Leo Famulari <l...@famulari.name> writes: >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001 >> From: Marius Bakke <mba...@fastmail.com> >> Date: Sun, 11 Feb 2018 11:46:27 +0100 >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871]. >> >> * gnu/packages/check.scm (cppunit-1.14): New public variable. >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable. >> (libreoffice): Update to 5.4.5.1. >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14. >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace >> LIBJPEG with LIBJPEG-TURBO. >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ >> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add >> "--disable-pdfium" to #:configure-flags. >> * gnu/packages/xml.scm (xmlsec-nss): New public variable. > > The only change I suggest is to remove the obsolete comment at the > beginning of libreoffice's native-inputs about the xmlsec tarball.
Good catch. It seems the autoconf and automake inputs are no longer required. But I unfortunately spoke too soon earlier, it failed very late in the build: [build CMP] filter/source/xsltdialog/xsltdlg ld: cannot find -lltdl collect2: error: ld returned 1 exit status make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so] Error 1 make[1]: *** Waiting for unfinished jobs.... make: *** [Makefile:269: build] Error 2 phase `build' failed after 2114.1 seconds I've attached a revised patch that adds libltdl, and removes the automake inputs. However, I have to leave now, so could you please verify that it works and push? I can provide moral support on #guix if nothing else :-) TIA!
From 78a216026cc5d4be4e1623fbe8b3632f47b99ef8 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mba...@fastmail.com>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14. Remove AUTOCONF and AUTOMAKE.
[inputs]: Add GPGME, XMLSEC-NSS and LIBLTDL. Remove XMLSEC-SRC-LIBREOFFICE. Replace LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++ headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add "--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
gnu/packages/check.scm | 17 +++++++++++
gnu/packages/libreoffice.scm | 70 ++++++++++++++++++++------------------------
gnu/packages/xml.scm | 12 +++++++-
3 files changed, 59 insertions(+), 40 deletions(-)
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..92f493592 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing. Test output is in XML for automatic testing and GUI based for supervised tests.") (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball +;; Some packages require this newer version of cppunit. However, it needs +;; C++11 support, which is not enabled by default in our current GCC, and +;; updating in-place would require adding CXXFLAGS to many dependent packages. +;; Thus, keep as a separate variable for now. +;; TODO: Remove this when our default GCC is updated to 6 or higher. +(define-public cppunit-1.14 + (package + (inherit cppunit) + (version "1.14.0") + (source (origin + (method url-fetch) + (uri (string-append "https://dev-www.libreoffice.org/src/" + "cppunit-" version ".tar.gz")) + (sha256 + (base32 + "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix")))))) + (define-public catch-framework (package (name "catch") diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm index 799b06243..47dd21b3b 100644 --- a/gnu/packages/libreoffice.scm +++ b/gnu/packages/libreoffice.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2017 Tobias Geerinckx-Rice <m...@tobias.gr> ;;; Copyright © 2017 Andy Wingo <wi...@igalia.com> ;;; Copyright © 2017 Ludovic Courtès <l...@gnu.org> -;;; Copyright © 2017 Marius Bakke <mba...@fastmail.com> +;;; Copyright © 2017, 2018 Marius Bakke <mba...@fastmail.com> ;;; Copyright © 2017 Rutger Helling <rhell...@mykolab.com> ;;; ;;; This file is part of GNU Guix. @@ -54,6 +54,7 @@ #:use-module (gnu packages glib) #:use-module (gnu packages gnome) #:use-module (gnu packages gperf) + #:use-module (gnu packages gnupg) #:use-module (gnu packages gnuzilla) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) 
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.") (license (non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -;; LibreOffice requires an xmlsec source tarball; it does not even check -;; for the presence of an externally compiled library. -(define xmlsec-src-libreoffice - (origin - (method url-fetch) - (uri - (string-append - "http://dev-www.libreoffice.org/src/" - "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz")) - (sha256 (base32 - "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21")))) - (define-public libreoffice (package (name "libreoffice") - (version "5.3.7.2") + (version "5.4.5.1") (source (origin (method url-fetch) @@ -863,16 +852,11 @@ and to return information on pronunciations, meanings and synonyms.") "https://download.documentfoundation.org/libreoffice/src/" (version-prefix version 3) "/libreoffice-" version ".tar.xz")) (sha256 (base32 - "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3")))) + "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb")))) (build-system gnu-build-system) (native-inputs - `(;; autoreconf is run by the LibreOffice build system, since after - ;; unpacking the external xmlsec tarball, it applies a series of - ;; patches to Makefile.am, configure.in, config.guess and config.sub. - ("autoconf" ,autoconf) - ("automake" ,automake) - ("bison" ,bison) - ("cppunit" ,cppunit) + `(("bison" ,bison) + ("cppunit" ,cppunit-1.14) ("flex" ,flex) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -888,6 +872,7 @@ and to return information on pronunciations, meanings and synonyms.") ("glew" ,glew) ("glm" ,glm) ("gperf" ,gperf) + ("gpgme" ,gpgme) ("graphite2" ,graphite2) ("gst-plugins-base" ,gst-plugins-base) ("gtk+" ,gtk+) 
@@ -897,12 +882,14 @@ and to return information on pronunciations, meanings and synonyms.") ("libabw" ,libabw) ("libcdr" ,libcdr) ("libcmis" ,libcmis) - ("libjpeg" ,libjpeg) + ("libjpeg-turbo" ,libjpeg-turbo) ("libe-book" ,libe-book) ("libetonyek" ,libetonyek) ("libexttextcat" ,libexttextcat) ("libfreehand" ,libfreehand) ("liblangtag" ,liblangtag) + ;; XXX: Perhaps this should be propagated from xmlsec. + ("libltdl" ,libltdl) ("libmspub" ,libmspub) ("libmwaw" ,libmwaw) ("libodfgen" ,libodfgen) @@ -935,7 +922,7 @@ and to return information on pronunciations, meanings and synonyms.") ("unixodbc" ,unixodbc) ("unzip" ,unzip) ("vigra" ,vigra) - ("xmlsec-src" ,xmlsec-src-libreoffice) + ("xmlsec" ,xmlsec-nss) ("zip" ,zip))) (arguments `(#:tests? #f ; Building the tests already fails. 
@@ -944,26 +931,27 @@ and to return information on pronunciations, meanings and synonyms.") (modify-phases %standard-phases (add-before 'configure 'prepare-src (lambda* (#:key inputs #:allow-other-keys) - (let ((xmlsec (assoc-ref inputs "xmlsec-src"))) + (let ((gpgme (assoc-ref inputs "gpgme"))) (substitute* (list "sysui/CustomTarget_share.mk" "solenv/gbuild/gbuild.mk" "solenv/gbuild/platform/unxgcc.mk") (("/bin/sh") (which "sh"))) - (mkdir "external/tarballs") - (symlink - xmlsec - (string-append "external/tarballs/" - "86b1daaa438f5a7bea9a52d7b9799ac0-" - "xmlsec1-1.2.23.tar.gz")) - ;; The following is required for building xmlsec from the - ;; unpatched external tarball; since "configure" starts with - ;; "/bin/sh", it needs to be executed by a command invoking - ;; the shell. - (setenv "SHELL" (which "bash")) - (setenv "CONFIG_SHELL" (which "bash")) - (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk" - (("./configure") "$(CONFIG_SHELL) ./configure" )) + + ;; GPGME++ headers are installed in a gpgme++ subdirectory, + ;; but files in "xmlsecurity/source/gpg/" expect to find them + ;; on the include path without a prefix. + (substitute* "xmlsecurity/Library_xsec_xmlsec.mk" + (("\\$\\$\\(INCLUDE\\)") + (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++"))) + + ;; XXX: When GTK2 is disabled, one header file is not included. + ;; This is likely fixed in later versions. See also + ;; <https://bugs.gentoo.org/641812>. + (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx" + (("#include <unx/gtk/gtkgdi.hxx>") + "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>")) + #t))) (add-after 'install 'bin-and-desktop-install ;; Create 'soffice' and 'libreoffice' symlinks to the executable 
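Review bot: `substitute*` does not fail when its pattern stops matching, so the `vcl/unx/gtk3/gtk3gtkframe.cxx` workaround in `prepare-src` can silently become a no-op, or linger after upstream fixes the missing include, with nothing in the build output to show it. The XXX comment says the issue is "likely fixed in later versions" but not which version it was written against. I would pin that in the comment, e.g. `;; XXX: Needed as of 5.4.5.1; recheck and drop on the next update.` The same applies less urgently to the `$$(INCLUDE)` rewrite, which would at least fail loudly on the missing GPGME++ headers. The enclosing `modify-phases` form continues outside this hunk.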
@@ -1037,6 +1025,10 @@ and to return information on pronunciations, meanings and synonyms.") "--disable-coinmp" "--disable-firebird-sdbc" ; embedded firebird "--disable-gltf" + ;; XXX: PDFium support requires fetching an external tarball and + ;; patching the build scripts to work with GCC5. Try enabling this + ;; when our default compiler is >=GCC 6. + "--disable-pdfium" "--disable-gtk" ; disable use of GTK+ 2 "--without-doxygen"))) (home-page "https://www.libreoffice.org/") diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index a0937582f..39cfc4530 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -13,7 +13,7 @@ ;;; Copyright © 2016 Jan Nieuwenhuizen <jann...@gnu.org> ;;; Copyright © 2016, 2017 ng0 <contact....@cryptolab.net> ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <m...@tobias.gr> -;;; Copyright © 2016, 2017 Marius Bakke <mba...@fastmail.com> +;;; Copyright © 2016, 2017, 2018 Marius Bakke <mba...@fastmail.com> ;;; Copyright © 2017 Adriano Peluso <caton...@gmail.com> ;;; Copyright © 2017 Gregor Giesen <gie...@zaehlwerk.net> ;;; Copyright © 2017 Alex Vong <alexvong1...@gmail.com> @@ -40,6 +40,7 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages compression) #:use-module (gnu packages gnupg) + #:use-module (gnu packages gnuzilla) #:use-module (gnu packages perl) #:use-module (gnu packages perl-check) #:use-module (gnu packages python) @@ -970,6 +971,15 @@ Libxml2).") (license (license:x11-style "file://COPYING" "See 'COPYING' in the distribution.")))) +(define-public xmlsec-nss + (package + (inherit xmlsec) + (name "xmlsec-nss") + (inputs + `(("nss" ,nss) + ("libltdl" ,libltdl))) + (synopsis "XML Security Library (using NSS instead of GnuTLS)"))) + (define-public minixml (package (name "minixml") -- 2.16.1
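Review bot: Nothing visible in the new `xmlsec-nss` definition (the last hunk, in `gnu/packages/xml.scm`) tells configure which crypto backend to build. It replaces the inherited `inputs` with NSS and libltdl and otherwise inherits everything from `xmlsec`, whose `arguments` are not shown here, so the backend is presumably selected by auto-detection. Since this package is what LibreOffice now links for its xmlsecurity library, I would record that assumption above `(inputs`, e.g. `;; No GnuTLS in inputs: configure is expected to pick NSS as the only available backend.` It is also worth confirming in the build log that the NSS backend is what gets built. If the parent passes backend-specific configure flags, they are inherited unchanged and would need overriding in this definition.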