Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
Hi,

On Fri, Aug 05, 2016 at 07:00:11PM +0200, Bálint Réczey wrote:
> 2016-08-04 19:34 GMT+02:00 Rene Engelhard:
> > Hi,
> >
> > On Thu, Aug 04, 2016 at 09:12:04AM +0200, Rene Engelhard wrote:
> >> I noticed Balint did some additional changes to deb7u7 (build-depends
> >> on fixed graphite2 - thanks for that), so this needs
> >> either be merged into my deb7u8 or I can redo it this evening...
> >
> > now done.
>
> Thanks!
>
> Would you like to build and upload it yourself or would you prefer
> us to do the rest (build, test, upload, DLA) like before?

I'd prefer the latter like before.

Regards,

Rene
Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
Hi,

On Thu, Aug 04, 2016 at 09:12:04AM +0200, Rene Engelhard wrote:
> I noticed Balint did some additional changes to deb7u7 (build-depends
> on fixed graphite2 - thanks for that), so this needs
> either be merged into my deb7u8 or I can redo it this evening...

now done.

Regards,

Rene
Wheezy update of libreoffice #2 (CVE-2016-1513)
[ CC'ing team@security so that they know nothing supported is affected by it. ]

Hi,

apparently Apache knew it since October 2015, tested with "current" LibreOffices but they said they didn't test with old, so didn't inform LO *at all* until this came up last Thursday again confirming that old LOs *are* affected..

See also http://www.openoffice.org/security/cves/CVE-2016-1513.html

The fix already went into (later) 4.2 and 4.3 versions.

so:

wheezy: affected
jessie: 4.3.3 - unaffected, AFAICS [1]
stretch/sid: "of course" unaffected

A (untested, except that the patch applies) source package is - as last time - available on http://people.debian.org/~rene/libreoffice/wheezy

Own-imposed LibreOffice embargo ends today. (I knew it only since last Thursday, too when we wrote about the other issue but of course couldn't write it beforehand to something public..)

Regards,

Rene

[1] (jessie)rene@frodo ..reOffice/libreoffice/libreoffice-4.3.3 % patch -p1 --dry-run < ~/index.html\?id=fd64d444b730f6cb7216dac8f6e3f94b97d7ab60
checking file tools/source/generic/poly2.cxx
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
4 out of 4 hunks ignored
checking file vcl/source/gdi/metaact.cxx
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
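The dry run in footnote [1] of the message above, turned into a small triage function that also covers the case where the fix applies in neither direction. This is an added example, not part of the original message or of any Debian tooling; it assumes GNU patch and diff, and the function names, tree names and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (assumes GNU patch and diff). All names and contents are constructed.

# patch_state TREE FIX: print fixed | vulnerable | unknown for TREE.
patch_state() {
    if patch -d "$1" -p1 -R -f --dry-run < "$2" >/dev/null 2>&1; then
        echo fixed        # reverse applies cleanly: the change is already present
    elif patch -d "$1" -p1 -f --dry-run < "$2" >/dev/null 2>&1; then
        echo vulnerable   # forward applies cleanly: the change is missing
    else
        echo unknown      # neither applies: code diverged, needs a manual backport
    fi
}

# mk_tree DIR LINE: one-file tree whose middle line is LINE (placeholder content).
mk_tree() {
    mkdir -p "$1/src"
    printf 'header\nsetup\n%s\ncleanup\nfooter\n' "$2" > "$1/src/poly.txt"
}

# demo: build the fix as a diff of a/ against b/, then classify three trees.
demo() {
    w=$(mktemp -d) || return 1
    mk_tree "$w/a" 'old behaviour'
    mk_tree "$w/b" 'new behaviour'
    (cd "$w" && diff -u a/src/poly.txt b/src/poly.txt > fix.diff) || true
    mk_tree "$w/oldrelease" 'old behaviour'   # release without the fix
    mk_tree "$w/newrelease" 'new behaviour'   # release that already has it
    mk_tree "$w/diverged" 'rewritten code'    # release whose code differs
    out=
    for t in oldrelease newrelease diverged; do
        out="$out$t=$(patch_state "$w/$t" "$w/fix.diff") "
    done
    rm -rf "$w"
    echo "${out% }"
}

demo
```

With real trees, FIX is the upstream commit saved as a unified diff and TREE is the unpacked source package of each release.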
Re: Wheezy update of libreoffice?
Hi, Just a random comment: On Sat, Jul 30, 2016 at 09:45:51PM +0200, Balint Reczey wrote: > Priority: optional > Maintainer: Debian LibreOffice Maintainers >> Uploaders: Rene Engelhard > -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | > flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, > libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], > zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, > libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, > xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, > libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips > mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], > libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), > libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) > [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, > libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), > libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, > libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= > 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= > 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips > mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], > gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa > kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa > kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), > g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, > libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= > 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], > libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
libflute-java > (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], > libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 > !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, > javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), > libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= > 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), > libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), > libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), > libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev > (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev > (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), > libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= > 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= > 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), > libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, > libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), > libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev > +Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | > flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, > libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], > zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, > 
libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, > xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, > libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips > mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], > libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), > libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= > 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), > libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= > 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, > libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= > 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= > 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips > mipsel powerpc
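Review bot: The new bound `libgraphite2-dev (>= 1.3.6-1~deb7u2)` in the `+Build-Depends` line can only be satisfied once that graphite2 revision is available to the builders, so the graphite2 upload has to be accepted before libreoffice is built; that ordering is worth stating in the upload plan. Because the whole field is one line, the single changed bound is also hard to spot in the debdiff, so naming it explicitly in the changelog entry helps anyone reviewing the update.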
Re: Wheezy update of libreoffice?
Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
>
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so
>> yet.
>> After it is tested feel free to upload it.
>
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing libreoffice but the attached patch for graphite2 solves that. A binary build was needed anyway since wheezy-security does not accept source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can still parse a valid RTF [1].

Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan uploading both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog --- graphite2-1.3.6/debian/changelog 2016-03-09 12:12:34.0 +0100 +++ graphite2-1.3.6/debian/changelog 2016-07-29 19:30:16.0 +0200 @@ -1,3 +1,10 @@ +graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium + + * LTS Team upload + * Fix .shlibs file to let reverse depenencies build + + -- Balint ReczeyFri, 29 Jul 2016 19:29:22 +0200 + graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high * rebuild for oldstable-security diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs --- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-03-09 12:09:32.0 +0100 +++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-07-30 00:38:31.0 +0200 
@@ -1 +1 @@ -libgraphite2 3 libgraphite2-2.0.0 +libgraphite2 2.0.0 libgraphite2-2.0.0 (>= 1.3.6-1~) diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog --- libreoffice-3.5.4+dfsg2/debian/changelog 2016-02-11 18:15:51.0 +0100 +++ libreoffice-3.5.4+dfsg2/debian/changelog 2016-07-30 12:58:16.0 +0200 @@ -1,3 +1,17 @@ +libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high + + [ Rene Engelhard ] + * merge from Ubuntu: +- SECURITY UPDATE: Denial of service and possible arbitrary code execution + via a crafted RTF file + + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free + + CVE-2016-4324 + + [ Balint Reczey ] + * depend on libgraphite2-dev version which has working shlibs file + + -- Balint Reczey Sat, 30 Jul 2016 12:58:14 +0200 + libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control --- libreoffice-3.5.4+dfsg2/debian/control 2013-05-29 23:22:11.0 +0200 +++ libreoffice-3.5.4+dfsg2/debian/control 2016-07-30 12:52:29.0 +0200 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian LibreOffice Maintainers Uploaders: Rene Engelhard -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java,
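Review bot: The added line `* Fix .shlibs file to let reverse depenencies build` in the graphite2 `debian/changelog` hunk misspells "dependencies"; correct it before upload, since the changelog text ships in the published package.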
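Review bot: The one-line `debian/libgraphite2-2.0.0.shlibs` hunk changes two things at once, the library version field (`3` to `2.0.0`) and a new minimum version `(>= 1.3.6-1~)`, while the changelog only says "Fix .shlibs file". Say in the changelog which field was wrong and why `1.3.6-1~` is the right lower bound, since every reverse dependency built afterwards inherits that constraint.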
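Review bot: The `merge from Ubuntu:` entry in the libreoffice `debian/changelog` hunk does not name the Ubuntu upload the patch was taken from; adding that source version next to `debian/patches/rtf-use-after-free.diff` would make the origin of the patch checkable from the changelog alone.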
Re: Wheezy update of libreoffice?
Hi,

On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
> Thank you for preparing the patch.
> I'm building it right now and would like to test it if you have not done so
> yet.
> After it is tested feel free to upload it.

Then it's best you mergechanges and upload after testing, I only built the source package, I didn't build it, so if you have a build...

Regards,

Rene
Re: Wheezy update of libreoffice?
Hi Rene,

2016-07-28 18:29 GMT+02:00 Rene Engelhard:
> Hi again,
>
> On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org
>> (via a debdiff, or with an URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
>
> Untested (but it's the identical patch Ubuntu has, so..):
> http://people.debian.org/~rene/libreoffice/wheezy
>
>> PS: A member of the LTS team might start working on this update at
>> any point in time. You can verify whether someone is registered
>> on this update in this file:
>> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
> I see you already claimed this, so should I upload this or not?

Thank you for preparing the patch.
I'm building it right now and would like to test it if you have not done so yet.
After it is tested feel free to upload it.

Cheers,
Balint
Re: Wheezy update of libreoffice?
Hi again,

On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

Untested (but it's the identical patch Ubuntu has, so..):
http://people.debian.org/~rene/libreoffice/wheezy

> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

I see you already claimed this, so should I upload this or not?

Regards,
Re: Wheezy update of libreoffice?
Hi,

On Wed, Jul 27, 2016 at 10:03:13AM +0200, Balint Reczey wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libreoffice:
> https://security-tracker.debian.org/tracker/CVE-2016-4324
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development

Didn't plan to... At least the patch doesn't apply and the code looks considerably different, so given wheezy was EOL anyways I just didn't care.

But I see that Ubuntu fixed it because they apparently still support it?

libreoffice (1:3.5.7-0ubuntu11) precise-security; urgency=low

  * SECURITY UPDATE: Denial of service and possible arbitrary code execution
    via a crafted RTF file
    - debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
    - CVE-2016-4324

 -- Bjoern Michaelsen  Fri, 24 Jun 2016 21:56:05 +0200

so I could take this as a base...

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

I would actually believe (almost) no one will use 3.5 anymore but (at least, if they stayed on wheezy) wheezy-backports - that one would need the update, too, though.. - or something newer (jessie?) so I consider this not that important...

But will do so.

Regards,

Rene