Subject: Status: Libreoffice CVE-2018-6871 [remote read of any local files]

retitle 30414 Libreoffice CVE-2018-6871 [remote read of any local files]
reassign 30414 guix
submitter 30414 Leo Famulari
severity 30414 normal
thanks

From: Leo Famulari
To: bug-guix@gnu.org
Date: Sat, 10 Feb 2018 13:52:46 -0500
Subject: Libreoffice CVE-2018-6871 [remote read of any local files]

We need to fix CVE-2018-6871 in our LibreOffice package.

This bug allows remote attackers to read any file accessible from
LibreOffice by supplying a crafted file to open in LibreOffice.

Apparently the bug is fixed in LibreOffice 5.4.5 or 6.0.1.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

From: Leo Famulari
To: 30414@debbugs.gnu.org
Date: Sat, 10 Feb 2018 16:49:52 -0500
Subject: RE: Libreoffice CVE-2018-6871 [remote read of any local files]

I'm trying to update LibreOffice to 5.4.5.1.

This version of LibreOffice requires cppunit to be updated to 1.14.0.

However, this new version of cppunit requires C++11.

This is not the default C++ standard in GCC 5, so this update requires
sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.

I'd rather try cherry-picking a patch from LibreOffice upstream but
their Git repo is several gigabytes and it will take hours for me to
download it.

From: Marius Bakke
To: bug-guix@gnu.org, Leo Famulari, 30414@debbugs.gnu.org
Date: Sun, 11 Feb 2018 02:27:44 +0100
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari wrote:
>I'm trying to update LibreOffice to 5.4.5.1.
>
>This version of LibreOffice requires cppunit to be updated to 1.14.0.
>
>However, this new version of cppunit requires C++11.
>
>This is not the default C++ standard in GCC 5, so this update requires
>sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.

Could we package the newer version separately and override CXXFLAGS for
libreoffice only?

>I'd rather try cherry-picking a patch from LibreOffice upstream but
>their Git repo is several gigabytes and it will take hours for me to
>download it.

I was digging through the GitHub mirror, but haven't been able to find
the commit(s) in question:

https://github.com/LibreOffice/core

Thanks for working on it!
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From: Leo Famulari
To: Marius Bakke
Cc: bug-guix@gnu.org, 30414@debbugs.gnu.org
Date: Sat, 10 Feb 2018 22:54:04 -0500
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

On Sun, Feb 11, 2018 at 02:27:44AM +0100, Marius Bakke wrote:
> I was digging through the GitHub mirror, but haven't been able to find the commit(s) in question:

I haven't found them either.

From: Marius Bakke
To: Leo Famulari, 30414@debbugs.gnu.org
Date: Sun, 11 Feb 2018 14:29:02 +0000
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

[the café I'm at is blocking outgoing email, so resending through a
browser]

On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
>
> Could we package the newer version separately and override CXXFLAGS for
> libreoffice only?

I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build. In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously. However PDFium
fails to build due to requiring newer C++ features, and my attempts at
patching "external/pdfium/Library_pdfium.mk" to add CXXFLAGS were
unsuccessful. So in the end I disabled PDFium support.
It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1: . Then there were some other problems related
to not finding GPGME headers, as well as an upstream regression when
GTK2 support is disabled.

Without further ado, here is the patch. I'm still building it, but plan
to push shortly if there are no further issues.

[Attachment: 0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch (text/x-patch)]
Y2UnIGFuZCAnbGlicmVvZmZpY2UnIHN5bWxpbmtzIHRvIHRoZSBleGVjdXRh YmxlCkBAIC0xMDM3LDYgKzEwMjgsMTAgQEAgYW5kIHRvIHJldHVybiBpbmZv cm1hdGlvbiBvbiBwcm9udW5jaWF0aW9ucywgbWVhbmluZ3MgYW5kIHN5bm9u eW1zLiIpCiAgICAgICAgICAgIi0tZGlzYWJsZS1jb2lubXAiCiAgICAgICAg ICAgIi0tZGlzYWJsZS1maXJlYmlyZC1zZGJjIiA7IGVtYmVkZGVkIGZpcmVi aXJkCiAgICAgICAgICAgIi0tZGlzYWJsZS1nbHRmIgorICAgICAgICAgIDs7 IFhYWDogUERGaXVtIHN1cHBvcnQgcmVxdWlyZXMgZmV0Y2hpbmcgYW4gZXh0 ZXJuYWwgdGFyYmFsbCBhbmQKKyAgICAgICAgICA7OyBwYXRjaGluZyB0aGUg YnVpbGQgc2NyaXB0cyB0byB3b3JrIHdpdGggR0NDNS4gIFRyeSBlbmFibGlu ZyB0aGlzCisgICAgICAgICAgOzsgd2hlbiBvdXIgZGVmYXVsdCBjb21waWxl ciBpcyA+PUdDQyA2LgorICAgICAgICAgICItLWRpc2FibGUtcGRmaXVtIgog ICAgICAgICAgICItLWRpc2FibGUtZ3RrIiA7IGRpc2FibGUgdXNlIG9mIEdU SysgMgogICAgICAgICAgICItLXdpdGhvdXQtZG94eWdlbiIpKSkKICAgICAo aG9tZS1wYWdlICJodHRwczovL3d3dy5saWJyZW9mZmljZS5vcmcvIikKZGlm ZiAtLWdpdCBhL2dudS9wYWNrYWdlcy94bWwuc2NtIGIvZ251L3BhY2thZ2Vz L3htbC5zY20KaW5kZXggYTA5Mzc1ODJmLi4zOWNmYzQ1MzAgMTAwNjQ0Ci0t LSBhL2dudS9wYWNrYWdlcy94bWwuc2NtCisrKyBiL2dudS9wYWNrYWdlcy94 bWwuc2NtCkBAIC0xMyw3ICsxMyw3IEBACiA7OzsgQ29weXJpZ2h0IMKpIDIw MTYgSmFuIE5pZXV3ZW5odWl6ZW4gPGphbm5la2VAZ251Lm9yZz4KIDs7OyBD b3B5cmlnaHQgwqkgMjAxNiwgMjAxNyBuZzAgPGNvbnRhY3QubmcwQGNyeXB0 b2xhYi5uZXQ+CiA7OzsgQ29weXJpZ2h0IMKpIDIwMTYsIDIwMTcsIDIwMTgg VG9iaWFzIEdlZXJpbmNreC1SaWNlIDxtZUB0b2JpYXMuZ3I+Ci07OzsgQ29w eXJpZ2h0IMKpIDIwMTYsIDIwMTcgTWFyaXVzIEJha2tlIDxtYmFra2VAZmFz dG1haWwuY29tPgorOzs7IENvcHlyaWdodCDCqSAyMDE2LCAyMDE3LCAyMDE4 IE1hcml1cyBCYWtrZSA8bWJha2tlQGZhc3RtYWlsLmNvbT4KIDs7OyBDb3B5 cmlnaHQgwqkgMjAxNyBBZHJpYW5vIFBlbHVzbyA8Y2F0b25hbm9AZ21haWwu Y29tPgogOzs7IENvcHlyaWdodCDCqSAyMDE3IEdyZWdvciBHaWVzZW4gPGdp ZXNlbkB6YWVobHdlcmsubmV0PgogOzs7IENvcHlyaWdodCDCqSAyMDE3IEFs ZXggVm9uZyA8YWxleHZvbmcxOTk1QGdtYWlsLmNvbT4KQEAgLTQwLDYgKzQw LDcgQEAKICAgIzp1c2UtbW9kdWxlIChnbnUgcGFja2FnZXMgYXV0b3Rvb2xz KQogICAjOnVzZS1tb2R1bGUgKGdudSBwYWNrYWdlcyBjb21wcmVzc2lvbikK ICAgIzp1c2UtbW9kdWxlIChnbnUgcGFja2FnZXMgZ251cGcpCisgICM6dXNl 

From: Leo Famulari
To: Marius Bakke
Cc: 30414@debbugs.gnu.org
Date: Sun, 11 Feb 2018 09:42:14 -0500
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Message-ID: <20180211144214.GA21042@jasmine.lan>

On Sun, Feb 11, 2018 at 02:29:02PM +0000, Marius Bakke wrote:
> I gave this a go, and there were (of course) a lot more changes
> necessary to make this newer libreoffice build. In particular, it now
> works with an external xmlsec (albeit NSS only), and it wants to build
> PDFium(!) in the same fashion as xmlsec was previously.
>
> However PDFium fails to build due to requiring newer C++ features, and
> my attempts at patching "external/pdfium/Library_pdfium.mk" to add
> CXXFLAGS were unsuccessful. So in the end I disabled PDFium support.
>
> It also required libjpeg-turbo instead of libjpeg, although this is
> supposedly fixed in 6.0.1:
> .
>
> Then there were some other problems related to not finding GPGME
> headers, as well as an upstream regression when GTK2 support is
> disabled.
>
> Without further ado, here is the patch. I'm still building it, but plan
> to push shortly if there are no further issues.

Wow, thank you!

> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Sun, 11 Feb 2018 11:46:27 +0100
> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>
> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> (libreoffice): Update to 5.4.5.1.
> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> LIBJPEG with LIBJPEG-TURBO.
> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> headers are found. Add workaround for . Add
> "--disable-pdfium" to #:configure-flags.
> * gnu/packages/xml.scm (xmlsec-nss): New public variable.

The only change I suggest is to remove the obsolete comment at the
beginning of libreoffice's native-inputs about the xmlsec tarball.

From: Marius Bakke
To: Leo Famulari
Cc: 30414@debbugs.gnu.org
Date: Sun, 11 Feb 2018 15:08:59 +0000
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Message-Id: <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com>

Leo Famulari writes:

>> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Sun, 11 Feb 2018 11:46:27 +0100
>> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>>
>> * gnu/packages/check.scm (cppunit-1.14): New public variable.
>> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
>> (libreoffice): Update to 5.4.5.1.
>> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
>> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
>> LIBJPEG with LIBJPEG-TURBO.
>> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
>> headers are found. Add workaround for . Add
>> "--disable-pdfium" to #:configure-flags.
>> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
>
> The only change I suggest is to remove the obsolete comment at the
> beginning of libreoffice's native-inputs about the xmlsec tarball.

Good catch. It seems the autoconf and automake inputs are no longer
required.

But I unfortunately spoke too soon earlier, it failed very late in the
build:

[build CMP] filter/source/xsltdialog/xsltdlg
ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:269: build] Error 2
phase `build' failed after 2114.1 seconds

I've attached a revised patch that adds libltdl, and removes the
automake inputs.

However, I have to leave now, so could you please verify that it works
and push? I can provide moral support on #guix if nothing else :-)

TIA!

Content-Disposition: attachment; filename="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch"
Content-Type: text/x-patch; name="0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch"

From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 11 10:34:45 2018
From: Marius Bakke
To: Leo Famulari
Cc: 30414-done@debbugs.gnu.org
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Date: Sun, 11 Feb 2018 15:34:42 +0000
Message-Id: <1518363282.185370.1267018608.237C7FC5@webmail.messagingengine.com>
In-Reply-To: <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com>

On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote:
> Leo Famulari writes:
>
> >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> >> From: Marius Bakke
> >> Date: Sun, 11 Feb 2018 11:46:27 +0100
> >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
> >>
> >> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> >> (libreoffice): Update to 5.4.5.1.
> >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> >> LIBJPEG with LIBJPEG-TURBO.
> >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> >> headers are found. Add workaround for . Add
> >> "--disable-pdfium" to #:configure-flags.
> >> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
> >
> > The only change I suggest is to remove the obsolete comment at the
> > beginning of libreoffice's native-inputs about the xmlsec tarball.
>
> Good catch. It seems the autoconf and automake inputs are no longer
> required. But I unfortunately spoke too soon earlier, it failed very
> late in the build:
>
> [build CMP] filter/source/xsltdialog/xsltdlg
> ld: cannot find -lltdl
> collect2: error: ld returned 1 exit status
> make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/
> libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-
> build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/
> libxsec_xmlsec.so] Error 1
> make[1]: *** Waiting for unfinished jobs....
> make: *** [Makefile:269: build] Error 2
> phase `build' failed after 2114.1 seconds
>
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs. However, I have to leave now, so could you please
> verify that it works and push? I can provide moral support on #guix if
> nothing else :-)
>
> TIA!

Never mind, it was actually completed by the time I packed up.

I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).

Thanks for staying on top of the never-ending CVE stream :-)

From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 11 10:36:52 2018
From: Leo Famulari
To: Marius Bakke
Cc: 30414@debbugs.gnu.org
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Date: Sun, 11 Feb 2018 10:36:48 -0500
Message-ID: <20180211153648.GB1853@jasmine.lan>
In-Reply-To: <1518361739.176445.1267005016.063B804B@webmail.messagingengine.com>

On Sun, Feb 11, 2018 at 03:08:59PM +0000, Marius Bakke wrote:
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs. However, I have to leave now, so could you please
> verify that it works and push? I can provide moral support on #guix if
> nothing else :-)

Can somebody else do this? I'm actually riding a bus right now and won't
be able to run this build long enough for it to complete.

From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 12 10:09:44 2018
From: Leo Famulari
To: Marius Bakke
Cc: 30414-done@debbugs.gnu.org
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
Date: Sun, 11 Feb 2018 10:55:39 -0500
Message-ID: <20180211155539.GA4079@jasmine.lan>
In-Reply-To: <1518363282.185370.1267018608.237C7FC5@webmail.messagingengine.com>

On Sun, Feb 11, 2018 at 03:34:42PM +0000, Marius Bakke wrote:
> Never mind, it was actually completed by the time I packed up.
> I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).

Awesome, thanks!

From unknown Sat Sep 13 11:54:20 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 13 Mar 2018 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator