
Re: Wheezy update of libreoffice?



Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
> 
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so yet.
>> After it is tested feel free to upload it.
> 
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing
libreoffice but the attached patch for graphite2 solves that.

A binary build was needed anyway since wheezy-security does not accept
source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can
still parse a valid RTF [1].

Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here
when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan to upload both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog
--- graphite2-1.3.6/debian/changelog	2016-03-09 12:12:34.000000000 +0100
+++ graphite2-1.3.6/debian/changelog	2016-07-29 19:30:16.000000000 +0200
@@ -1,3 +1,10 @@
+graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium
+
+  * LTS Team upload
+  * Fix .shlibs file to let reverse depenencies build
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 29 Jul 2016 19:29:22 +0200
+
 graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high
 
   * rebuild for oldstable-security 
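
Review bot: the second bullet of the new 1.3.6-1~deb7u2 entry misspells "dependencies" as "depenencies", and it does not say what was wrong with the .shlibs file. Suggest wording along the lines of "Fix soname version and add a minimum version in .shlibs so reverse dependencies build again", so the one-line change to debian/libgraphite2-2.0.0.shlibs can be understood from the changelog alone.
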
diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs
--- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-03-09 12:09:32.000000000 +0100
+++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-07-30 00:38:31.000000000 +0200
@@ -1 +1 @@
-libgraphite2	3	libgraphite2-2.0.0
+libgraphite2	2.0.0	libgraphite2-2.0.0 (>= 1.3.6-1~)
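
Review bot: on the added line, the second field (2.0.0) has to equal the version suffix of the SONAME of the library this package ships, otherwise dpkg-shlibdeps in reverse dependencies will still find no matching entry. Please confirm it against the built library (objdump -p on the installed .so and read the SONAME entry) before upload. The new (>= 1.3.6-1~) is copied into the Depends of every package built against this library from now on, so it should be the lowest version that actually provides the ABI in use.
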
diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog
--- libreoffice-3.5.4+dfsg2/debian/changelog	2016-02-11 18:15:51.000000000 +0100
+++ libreoffice-3.5.4+dfsg2/debian/changelog	2016-07-30 12:58:16.000000000 +0200
@@ -1,3 +1,17 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high
+
+  [ Rene Engelhard ]
+  * merge from Ubuntu:
+    - SECURITY UPDATE: Denial of service and possible arbitrary code execution
+      via a crafted RTF file
+      + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
+      + CVE-2016-4324
+
+  [ Balint Reczey ]
+  * depend on libgraphite2-dev version which has working shlibs file
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sat, 30 Jul 2016 12:58:14 +0200
+
 libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high
 
   * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
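
Review bot: under [ Balint Reczey ], "depend on libgraphite2-dev version which has working shlibs file" describes a change that the debian/control hunk makes to Build-Depends, so "build-depend on libgraphite2-dev (>= 1.3.6-1~deb7u2)" would be more accurate and would record the exact version. The security item itself is fine as written: it names the patch file and CVE-2016-4324.
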
diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control
--- libreoffice-3.5.4+dfsg2/debian/control	2013-05-29 23:22:11.000000000 +0200
+++ libreoffice-3.5.4+dfsg2/debian/control	2016-07-30 12:52:29.000000000 +0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
 Uploaders: Rene Engelhard <rene@debian.org>
-Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libloader-java (>= 
1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev
+Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libloader-java 
(>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev
 Build-Depends-Indep: fdupes, xml-core, imagemagick, fontforge
 Build-Conflicts: libcairo2 (= 1.4.8-1), libxul-dev (= 1.8.0.13~pre070720-0etch1), gjdoc (= 0.7.8-2), libc6-dev (= 2.6.1-3) [i386 amd64], libc6-dev (= 2.6.1-4) [i386 amd64], libc0.1-dev (= 2.13-26) [kfreebsd-i386 kfreebsd-amd64], nvidia-glx-dev, nvidia-glx-legacy-dev, gcj-4.2 (= 4.2.2-6), flex (= 2.5.34-1) [amd64], libboost1.39-dev (<< 1.39.0-2), graphicsmagick-imagemagick-compat (<< 1.3.9~), qt3-dev-tools, ant (= 1.8.0-1) [hppa kfreebsd-i386 kfreebsd-amd64], ant (= 1.8.0-2) [hppa kfreebsd-i386 kfreebsd-amd64], ant (= 1.8.0-3) [hppa kfreebsd-i386 kfreebsd-amd64], g++-4.6 (= 4.6.1-10), g++-4.6 (= 4.6.1-11), gcc (>= 4:4.7~) [!i386 !amd64 !kfreebsd-i386 !kfreebsd-amd64], g++ (>= 4:4.7~) [!i386 !amd64 !kfreebsd-i386 !kfreebsd-amd64], base-files (= 6.0), base-files (= 6.0squeeze1), libhsqldb-java (>= 1.8.1~)
 Standards-Version: 3.9.1
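
Review bot: the new constraint libgraphite2-dev (>= 1.3.6-1~deb7u2) names a version that is only introduced by the graphite2 changelog hunk in this same patch set, so libreoffice is unbuildable until that graphite2 upload has been accepted and is installable in the build environment. Upload graphite2 first and check that it is available before uploading libreoffice. The rest of the Build-Depends line is unchanged, which matches the changelog.
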
diff -Nru libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff
--- libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff	1970-01-01 01:00:00.000000000 +0100
+++ libreoffice-3.5.4+dfsg2/debian/patches/rtf-use-after-free.diff	2016-07-28 17:23:27.000000000 +0200
@@ -0,0 +1,13 @@
+Index: libreoffice-3.5.7/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+===================================================================
+--- libreoffice-3.5.7.orig/writerfilter/source/rtftok/rtfdocumentimpl.cxx	2016-06-25 00:31:33.000000000 +0200
++++ libreoffice-3.5.7/writerfilter/source/rtftok/rtfdocumentimpl.cxx	2016-06-25 02:45:28.997653128 +0200
+@@ -486,6 +486,8 @@
+ 
+ void RTFDocumentImpl::parBreak()
+ {
++    if(m_aStates.empty())
++        return;
+     checkFirstRun();
+     checkNeedPap();
+     // end previous paragraph
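
Review bot: the new debian/patches/rtf-use-after-free.diff carries no patch header (Description, Origin, CVE reference), and its Index: and ---/+++ paths refer to libreoffice-3.5.7 while this source package is 3.5.4+dfsg2. Please add a short header stating that it comes from Ubuntu (as the changelog says) and fixes CVE-2016-4324, and confirm that the hunk at line 486 applies to the 3.5.4 tree without fuzz. On the code itself, the early return in parBreak() when m_aStates is empty is silent; a one-line comment saying why an empty state stack can occur here would help the next person who touches it.
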
diff -Nru libreoffice-3.5.4+dfsg2/debian/patches/series libreoffice-3.5.4+dfsg2/debian/patches/series
--- libreoffice-3.5.4+dfsg2/debian/patches/series	2016-02-05 21:01:41.000000000 +0100
+++ libreoffice-3.5.4+dfsg2/debian/patches/series	2016-07-28 17:32:56.000000000 +0200
@@ -62,3 +62,4 @@
 V-a7vjdei7l7.diff
 V-mgylorku1q.diff
 V-pxk0pgyk9d.diff
+rtf-use-after-free.diff
