Re: Wheezy update of libreoffice #2 (CVE-2016-1513)

2016-08-06 Thread Rene Engelhard
Hi,

On Fri, Aug 05, 2016 at 07:00:11PM +0200, Bálint Réczey wrote:
> 2016-08-04 19:34 GMT+02:00 Rene Engelhard :
> > Hi,
> >
> > On Thu, Aug 04, 2016 at 09:12:04AM +0200, Rene Engelhard wrote:
> >> I noticed Balint did some additional changes to deb7u7 (build-depends
> >> on fixed graphite2 - thanks for that), so this needs to
> >> either be merged into my deb7u8 or I can redo it this evening...
> >
> > now done.
> 
> Thanks!
> 
> Would you like to build and upload it yourself or would you prefer
> us to do the rest (build, test, upload, DLA) like before?

I'd prefer the latter like before.

Regards,

Rene



Re: Wheezy update of libreoffice #2 (CVE-2016-1513)

2016-08-04 Thread Rene Engelhard
Hi,

On Thu, Aug 04, 2016 at 09:12:04AM +0200, Rene Engelhard wrote:
> I noticed Balint did some additional changes to deb7u7 (build-depends
> on fixed graphite2 - thanks for that), so this needs to
> either be merged into my deb7u8 or I can redo it this evening...

now done.

Regards,
  
Rene



Wheezy update of libreoffice #2 (CVE-2016-1513)

2016-08-03 Thread Rene Engelhard
[ CC'ing team@security so that they know nothing supported is affected by
it. ]

Hi,

apparently Apache knew it since October 2015, tested with "current" LibreOffices
but they said they didn't test with old, so didn't inform LO *at all* until
this came up last Thursday again confirming that old LOs *are* affected..

See also http://www.openoffice.org/security/cves/CVE-2016-1513.html

The fix already went into (later) 4.2 and 4.3 versions.

so: 

wheezy: affected
jessie: 4.3.3 - unaffected, AFAICS [1]
stretch/sid: "of course" unaffected

An (untested, except that the patch applies) source package is - as last time -
available on http://people.debian.org/~rene/libreoffice/wheezy

Own-imposed LibreOffice embargo ends today. (I knew it only since last
Thursday, too when we wrote about the other issue but of course couldn't
write it beforehand to something public..)

Regards,

Rene

[1]
(jessie)rene@frodo ..reOffice/libreoffice/libreoffice-4.3.3 % patch -p1 --dry-run < ~/index.html\?id=fd64d444b730f6cb7216dac8f6e3f94b97d7ab60
checking file tools/source/generic/poly2.cxx
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
4 out of 4 hunks ignored
checking file vcl/source/gdi/metaact.cxx
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored
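
The dry-run check in footnote [1] above can be scripted so that it also separates "fix missing" from "code diverged"; this is an added example, not part of the original mail. The function names `patch_state` and `make_sample` and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a source tree against a fix
# using `patch --dry-run` only, so the tree is never modified.
# usage: patch_state <source-dir> <patch-file> [strip-level]
patch_state() {
    dir=$1; strip=${3:-1}
    # -f turns off patch's "reversed patch?" guessing, so each direction is
    # tested strictly. A clean reverse run means the fix is already present.
    if (cd "$dir" && patch -p"$strip" -R -f --dry-run) <"$2" >/dev/null 2>&1; then
        echo applied
    # A clean forward run means the fix is absent and the tree is affected.
    elif (cd "$dir" && patch -p"$strip" -f --dry-run) <"$2" >/dev/null 2>&1; then
        echo missing
    else
        # Neither direction applies: the code differs, review it by hand.
        echo diverged
    fi
}

# Constructed sample: three tiny trees and a one-hunk fix (not LibreOffice code).
make_sample() {
    mkdir -p "$1/old/src" "$1/new/src" "$1/other/src"
    printf 'a\nb\nread(n);\nc\nd\n' >"$1/old/src/f.c"
    printf 'a\nb\nif (n > max) return;\nread(n);\nc\nd\n' >"$1/new/src/f.c"
    printf 'x\ny\nz\n' >"$1/other/src/f.c"
    # diff exits 1 when the files differ, which is the expected case here.
    (cd "$1" && diff -u old/src/f.c new/src/f.c >fix.diff) || true
}

work=$(mktemp -d)
make_sample "$work"
for tree in old new other; do
    printf '%s: %s\n' "$tree" "$(patch_state "$work/$tree" "$work/fix.diff")"
done
rm -rf "$work"
```

`applied` only says the patch text is present in the tree; a release fixed by a differently written backport reports `diverged` and still needs a manual look.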



Re: Wheezy update of libreoffice?

2016-07-30 Thread Guido Günther
Hi,

Just a random comment:

On Sat, Jul 30, 2016 at 09:45:51PM +0200, Balint Reczey wrote:
>  Priority: optional
>  Maintainer: Debian LibreOffice Maintainers 
> 
>  Uploaders: Rene Engelhard 
> -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) 
> [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, 
> libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), 
> libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], 
> gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa 
> kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa 
> kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), 
> g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, 
> libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 
> 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java 
> (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, 
> javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), 
> libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 
> 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), 
> libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), 
> libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), 
> libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev 
> (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev 
> (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), 
> libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 
> 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 
> 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), 
> libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, 
> libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), 
> libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev
> +Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 
> 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), 
> libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 
> 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc 
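
Review bot: In the Build-Depends pair, the only difference visible between the removed and the added line is libgraphite2-dev (>= 0.9.3) becoming libgraphite2-dev (>= 1.3.6-1~deb7u2), but because the field is a single line the whole field is replaced and the one-token change is easy to miss. Naming that token in the cover note would make the hunk reviewable. The new bound also means a graphite2 build at 1.3.6-1~deb7u2 or later has to be installable on the builders before this package is built, so the upload order of the two packages matters.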

Re: Wheezy update of libreoffice?

2016-07-30 Thread Balint Reczey
Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
> 
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so 
>> yet.
>> After it is tested feel free to upload it.
> 
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing
libreoffice but the attached patch for graphite2 solves that.

A binary build was needed anyway since wheezy-security does not accept
source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can
still parse a valid RTF [1].

Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here
when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan uploading both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog
--- graphite2-1.3.6/debian/changelog	2016-03-09 12:12:34.0 +0100
+++ graphite2-1.3.6/debian/changelog	2016-07-29 19:30:16.0 +0200
@@ -1,3 +1,10 @@
+graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium
+
+  * LTS Team upload
+  * Fix .shlibs file to let reverse depenencies build
+
+ -- Balint Reczey   Fri, 29 Jul 2016 19:29:22 +0200
+
 graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high
 
   * rebuild for oldstable-security 
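
Review bot: "depenencies" in the added bullet "Fix .shlibs file to let reverse depenencies build" should read "dependencies". The bullet would also be more useful to someone reading the changelog later if it said what was wrong with the .shlibs file, not only that it was fixed.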
diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs
--- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-03-09 12:09:32.0 +0100
+++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-07-30 00:38:31.0 +0200
@@ -1 +1 @@
-libgraphite2	3	libgraphite2-2.0.0
+libgraphite2	2.0.0	libgraphite2-2.0.0 (>= 1.3.6-1~)
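
Review bot: On the added line the second field changes from 3 to 2.0.0; that field has to equal the version suffix of the library's SONAME, so it is worth confirming against the built library (the SONAME line of objdump -p on the shared object) rather than inferring it from the package name. The dependency (>= 1.3.6-1~) is written by hand; generating the file with dh_makeshlibs -V would keep the bound from drifting on later uploads.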
diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog
--- libreoffice-3.5.4+dfsg2/debian/changelog	2016-02-11 18:15:51.0 +0100
+++ libreoffice-3.5.4+dfsg2/debian/changelog	2016-07-30 12:58:16.0 +0200
@@ -1,3 +1,17 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high
+
+  [ Rene Engelhard ]
+  * merge from Ubuntu:
+- SECURITY UPDATE: Denial of service and possible arbitrary code execution
+  via a crafted RTF file
+  + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
+  + CVE-2016-4324
+
+  [ Balint Reczey ]
+  * depend on libgraphite2-dev version which has working shlibs file
+
+ -- Balint Reczey   Sat, 30 Jul 2016 12:58:14 +0200
+
 libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high
 
   * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
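
Review bot: The sub-items under "merge from Ubuntu:" (the "- SECURITY UPDATE" line and the two "+" items) carry no indentation beneath their bullet in the lines shown, so the entry reads flat; indent them under the bullet. The entry also names debian/patches/rtf-use-after-free.diff, so the debdiff should include that file and the matching series change, neither of which is among the hunks visible here.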
diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control
--- libreoffice-3.5.4+dfsg2/debian/control	2013-05-29 23:22:11.0 +0200
+++ libreoffice-3.5.4+dfsg2/debian/control	2016-07-30 12:52:29.0 +0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian LibreOffice Maintainers 
 Uploaders: Rene Engelhard 
-Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, 

Re: Wheezy update of libreoffice?

2016-07-28 Thread Rene Engelhard
Hi,

On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
> Thank you for preparing the patch.
> I'm building it right now and would like to test it if you have not done so 
> yet.
> After it is tested feel free to upload it.

Then it's best you mergechanges and upload after testing, I only built the
source package, I didn't build it, so if you have a build...

Regards,

Rene



Re: Wheezy update of libreoffice?

2016-07-28 Thread Bálint Réczey
Hi Rene,

2016-07-28 18:29 GMT+02:00 Rene Engelhard :
> Hi again,
>
> On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org
>> (via a debdiff, or with an URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
>
> Untested (but it's the identical patch Ubuntu has, so..):
> http://people.debian.org/~rene/libreoffice/wheezy
>
>> PS: A member of the LTS team might start working on this update at
>> any point in time. You can verify whether someone is registered
>> on this update in this file:
>> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
> I see you already claimed this, so should I upload this or not?


Thank you for preparing the patch.
I'm building it right now and would like to test it if you have not done so yet.
After it is tested feel free to upload it.

Cheers,
Balint



Re: Wheezy update of libreoffice?

2016-07-28 Thread Rene Engelhard
Hi again,

On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

Untested (but it's the identical patch Ubuntu has, so..):
http://people.debian.org/~rene/libreoffice/wheezy

> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

I see you already claimed this, so should I upload this or not?

Regards,



Re: Wheezy update of libreoffice?

2016-07-28 Thread Rene Engelhard
Hi,

On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libreoffice:
> https://security-tracker.debian.org/tracker/CVE-2016-4324
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development

Didn't plan to...

At least the patch doesn't apply and the code looks considerably
different, so given wheezy was EOL anyways I just didn't care.

But I see that Ubuntu fixed it because they apparently still support it?

libreoffice (1:3.5.7-0ubuntu11) precise-security; urgency=low

  * SECURITY UPDATE: Denial of service and possible arbitrary code execution
    via a crafted RTF file
    - debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
    - CVE-2016-4324

 -- Bjoern Michaelsen   Fri, 24 Jun 2016 21:56:05 +0200

so I could take this as a base...

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

I would actually believe (almost) no one will use 3.5 anymore but (at least,
if they stayed on wheezy) wheezy-backports - that one would need the update,
too, though.. - or something newer (jessie?) so I consider this not that
important... But will do so.

Regards,

Rene