GNU bug report logs - #30414
Libreoffice CVE-2018-6871 [remote read of any local files]

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Feb 2018 18:54:01 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

Full log

Message #23 received at 30414 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 30414 <at> debbugs.gnu.org
Subject: Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local
 files]
Date: Sun, 11 Feb 2018 14:29:02 +0000

[Message part 1 (text/plain, inline)]
[the café I'm at is blocking outgoing email, so resending through a browser]

On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
> 
> 
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari 
> <leo <at> famulari.name> wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
> 
> Could we package the newer version separately and override CXXFLAGS for 
> libreoffice only?

I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build.  In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously.

However PDFium fails to build due to requiring newer C++ features, and
my attempts at patching "external/pdfium/Library_pdfium.mk" to add
CXXFLAGS were unsuccessful.  So in the end I disabled PDFium support.

It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1:
<https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.

Then there were some other problems related to not finding GPGME
headers, as well as an upstream regression when GTK2 support is
disabled.

Without further ado, here is the patch.  I'm still building it, but plan
to push shortly if there are no further issues. 

[0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch (text/x-patch, attachment)]
This bug report was last modified 7 years and 186 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.