On 07/25/2016 12:45 AM, Dennis E. Hamilton wrote:
The patched DLL is shipped with an external digital signature.  I guess we 
could ask that to be installed alongside it.  That would be a good tell-tale.

The web site where the patch is downloadable from will have hashes for the 
archive containing the patched library and will also have an external signature 
for that.  These are on a secure AOO infrastructure site, the best place to 
retrieve hashes and signature files.  There is no reason not to have a hash of 
the library inside the downloadable archive for those who, for some reason, 
cannot check the signature but can verify the hash.

In the manual procedure, we will ask users to rename the existing 
shared-library before copying in the replacement.  This will provide a means to 
revert to the patched library if a regression results.

There is a difference in file-creation dates and in the size of the files as 
well.  The procedure for hotfixing with the patched library should provide that 
information to discourage attempting to patch a different release and also make 
it easier to tell the patch is there.

You're right that different builds by others who look to just extract the 
shared library will likely end up with a different binary of that library.  For 
a binary distribution from any origin that has the patch compiled-in, I would 
think something like the static string might be helpful.  If we do that in the 
AOO4121 tag, we'll have to redo the patched libraries we've already built.  I 
was hoping we could avoid that and stick with ones we have done some testing on 
already.

- file size
- file date+time
- hash value
- signature.

With this we have IMHO enough differences to give the users at hand so that they can see what's old and new.

Then we have enough differences to avoid touching the source again. However, I appreciate this easy and clever thing to make the difference visible.

Is what we're planning enough?

For the moment I think so.

Marcus



-----Original Message-----
From: Don Lewis [mailto:truck...@apache.org]
Sent: Sunday, July 24, 2016 15:14
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513

On 24 Jul, Don Lewis wrote:

At a minimum, we should publish the hash values of buggy and fixed
versions of the library.  That might not help someone who builds and
installs from source since the build may not be completely repeatable.
For instance the library might contain a timestamp.

Adding a static string "CVE-2016-1513 Fixed" to the source is another
possibility.  On *nix, the user/administrator can run:
        strings whatever.so | grep CVE
and look for the above to verify that the fixed library has been
installed.  Someone would have to figure out how to do the equivalent on
Windows.
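Putting the tell-tales discussed above (file size, date/time, hash, the detached signature, and the proposed marker string) into one script, as an added example that is not AOO project code and not part of this thread: file names, expected values and the marker text "CVE-2016-1513 Fixed" are assumptions for illustration, and the stand-in "libraries" are constructed text files, not real shared objects. The marker check uses `grep -a` on the raw bytes, which gives the same answer as `strings lib.so | grep CVE` without needing binutils installed.

```shell
#!/bin/sh
# Hypothetical hotfix verification helper (added example, not AOO project code).
# Checks the tell-tales discussed on the list: size, mtime (shown), SHA-256,
# marker string, and optionally the detached signature. The expected values
# and the marker text are assumptions for illustration.
set -u

# Portable SHA-256: sha256sum on GNU systems, shasum on BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Byte count without relying on GNU vs BSD stat flags.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# has_marker <file> <string>: 0 if the literal string occurs in the raw bytes.
# Equivalent of `strings lib.so | grep CVE`, but works without binutils.
has_marker() {
    grep -a -q -- "$2" "$1"
}

# verify_hotfix <lib> <expected_size> <expected_sha256> <marker>
# Returns 0 when size, hash and marker all match, 1 otherwise. Prints each
# result plus the mtime (ls -l) so the user can compare against the advisory.
verify_hotfix() {
    lib=$1; want_size=$2; want_hash=$3; marker=$4
    rc=0
    [ -f "$lib" ] || { echo "missing: $lib"; return 1; }
    ls -l "$lib"

    got_size=$(file_size "$lib")
    if [ "$got_size" = "$want_size" ]; then
        echo "size ok ($got_size bytes)"
    else
        echo "size MISMATCH: got $got_size, expected $want_size"; rc=1
    fi

    got_hash=$(file_sha256 "$lib")
    if [ "$got_hash" = "$want_hash" ]; then
        echo "sha256 ok"
    else
        echo "sha256 MISMATCH: got $got_hash"; rc=1
    fi

    if has_marker "$lib" "$marker"; then
        echo "marker '$marker' present"
    else
        echo "marker '$marker' NOT found (old library, or a build without it)"; rc=1
    fi
    return $rc
}

# verify_signature <lib> <detached signature>: meaningful only after the
# signer's public key has been imported; gpg's exit status is the verdict.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 2; }
    gpg --verify "$2" "$1"
}

# apply_hotfix <installed_lib> <patched_lib>: the manual procedure's rename
# step, keeping the original as <lib>.orig so it can be put back on regression.
apply_hotfix() {
    if [ -e "$1.orig" ]; then
        echo "backup $1.orig already exists; refusing to overwrite it"; return 1
    fi
    mv "$1" "$1.orig" && cp "$2" "$1"
}

# Demo on constructed stand-in files (not real AOO libraries).
demo() {
    tmp=$(mktemp -d)
    printf 'ELF stub ... old code ...\n' > "$tmp/old.so"
    printf 'ELF stub ... CVE-2016-1513 Fixed ... new code ...\n' > "$tmp/new.so"
    size=$(file_size "$tmp/new.so"); hash=$(file_sha256 "$tmp/new.so")
    echo "--- patched library:"
    verify_hotfix "$tmp/new.so" "$size" "$hash" "CVE-2016-1513 Fixed"
    echo "--- old library against the same expected values:"
    verify_hotfix "$tmp/old.so" "$size" "$hash" "CVE-2016-1513 Fixed" || echo "old library rejected"
    rm -rf "$tmp"
}
demo
```

The Windows equivalent Don asks about is covered by built-in tools: PowerShell's `Get-FileHash -Algorithm SHA256 file.dll` for the hash and `findstr /M /C:"CVE-2016-1513 Fixed" file.dll` for the marker, which searches the raw bytes of the file and prints its name on a match.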
