bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

[Marius Bakke]

Leo Famulari <address@hidden> writes:

>> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <address@hidden>
>> Date: Sun, 11 Feb 2018 11:46:27 +0100
>> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
>> 
>> * gnu/packages/check.scm (cppunit-1.14): New public variable.
>> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
>> (libreoffice): Update to 5.4.5.1.
>> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
>> [inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
>> LIBJPEG with LIBJPEG-TURBO.
>> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
>> headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
>> "--disable-pdfium" to #:configure-flags.
>> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
>
> The only change I suggest is to remove the obsolete comment at the
> beginning of libreoffice's native-inputs about the xmlsec tarball.

Good catch.  It seems the autoconf and automake inputs are no longer
required.  But I unfortunately spoke too soon earlier, it failed very
late in the build:

[build CMP] filter/source/xsltdialog/xsltdlg
ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[1]: *** 
[/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10:
 
/tmp/guix-build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/libxsec_xmlsec.so]
 Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:269: build] Error 2
phase `build' failed after 2114.1 seconds

I've attached a revised patch that adds libltdl, and removes the
automake inputs.  However, I have to leave now, so could you please
verify that it works and push?  I can provide moral support on #guix if
nothing else :-)

TIA!

0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch
Description: Text Data