Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-07 Thread Ariel Constenla-Haile
On Tue, Aug 02, 2016 at 07:48:12PM -0700, Dennis E. Hamilton wrote:
> Please vote by reply to this dev@-list thread on the approval of the 
> candidate for release.
> 
>  [  ] +1 Approve, with description
>  [  ]  0 Abstain
>  [  ] -1 Disapprove, with explanation

+1

I've checked the signatures and the patch, which is the same I've
applied to build the MacOSX and Linux binaries.


Regards
-- 
Ariel Constenla-Haile




Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-07 Thread Patricia Shanahan

+1

Because of whitespace differences from the patch I had previously tested, 
I applied the patch to a clean 4.1.2 checkout, built from scratch, and 
tested the result.


I have checked the signature and hashes. The signature file shows the 
web-of-trust issues previously discussed.


On 8/2/2016 7:48 PM, Dennis E. Hamilton wrote:

[BCC to PMC]

The Apache OpenOffice 4.1.2-patch1 source code mitigates the security vulnerability 
described in the CVE-2016-1513 advisory 
.

The patch has been applied in the building of modified Apache 4.1.2 binaries.  
The modified binaries have been successfully used as the source of single 
modified shared-library files that can be copied into existing Apache 4.1.2 
programs in order to eliminate the vulnerability.

This ballot is for release of the source code on which replacement or patched 
Apache 4.1.2 binaries can be based.  The candidate source-code release for 
patch1 is the archive
apache-openoffice-4.1.2-patch1.zip located at
.
There are accompanying hash files (.md5 and .sha256) and a digital signature 
file (.asc) for the source-code archive.

Please vote by reply to this dev@-list thread on the approval of the candidate 
for release.

 [  ] +1 Approve, with description
 [  ]  0 Abstain
 [  ] -1 Disapprove, with explanation

For +1 Approve votes, please describe the results of verifying the patch 
materials and success in building a 4.1.2 binary having the patch applied to a 
particular 4.1.2 binary build.

Please do not do anything but [VOTE] (with any +1 descriptions and -1 
explanations) on this thread.

To discuss this vote or the process, please use a [DISCUSS][VOTE] reply rather 
than discussing on the [VOTE] thread.

The [VOTE] will conclude no sooner than Monday, 2016-08-08T15:00Z.

 - Dennis E. Hamilton
   For the Apache OpenOffice Project Management Committee


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org






Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-05 Thread Marcus

On 08/03/2016 04:48 AM, Dennis E. Hamilton wrote:

> Please vote by reply to this dev@-list thread on the approval of the candidate
> for release.
>
>   [  ] +1 Approve, with description
>   [  ]  0 Abstain
>   [  ] -1 Disapprove, with explanation

+1 Approve

> For +1 Approve votes, please describe the results of verifying the patch
> materials and success in building a 4.1.2 binary having the patch applied to a
> particular 4.1.2 binary build.


1. I've verified the hashes:

$ md5sum -c apache-openoffice-4.1.2-patch1.zip.md5
--> OK (but only without the line break)

$ sha256sum -c apache-openoffice-4.1.2-patch1.zip.sha256
--> OK (but only without the line break)

$ gpg --verify apache-openoffice-4.1.2-patch1.zip.asc apache-openoffice-4.1.2-patch1.zip

--> ...
gpg: Good signature from "keybase.io/orcmid (confirmed identifier) "
...



2. As for the source code, I've checked out the fix from the code base 
in SVN and compared it with the zipped patch.


2a. Compared patched "poly2.cxx" with SVN revision previous to the patch:



$ svn co https://svn.apache.org/repos/asf/openoffice/trunk/main/tools/source/generic/ /home/marcus/aoo


$ svn diff -c 1753426 /home/marcus/aoo/poly2.cxx

Index: poly2.cxx
===
--- poly2.cxx   (revision 1753425)
+++ poly2.cxx   (revision 1753426)
@@ -198,6 +198,7 @@
 {
DBG_CHKTHIS( PolyPolygon, NULL );
DBG_ASSERT( nPos < Count(), "PolyPolygon::Remove(): nPos >= nSize" );
+   if ( nPos >= Count() ) return; // not removable

if ( mpImplPolyPolygon->mnRefCount > 1 )
{
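Review bot: The guard added in PolyPolygon::Remove(), `if ( nPos >= Count() ) return;`, drops an out-of-range request silently, so the caller cannot tell that nothing was removed. The DBG_ASSERT directly above already states the same bound, so the comment should say that this check is what enforces it when the assertion does not stop execution, for example `// index out of range: nothing to remove`, so that a later cleanup does not delete it as redundant.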
@@ -218,6 +219,7 @@
 {
DBG_CHKTHIS( PolyPolygon, NULL );
DBG_ASSERT( nPos < Count(), "PolyPolygon::Replace(): nPos >= nSize" );
+   if ( nPos >= Count() ) return; // not replaceable

if ( mpImplPolyPolygon->mnRefCount > 1 )
{
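Review bot: In PolyPolygon::Replace() the bound is now written twice in inverse forms, `nPos < Count()` in the DBG_ASSERT and `nPos >= Count()` in the new guard, while the assertion message still speaks of `nSize`, so the three can drift apart. Returning before the `mnRefCount > 1` branch is entered is the right placement for an invalid index. Suggest aligning the assertion message with Count() and replacing `// not replaceable` with a comment that names the condition, such as `// index out of range: nothing to replace`.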

--> OK, only the patched lines are the difference.



2b. Compared patched "poly2.cxx" with SVN current revision:

$ svn co https://svn.apache.org/repos/asf/openoffice/trunk/main/tools/source/generic/ /home/marcus/aoo


$ diff /home/marcus/patch/source/apache-openoffice-4.1.2-patch1/poly2.cxx /home/marcus/aoo/poly2.cxx


--> OK, many diffs but only due to white spaces.



Marcus





Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-04 Thread Carl Marcum

 +1 Approve

VERIFICATION...

I downloaded the patch from:
https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/source/

$ md5sum --check apache-openoffice-4.1.2-patch1.zip.md5
apache-openoffice-4.1.2-patch1.zip: OK

$ sha256sum --check apache-openoffice-4.1.2-patch1.zip.sha256
apache-openoffice-4.1.2-patch1.zip: OK

$ gpg --verify apache-openoffice-4.1.2-patch1.zip.asc
...
gpg: Good signature from "Dennis E. Hamilton (orcmid) "
...

I copied the patched poly2.cxx from the zip file into 4.1.2 source downloaded 
from:
https://dist.apache.org/repos/dist/release/openoffice/4.1.2/source/

I built this patched AOO source with the following config on Fedora 20 x86-64:
./configure   \
--with-build-version="$(date +"%Y-%m-%d %H:%M") - `uname -sm`" \
--enable-verbose \
--with-system-stdlibs \
--enable-crashdump=yes \
--enable-category-b \
--enable-wiki-publisher \
--enable-bundled-dictionaries \
--enable-opengl  \
--enable-dbus  \
--enable-gstreamer \
--with-package-format="rpm deb" \
--with-lang="${LANGS}" \
--with-dmake-url=http://dmake.apache-extras.org.codespot.com/files/dmake-4.12.tar.bz2 \
--with-epm-url=http://www.msweet.org/files/project2/epm-3.7-source.tar.gz \
--with-jdk-home=/usr/java/jdk1.7.0_60

I uninstalled my existing AOO 4.1.2 and re-installed this build via rpm.

I ran the included smoketestdoc.swx document and ran the contained macro and 
got the same result as usual.
It failed on install extension as it has with previous tests.

Additionally I tested various new and existing documents and I am satisfied 
with the results.

Best regards,
Carl





Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-04 Thread Kay Schenk

On 08/02/2016 07:48 PM, Dennis E. Hamilton wrote:
> [BCC to PMC]
> 
> The Apache OpenOffice 4.1.2-patch1 source code mitigates the security 
> vulnerability described in the CVE-2016-1513 advisory 
> .
> 
> The patch has been applied in the building of modified Apache 4.1.2 binaries. 
>  The modified binaries have been successfully used as the source of single 
> modified shared-library files that can be copied into existing Apache 4.1.2 
> programs in order to eliminate the vulnerability.
> 
> This ballot is for release of the source code on which replacement or patched 
> Apache 4.1.2 binaries can be based.  The candidate source-code release for 
> patch1 is the archive 
> apache-openoffice-4.1.2-patch1.zip located at
> . 
> There are accompanying hash files (.md5 and .sha256) and a digital signature 
> file (.asc) for the source-code archive.
> 
> Please vote by reply to this dev@-list thread on the approval of the 
> candidate for release.
> 
>  [  ] +1 Approve, with description
+1 verified this was the patch I used for testing on CentOS 6.8, Linux-32
Checked md5 on download.

Verified sig as belonging to Dennis Hamilton.

>  [  ]  0 Abstain
>  [  ] -1 Disapprove, with explanation
> 
> For +1 Approve votes, please describe the results of verifying the patch 
> materials and success in building a 4.1.2 binary having the patch applied to 
> a particular 4.1.2 binary build.  
> 
> Please do not do anything but [VOTE] (with any +1 descriptions and -1 
> explanations) on this thread.
> 
> To discuss this vote or the process, please use a [DISCUSS][VOTE] reply 
> rather than discussing on the [VOTE] thread.
> 
> The [VOTE] will conclude no sooner than Monday, 2016-08-08T15:00Z.
> 
>  - Dennis E. Hamilton
>For the Apache OpenOffice Project Management Committee
> 

-- 

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud




Re: [VOTE] Release apache-openoffice-4.1.2-patch1 Source

2016-08-03 Thread Andrea Pescetti

Dennis E. Hamilton wrote:

> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/source
> Please vote by reply to this dev@-list thread on the approval of the candidate
> for release.
>   [  ] +1 Approve, with description
>   [  ]  0 Abstain
>   [  ] -1 Disapprove, with explanation

+1 Approve.

> For +1 Approve votes, please describe the results of verifying the patch
> materials


$ svn co https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/source


$ dos2unix apache-openoffice-4.1.2-patch1.zip.md5

(this is needed as apparently md5sum will get confused by newlines in 
the checksum file).


$ md5sum -c apache-openoffice-4.1.2-patch1.zip.md5
apache-openoffice-4.1.2-patch1.zip: OK

$ dos2unix apache-openoffice-4.1.2-patch1.zip.sha256
$ sha256sum -c apache-openoffice-4.1.2-patch1.zip.sha256
apache-openoffice-4.1.2-patch1.zip: OK

$ gpg --verify apache-openoffice-4.1.2-patch1.zip.asc apache-openoffice-4.1.2-patch1.zip


(worked and reported a valid signature by Dennis)

As for building, I verified that the poly2.cxx included is identical to 
the one in my AOO410 checkout, which I used to build OpenOffice on 
linux-64 a few days ago and run tests.


Additionally, the provided patch file matches with the output of
$ svn diff -c r1754535 main/tools/source/generic/poly2.cxx
as expected.

Regards,
  Andrea.
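
The checksum step several voters describe, as an added example that is not part of the thread or of the project's tooling: it compares a file's SHA-256 with the first field of a checksum file after stripping carriage returns, so a CRLF-terminated .sha256 file needs no dos2unix pass first. The function names and the sample file are constructed for illustration, and the checksum file is assumed to use the "digest  filename" layout that sha256sum -c reads.

```shell
#!/bin/sh
# Added example (not from the thread): check an archive against a .sha256 file
# that may carry CRLF line endings. All names below are hypothetical.

# expected_digest SUMFILE: first field of the first line, CR stripped, lowercased.
expected_digest() {
    tr -d '\r' < "$1" | awk 'NR == 1 { print tolower($1) }'
}

# actual_digest FILE: SHA-256 of FILE as lowercase hex.
actual_digest() {
    sha256sum < "$1" | awk '{ print $1 }'
}

# verify_sha256 FILE SUMFILE: 0 on match, 1 on mismatch, 2 if the checksum
# file does not start with a 64-digit hex string.
verify_sha256() {
    want=$(expected_digest "$2")
    case "$want" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    [ "$want" = "$(actual_digest "$1")" ]
}

# demo: build a constructed archive and a CRLF-terminated checksum file in a
# temp directory, then verify the intact file and a modified copy.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample archive\n' > "$dir/sample.zip"
    printf '%s  sample.zip\r\n' "$(actual_digest "$dir/sample.zip")" \
        > "$dir/sample.zip.sha256"
    intact=0
    verify_sha256 "$dir/sample.zip" "$dir/sample.zip.sha256" || intact=$?
    printf 'tampered\n' >> "$dir/sample.zip"
    modified=0
    verify_sha256 "$dir/sample.zip" "$dir/sample.zip.sha256" || modified=$?
    rm -rf "$dir"
    echo "intact=$intact modified=$modified"
}

demo
```

A matching digest only shows the download is intact; the gpg --verify step in the messages above is what ties the archive to the release manager's key.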
