Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
>
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so
>> yet.
>> After it is tested feel free to upload it.
>
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...
It took some time to get it built due to libgraphite2-dev FTBFS-ing libreoffice,
but the attached patch for graphite2 solves that.
A binary build was needed anyway since wheezy-security does not accept
source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can still parse
a valid RTF [1].
Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here when
the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan to upload both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf
diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog --- graphite2-1.3.6/debian/changelog 2016-03-09 12:12:34.000000000 +0100 +++ graphite2-1.3.6/debian/changelog 2016-07-29 19:30:16.000000000 +0200 @@ -1,3 +1,10 @@ +graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium + + * LTS Team upload + * Fix .shlibs file to let reverse depenencies build + + -- Balint Reczey <[email protected]> Fri, 29 Jul 2016 19:29:22 +0200 + graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high * rebuild for oldstable-security diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs --- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-03-09 12:09:32.000000000 +0100 +++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-07-30 00:38:31.000000000 +0200 @@ -1 +1 @@ -libgraphite2 3 libgraphite2-2.0.0 +libgraphite2 2.0.0 libgraphite2-2.0.0 (>= 1.3.6-1~)
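Review bot: typo in the 1.3.6-1~deb7u2 changelog entry, "reverse depenencies" should read "reverse dependencies"; worth fixing before upload since this text ends up in the package's changelog.Debian.gz and usually gets pasted into the DLA.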
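Review bot: the libgraphite2-2.0.0.shlibs hunk is the actual fix and looks right, but the reason should be spelled out somewhere (changelog or a comment in the patch): the previous entry `libgraphite2 3 libgraphite2-2.0.0` declares soversion 3 while the binary package is libgraphite2-2.0.0, and dpkg-shlibdeps matches the shlibs entry against the SONAME of the shared object it finds, so with a mismatched soversion any reverse dependency that links against the library fails at the dh_shlibdeps step with "no dependency information found for libgraphite2.so..." (the libreoffice FTBFS mentioned above). The new line `libgraphite2 2.0.0 libgraphite2-2.0.0 (>= 1.3.6-1~)` only makes sense if the shipped library really has SONAME libgraphite2.so.2.0.0; please confirm with `objdump -p` on the .so in the built package before uploading, and note that the `~` in `(>= 1.3.6-1~)` is what lets 1.3.6-1~deb7u2 itself satisfy the generated dependency. The shlibs that lands in /var/lib/dpkg/info/libgraphite2-2.0.0.shlibs after installing the rebuilt package is the easiest place to check the result.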
diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog --- libreoffice-3.5.4+dfsg2/debian/changelog 2016-02-11 18:15:51.000000000 +0100 +++ libreoffice-3.5.4+dfsg2/debian/changelog 2016-07-30 12:58:16.000000000 +0200 @@ -1,3 +1,17 @@ +libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high + + [ Rene Engelhard ] + * merge from Ubuntu: + - SECURITY UPDATE: Denial of service and possible arbitrary code execution + via a crafted RTF file + + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free + + CVE-2016-4324 + + [ Balint Reczey ] + * depend on libgraphite2-dev version which has working shlibs file + + -- Balint Reczey <[email protected]> Sat, 30 Jul 2016 12:58:14 +0200 + libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control --- libreoffice-3.5.4+dfsg2/debian/control 2013-05-29 23:22:11.000000000 +0200 +++ libreoffice-3.5.4+dfsg2/debian/control 2016-07-30 12:52:29.000000000 +0200 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian LibreOffice Maintainers <[email protected]> Uploaders: Rene Engelhard <[email protected]> -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev +Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), 
dmake (>= 1:4.11), libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev Build-Depends-Indep: fdupes, xml-core, imagemagick, fontforge Build-Conflicts: libcairo2 (= 1.4.8-1), libxul-dev (= 1.8.0.13~pre070720-0etch1), gjdoc (= 0.7.8-2), libc6-dev (= 2.6.1-3) [i386 amd64], libc6-dev (= 2.6.1-4) [i386 amd64], libc0.1-dev (= 2.13-26) [kfreebsd-i386 kfreebsd-amd64], nvidia-glx-dev, nvidia-glx-legacy-dev, gcj-4.2 (= 4.2.2-6), flex (= 2.5.34-1) [amd64], libboost1.39-dev (<< 1.39.0-2), graphicsmagick-imagemagick-compat (<< 1.3.9~), qt3-dev-tools, ant (= 1.8.0-1) [hppa kfreebsd-i386 kfreebsd-amd64], ant (= 1.8.0-2) [hppa kfreebsd-i386 kfreebsd-amd64], ant (= 1.8.0-3) [hppa kfreebsd-i386 kfreebsd-amd64], g++-4.6 (= 4.6.1-10), g++-4.6 (= 4.6.1-11), gcc (>= 4:4.7~) [!i386 !amd64 !kfreebsd-i386 !kfreebsd-amd64], g++ (>= 4:4.7~) [!i386 !amd64 !kfreebsd-i386 !kfreebsd-amd64], base-files (= 6.0), base-files (= 6.0squeeze1), libhsqldb-java (>= 1.8.1~) Standards-Version: 3.9.1 diff -Nru libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff 
libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff --- libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff 1970-01-01 01:00:00.000000000 +0100 +++ libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff 2016-07-28 17:23:27.000000000 +0200 @@ -0,0 +1,13 @@ +Index: libreoffice-3.5.7/writerfilter/source/rtftok/rtfdocumentimpl.cxx +=================================================================== +--- libreoffice-3.5.7.orig/writerfilter/source/rtftok/rtfdocumentimpl.cxx 2016-06-25 00:31:33.000000000 +0200 ++++ libreoffice-3.5.7/writerfilter/source/rtftok/rtfdocumentimpl.cxx 2016-06-25 02:45:28.997653128 +0200 +@@ -486,6 +486,8 @@ + + void RTFDocumentImpl::parBreak() + { ++ if(m_aStates.empty()) ++ return; + checkFirstRun(); + checkNeedPap(); + // end previous paragraph diff -Nru libreoffice-3.5.4+dfsg2/debian/patches/series libreoffice-3.5.4+dfsg2/debian/patches/series --- libreoffice-3.5.4+dfsg2/debian/patches/series 2016-02-05 21:01:41.000000000 +0100 +++ libreoffice-3.5.4+dfsg2/debian/patches/series 2016-07-28 17:32:56.000000000 +0200 @@ -62,3 +62,4 @@ V-a7vjdei7l7.diff V-mgylorku1q.diff V-pxk0pgyk9d.diff +rtf-use-after-free.diff
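Review bot: the only changed token in the debian/control hunk is `libgraphite2-dev (>= 0.9.3)` becoming `libgraphite2-dev (>= 1.3.6-1~deb7u2)`, which makes this upload order-dependent on the graphite2 shlibs fix: graphite2 1.3.6-1~deb7u2 has to be accepted and built on every architecture in the `[!alpha !armel !sparc]` set before libreoffice is uploaded, otherwise the buildds will mark it BD-Uninstallable. A versioned build-dependency on the -dev package is the correct mechanism here even though the fix is in the runtime package's .shlibs file, because the -dev package's own dependency pulls in the matching libgraphite2-2.0.0 and dpkg-shlibdeps reads the shlibs of whatever runtime package is installed. Since the whole Build-Depends line is rewritten in the diff, a reviewer cannot see the change without diffing the two lines word by word; the changelog entry "depend on libgraphite2-dev version which has working shlibs file" is what makes it reviewable, so keep that wording (and consider naming the version there).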
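Review bot: in rtf-use-after-free.diff the entire fix is the early return `if(m_aStates.empty()) return;` at the top of RTFDocumentImpl::parBreak(), so a crafted RTF that reaches a paragraph break with an empty state stack is now silently skipped at that point rather than rejected as malformed; that is acceptable for a security backport but should be stated in the patch header, which is currently missing altogether (no DEP-3 Description, Origin pointing at the Ubuntu package or upstream commit, or Bug line carrying CVE-2016-4324, even though the changelog says "merge from Ubuntu"). Two things to verify before upload: the paths inside the patch reference libreoffice-3.5.7 while this source is 3.5.4+dfsg2 and the `@@ -486,6 +486,8 @@` offsets come from 3.5.7, so run `quilt push -a` and confirm the hunk applies to writerfilter/source/rtftok/rtfdocumentimpl.cxx without fuzz (quilt's default -p1 strips the differing directory prefix); and check that the functions called right after the guard, checkFirstRun() and checkNeedPap(), plus anything else in this file that dereferences m_aStates.top() around a paragraph break, do not need the same guard, since that context is outside the three lines shown here. Testing with the sample RTF referenced above covers the non-regression side but not the crash path; a reproducer for the CVE, if one is available from the Ubuntu or upstream report, should be run against the built package too.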
