configure.ac                                      |    4 -
 connectivity/Library_postgresql-sdbc-impl.mk      |    3 
 download.lst                                      |    4 -
 extensions/Library_ldapbe2.mk                     |    4 -
 external/openldap/ExternalProject_openldap.mk     |   20 ++----
 external/openldap/README                          |    2 
 external/openldap/openldap-2.4.44.patch.1         |   67 ----------------------
 external/postgresql/ExternalProject_postgresql.mk |    6 -
 8 files changed, 18 insertions(+), 92 deletions(-)

New commits:
commit f5d1b16ca2b85901d04e6f9dcad16cd36bad2333
Author:     Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Mon Dec 5 01:47:35 2022 +0900
Commit:     خالد حسني <kha...@libreoffice.org>
CommitDate: Tue Jul 25 10:57:39 2023 +0200

    openldap: upgrade to release 2.6.4
    
    Fixes CVE-2023-2953.
    
    Because NSS support has been removed in release 2.5,
    switch TLS/SSL module used by OpenLDAP to OpenSSL.
    
    Add -pthread flag to openldap_LDFLAGS when building on Linux.
    This avoids errors that occur in libcrypto.a 
(libcrypto-lib-threads_pthread.o).
    
    Change-Id: I4779ce40233d144d930f20e85db7b4ba08f91ea1
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/143646
    Tested-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
    Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
    (cherry picked from commit 299ea597d154e1dc3d0f09adf67e05747cca54cf)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/154414
    Tested-by: Jenkins
    Reviewed-by: خالد حسني <kha...@libreoffice.org>

diff --git a/configure.ac b/configure.ac
index b399b34ff23b..d519ee72a7d6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10654,14 +10654,14 @@ dnl 
===================================================================
 
 if test "$test_openldap" = yes; then
     AC_MSG_CHECKING([whether to enable LDAP support])
-    if test "$enable_ldap" = yes -a \( "$ENABLE_NSS" = TRUE -o 
"$with_system_openldap" = yes \); then
+    if test "$enable_ldap" = yes -a \( "$enable_openssl" = yes -o 
"$with_system_openldap" = yes \); then
         AC_MSG_RESULT([yes])
         ENABLE_LDAP=TRUE
     else
         if test "$enable_ldap" != "yes"; then
             AC_MSG_RESULT([no])
         else
-            AC_MSG_RESULT([no (needs NSS or system openldap)])
+            AC_MSG_RESULT([no (needs OPENSSL or system openldap)])
         fi
     fi
 
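Review bot: The new gate reads the raw option variable `$enable_openssl`, while the makefiles changed in this same commit key off `ENABLE_OPENSSL` (`$(if $(ENABLE_OPENSSL),openssl)`, `ifeq ($(ENABLE_OPENSSL),TRUE)`). If configure can still switch OpenSSL off for a platform after this point (not visible here), `ENABLE_LDAP=TRUE` would be set for a bundled OpenLDAP that has no TLS library to build against, so the ordering is worth confirming. A one-line comment above the test, e.g. `dnl bundled OpenLDAP >= 2.5 has no NSS backend; its TLS comes from OpenSSL`, would record why the condition changed. The failure text would also read better as `no (needs OpenSSL or system openldap)`. The enclosing `if test "$test_openldap" = yes` block continues past the hunk.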
diff --git a/connectivity/Library_postgresql-sdbc-impl.mk 
b/connectivity/Library_postgresql-sdbc-impl.mk
index 497f5b742ef4..19a61ff92534 100644
--- a/connectivity/Library_postgresql-sdbc-impl.mk
+++ b/connectivity/Library_postgresql-sdbc-impl.mk
@@ -49,9 +49,6 @@ $(eval $(call gb_Library_use_externals,postgresql-sdbc-impl,\
         $(if $(ENABLE_OPENSSL),openssl) \
         $(if $(ENABLE_LDAP), \
             openldap \
-            nss3 \
-            plc4 \
-            ssl3 \
         ) \
     ) \
 ))
diff --git a/download.lst b/download.lst
index 9a7ae74a1a9e..a218a4c388e8 100644
--- a/download.lst
+++ b/download.lst
@@ -418,8 +418,8 @@ OFFICEOTRON_JAR := 
8249374c274932a21846fa7629c2aa9b-officeotron-0.7.4-master.jar
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-OPENLDAP_SHA256SUM := 
99f37d6747d88206c470067eda624d5e48c1011e943ec0ab217bae8712e22f34
-OPENLDAP_TARBALL := openldap-2.4.59.tgz
+OPENLDAP_SHA256SUM := 
d51704e50178430c06cf3d8aa174da66badf559747a47d920bb54b2d4aa40991
+OPENLDAP_TARBALL := openldap-2.6.4.tgz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/extensions/Library_ldapbe2.mk b/extensions/Library_ldapbe2.mk
index 58ea11b2d0ce..c08ed88f744e 100644
--- a/extensions/Library_ldapbe2.mk
+++ b/extensions/Library_ldapbe2.mk
@@ -46,9 +46,7 @@ else # 0S!=WNT
 $(eval $(call gb_Library_use_externals,ldapbe2,\
        boost_headers \
        openldap \
-       nss3 \
-       plc4 \
-       ssl3 \
+       openssl \
 ))
 endif
 
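Review bot: `openssl` is added to ldapbe2's externals unconditionally, whereas the postgresql-sdbc-impl hunk in this commit guards the same external as `$(if $(ENABLE_OPENSSL),openssl)`. configure.ac still enables LDAP when only `with_system_openldap` is `yes`, so this library can be built in a configuration without OpenSSL. If `gb_Library_use_externals` does not tolerate `openssl` in that case (not visible on this page), the line should read `$(if $(ENABLE_OPENSSL),openssl) \`. Either way, a short comment that the static libldap needs libssl/libcrypto at link time would explain the dependency.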
diff --git a/external/openldap/ExternalProject_openldap.mk 
b/external/openldap/ExternalProject_openldap.mk
index 6914d167b56c..e02a35d9943f 100644
--- a/external/openldap/ExternalProject_openldap.mk
+++ b/external/openldap/ExternalProject_openldap.mk
@@ -9,7 +9,7 @@
 
 $(eval $(call gb_ExternalProject_ExternalProject,openldap))
 
-$(eval $(call gb_ExternalProject_use_externals,openldap,nss3))
+$(eval $(call gb_ExternalProject_use_externals,openldap,openssl))
 
 $(eval $(call gb_ExternalProject_register_targets,openldap,\
        build \
@@ -25,12 +25,10 @@ openldap_CFLAGS = -D_XOPEN_SOURCE=500 -D_DEFAULT_SOURCE 
-D_BSD_SOURCE
 endif
 
 openldap_LDFLAGS = $(call gb_ExternalProject_get_link_flags,openldap)
-ifeq ($(SYSTEM_NSS),)
-openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib
+ifeq ($(SYSTEM_OPENSSL),)
+openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,openssl)
 endif
-# Help openldap's configure determine that it needs -lpthread even if 
libasan.so
-# contains a pthread_create override:
-ifneq ($(filter -fsanitize=address,$(CC)),)
+ifeq ($(OS),LINUX)
 openldap_LDFLAGS += -pthread
 endif
 
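Review bot: The new `ifeq ($(OS),LINUX)` block has no comment, while the block it replaces explained its purpose; the reason now lives only in the commit message. Suggest `# Static libcrypto.a (threads_pthread.o) needs the pthread symbols at link time:` above it. The old condition added `-pthread` for any compiler carrying `-fsanitize=address` regardless of OS, so an ASan build on a non-Linux platform no longer gets the flag; if that case still matters, keep it as a second condition. The flag is also added when `SYSTEM_OPENSSL` is set, where presumably no static libcrypto.a is linked; that looks harmless, but the block could sit inside `ifeq ($(SYSTEM_OPENSSL),)`.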
@@ -40,7 +38,7 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
                $(gb_RUN_CONFIGURE) ./configure \
                        --disable-slapd \
                        --with-pic \
-                       --with-tls=moznss \
+                       --with-tls=openssl \
                        --without-cyrus-sasl \
                        --disable-shared \
                        --enable-static \
@@ -49,11 +47,11 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
                                --with-yielding_select=yes \
                                ac_cv_func_memcmp_working=yes \
                        ) \
-                       $(if $(SYSTEM_NSS), \
-                               CPPFLAGS="$(CPPFLAGS) $(NSS_CFLAGS)" 
CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(NSS_CFLAGS) $(call 
gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) $(NSS_LIBS)" \
+                       $(if $(SYSTEM_OPENSSL), \
+                               CPPFLAGS="$(CPPFLAGS) $(OPENSSL_CFLAGS)" 
CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(OPENSSL_CFLAGS) $(call 
gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) 
$(openldap_LDFLAGS) $(OPENSSL_LIBS)" \
                                , \
-                               CPPFLAGS="$(CPPFLAGS) -I$(call 
gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call 
gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
-                               CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call 
gb_ExternalProject_get_build_flags,openldap) -I$(call 
gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call 
gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
+                               CPPFLAGS="$(CPPFLAGS) -I$(call 
gb_UnpackedTarball_get_dir,openssl)/include" \
+                               CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call 
gb_ExternalProject_get_build_flags,openldap) -I$(call 
gb_UnpackedTarball_get_dir,openssl)/include" \
                        ) \
                        $(if $(openldap_LDFLAGS),LDFLAGS="$(LDFLAGS) 
$(openldap_LDFLAGS)") \
                && MAKEFLAGS= && $(MAKE) \
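Review bot: In the `SYSTEM_OPENSSL` branch `LDFLAGS` is now passed to configure twice: once as `LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS) $(OPENSSL_LIBS)"` and again by the trailing `$(if $(openldap_LDFLAGS),LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)")`. With `-pthread` now always appended on Linux the second one is always emitted there, and as far as I know configure keeps the last assignment of a variable, so `$(OPENSSL_LIBS)` would be dropped, including any `-L` for a non-default OpenSSL location. Moving the trailing assignment into the bundled branch (`LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)" \` after its `CFLAGS=` line) and deleting the `$(if …)` line would leave exactly one assignment per branch. The recipe starts and ends outside this hunk.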
diff --git a/external/openldap/README b/external/openldap/README
index 0c1828c12b93..48da788f5447 100644
--- a/external/openldap/README
+++ b/external/openldap/README
@@ -1,3 +1,3 @@
 OpenLDAP provides an LDAP client library
 
-http://www.openldap.org/
+https://www.openldap.org/
diff --git a/external/openldap/openldap-2.4.44.patch.1 
b/external/openldap/openldap-2.4.44.patch.1
index 317ef9a62e56..1521e86a2664 100644
--- a/external/openldap/openldap-2.4.44.patch.1
+++ b/external/openldap/openldap-2.4.44.patch.1
@@ -1,69 +1,4 @@
 -*- Mode: diff -*-
---- openldap.org/configure
-+++ openldap/configure
-@@ -15735,7 +15735,7 @@
-   $as_echo_n "(cached) " >&6
- else
-   ac_check_lib_save_LIBS=$LIBS
--LIBS="-lnss3  $LIBS"
-+LIBS="-lnss3  -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4  $LIBS"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
---- openldap.org/configure.in
-+++ openldap/configure.in
-@@ -1239,7 +1239,8 @@
-               AC_CHECK_HEADERS([nssutil.h])
-               if test "$ac_cv_header_nssutil_h" = yes ; then
-                       AC_CHECK_LIB([nss3], [NSS_Initialize],
--                                               [ have_moznss=yes ], [ 
have_moznss=no ])
-+                                               [ have_moznss=yes ], [ 
have_moznss=no ],
-+                                               [ -lssl3 -lsmime3 -lnss3 
-lnssutil3 -lplds4 -lplc4 -lnspr4 ])
-               fi
- 
-               if test "$have_moznss" = yes ; then
---- openldap.org/libraries/libldap/tls_m.c
-+++ openldap/libraries/libldap/tls_m.c
-@@ -49,17 +49,17 @@
- #include <termios.h> /* for echo on/off */
- #endif
- 
--#include <nspr/nspr.h>
--#include <nspr/private/pprio.h>
--#include <nss/nss.h>
--#include <nss/ssl.h>
--#include <nss/sslerr.h>
--#include <nss/sslproto.h>
--#include <nss/pk11pub.h>
--#include <nss/secerr.h>
--#include <nss/keyhi.h>
--#include <nss/secmod.h>
--#include <nss/cert.h>
-+#include <nspr.h>
-+#include <private/pprio.h>
-+#include <nss.h>
-+#include <ssl.h>
-+#include <sslerr.h>
-+#include <sslproto.h>
-+#include <pk11pub.h>
-+#include <secerr.h>
-+#include <keyhi.h>
-+#include <secmod.h>
-+#include <cert.h>
- 
- #undef NSS_VERSION_INT
- #define       NSS_VERSION_INT ((NSS_VMAJOR << 24) | (NSS_VMINOR << 16) | \
---- openldap.org/libraries/libldap/tls2.c
-+++ openldap.org/libraries/libldap/tls2.c
-@@ -80,6 +80,8 @@
-       { BER_BVNULL, BER_BVNULL }
- };
- 
-+int ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in );
-+
- #ifdef HAVE_TLS
- 
- void
 --- openldap.org/Makefile.in
 +++ openldap/Makefile.in
 @@ -13,7 +13,7 @@
@@ -82,4 +17,4 @@
 -
 -check: test
 -test: FORCE
--      cd tests; $(MAKE) test
+-      cd tests && $(MAKE) test
diff --git a/external/postgresql/ExternalProject_postgresql.mk 
b/external/postgresql/ExternalProject_postgresql.mk
index 24e54adf3e0c..1d0a13b6bb03 100644
--- a/external/postgresql/ExternalProject_postgresql.mk
+++ b/external/postgresql/ExternalProject_postgresql.mk
@@ -44,7 +44,7 @@ endif
 ifeq ($(ENABLE_OPENSSL),TRUE)
 ifeq ($(SYSTEM_OPENSSL),)
 postgresql_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,openssl)/include
-postgresql_LDFLAGS  += -L$(call gb_UnpackedTarball_get_dir,openssl)/ $(if 
$(filter $(OS),LINUX),-pthread)
+postgresql_LDFLAGS  += -L$(call gb_UnpackedTarball_get_dir,openssl) $(if 
$(filter $(OS),LINUX),-pthread)
 endif
 endif
 
@@ -54,8 +54,6 @@ postgresql_LDFLAGS  += \
        -L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap_r/.libs 
\
        -L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap/.libs \
        -L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/liblber/.libs \
-       $(if $(SYSTEM_NSS),,\
-               -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib) \
 
 endif
 
@@ -76,7 +74,7 @@ $(call gb_ExternalProject_get_state_target,postgresql,build) :
                        CFLAGS="-fPIC" \
                        CPPFLAGS="$(postgresql_CPPFLAGS)" \
                        LDFLAGS="$(postgresql_LDFLAGS)" \
-                       $(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber -lssl3 
-lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4") \
+                       $(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber") \
                && cd src/interfaces/libpq \
                && MAKEFLAGS= && $(MAKE) MAKELEVEL=0 all-static-lib)
        $(call gb_Trace_EndRange,postgresql,EXTERNAL)
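Review bot: `EXTRA_LDAP_LIBS` now lists only `-llber`, but the bundled libldap is static and built with `--with-tls=openssl`, so anything that links it needs libssl and libcrypto as well. Presumably the configure call above (outside this hunk) already brings those in through its own OpenSSL option; a comment such as `# libssl/libcrypto for the static libldap come from postgresql's OpenSSL flags` would make that dependency explicit. Separately, the previous hunk still passes `-L…/openldap/libraries/libldap_r/.libs`; as far as I know OpenLDAP 2.5 and later no longer build a separate libldap_r, so that path is probably stale.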
