer version separately and override CXXFLAGS for
> libreoffice only?
I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build. In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously.
However PDFium fails to build due to requiring newer C++ features, and
my attempts at patching "external/pdfium/Library_pdfium.mk" to add
CXXFLAGS were unsuccessful. So in the end I disabled PDFium support.
It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1:
<https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.
Then there were some other problems related to not finding GPGME
headers, as well as an upstream regression when GTK2 support is
disabled.
Without further ado, here is the patch. I'm still building it, but plan
to push shortly if there are no further issues.
[0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch (text/x-patch, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 14:43:01 GMT)
Message #26 received at 30414 <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 11, 2018 at 02:29:02PM +0000, Marius Bakke wrote:
> I gave this a go, and there were (of course) a lot more changes
> necessary to make this newer libreoffice build. In particular, it now
> works with an external xmlsec (albeit NSS only), and it wants to build
> PDFium(!) in the same fashion as xmlsec was previously.
>
> However PDFium fails to build due to requiring newer C++ features, and
> my attempts at patching "external/pdfium/Library_pdfium.mk" to add
> CXXFLAGS were unsuccessful. So in the end I disabled PDFium support.
>
> It also required libjpeg-turbo instead of libjpeg, although this is
> supposedly fixed in 6.0.1:
> <https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.
>
> Then there were some other problems related to not finding GPGME
> headers, as well as an upstream regression when GTK2 support is
> disabled.
>
> Without further ado, here is the patch. I'm still building it, but plan
> to push shortly if there are no further issues.
Wow, thank you!
> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke <at> fastmail.com>
> Date: Sun, 11 Feb 2018 11:46:27 +0100
> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>
> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> (libreoffice): Update to 5.4.5.1.
> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> LIBJPEG with LIBJPEG-TURBO.
> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add
> "--disable-pdfium" to #:configure-flags.
> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
The only change I suggest is to remove the obsolete comment at the
beginning of libreoffice's native-inputs about the xmlsec tarball.
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 15:10:02 GMT)
Message #29 received at 30414 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
>> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Sun, 11 Feb 2018 11:46:27 +0100
>> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>>
>> * gnu/packages/check.scm (cppunit-1.14): New public variable.
>> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
>> (libreoffice): Update to 5.4.5.1.
>> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
>> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
>> LIBJPEG with LIBJPEG-TURBO.
>> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
>> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add
>> "--disable-pdfium" to #:configure-flags.
>> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
>
> The only change I suggest is to remove the obsolete comment at the
> beginning of libreoffice's native-inputs about the xmlsec tarball.
Good catch. It seems the autoconf and automake inputs are no longer
required. But I unfortunately spoke too soon earlier, it failed very
late in the build:

[build CMP] filter/source/xsltdialog/xsltdlg
ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:269: build] Error 2
phase `build' failed after 2114.1 seconds

I've attached a revised patch that adds libltdl, and removes the
automake inputs. However, I have to leave now, so could you please
verify that it works and push? I can provide moral support on #guix if
nothing else :-)

TIA!
[0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch (text/x-patch, attachment)]
Reply sent to Marius Bakke <mbakke <at> fastmail.com>: You have taken responsibility. (Sun, 11 Feb 2018 15:35:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Sun, 11 Feb 2018 15:35:02 GMT)
Message #34 received at 30414-done <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> >> From: Marius Bakke <mbakke <at> fastmail.com>
> >> Date: Sun, 11 Feb 2018 11:46:27 +0100
> >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
> >>
> >> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> >> (libreoffice): Update to 5.4.5.1.
> >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> >> LIBJPEG with LIBJPEG-TURBO.
> >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> >> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add
> >> "--disable-pdfium" to #:configure-flags.
> >> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
> >
> > The only change I suggest is to remove the obsolete comment at the
> > beginning of libreoffice's native-inputs about the xmlsec tarball.
>
> Good catch. It seems the autoconf and automake inputs are no longer
> required. But I unfortunately spoke too soon earlier, it failed very
> late in the build:
>
> [build CMP] filter/source/xsltdialog/xsltdlg
> ld: cannot find -lltdl
> collect2: error: ld returned 1 exit status
> make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/
> libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-
> build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/
> libxsec_xmlsec.so] Error 1
> make[1]: *** Waiting for unfinished jobs....
> make: *** [Makefile:269: build] Error 2
> phase `build' failed after 2114.1 seconds
>
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs. However, I have to leave now, so could you please
> verify that it works and push? I can provide moral support on #guix if
> nothing else :-)
>
> TIA!
Never mind, it was actually completed by the time I packed up.
I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).
Thanks for staying on top of the never-ending CVE stream :-)
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Sun, 11 Feb 2018 15:37:01 GMT)
Message #37 received at 30414 <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 11, 2018 at 03:08:59PM +0000, Marius Bakke wrote:
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs. However, I have to leave now, so could you please
> verify that it works and push? I can provide moral support on #guix if
> nothing else :-)
Can somebody else do this? I'm actually riding a bus right now and won't
be able to run this build long enough for it to complete.
Information forwarded to bug-guix <at> gnu.org: bug#30414; Package guix. (Mon, 12 Feb 2018 15:10:03 GMT)
Message #40 received at 30414-done <at> debbugs.gnu.org (full text, mbox):
On Sun, Feb 11, 2018 at 03:34:42PM +0000, Marius Bakke wrote:
> Never mind, it was actually completed by the time I packed up.
> I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).
Awesome, thanks!
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 13 Mar 2018 11:24:04 GMT)