From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
From: Marius Bakke <address@hidden>
Date: Sun, 11 Feb 2018 11:46:27 +0100
Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].

* gnu/packages/check.scm (cppunit-1.14): New public variable.
* gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
(libreoffice): Update to 5.4.5.1.
[native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
[inputs]: Add GPGME and XMLSEC-NSS.  Remove XMLSEC-SRC-LIBREOFFICE.  Replace
LIBJPEG with LIBJPEG-TURBO.
[arguments]: Remove xmlsec code from PREPARE-SRC-PHASE.  Make sure GPGME++
headers are found.  Add workaround for <https://bugs.gentoo.org/641812>.  Add
"--disable-pdfium" to #:configure-flags.
* gnu/packages/xml.scm (xmlsec-nss): New public variable.
---
 gnu/packages/check.scm       | 17 ++++++++++++
 gnu/packages/libreoffice.scm | 61 ++++++++++++++++++++------------------------
 gnu/packages/xml.scm         | 12 ++++++++-
 3 files changed, 56 insertions(+), 34 deletions(-)

diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1276c0fda..8f21baa09 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -157,6 +157,23 @@ unit testing.  Test output is in XML for automatic testing and GUI based for
 supervised tests.")
     (license license:lgpl2.1))) ; no copyright notices. LGPL2.1 is in the tarball
 
+;; Some packages require this newer version of cppunit.  However, it needs
+;; C++11 support, which is not enabled by default in our current GCC, and
+;; updating in-place would require adding CXXFLAGS to many dependent packages.
+;; Thus, keep as a separate variable for now.
+;; TODO: Remove this when our default GCC is updated to 6 or higher.
+(define-public cppunit-1.14
+  (package
+    (inherit cppunit)
+    (version "1.14.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://dev-www.libreoffice.org/src/"
+                                  "cppunit-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1027cyfx5gsjkdkaf6c2wnjh68882grw8n672018cj3vs9lrhmix"))))))
+
 (define-public catch-framework
   (package
     (name "catch")
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 799b06243..b2546e146 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <address@hidden>
 ;;; Copyright © 2017 Andy Wingo <address@hidden>
 ;;; Copyright © 2017 Ludovic Courtès <address@hidden>
-;;; Copyright © 2017 Marius Bakke <address@hidden>
+;;; Copyright © 2017, 2018 Marius Bakke <address@hidden>
 ;;; Copyright © 2017 Rutger Helling <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,6 +54,7 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gperf)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages gtk)
@@ -839,22 +840,10 @@ and to return information on pronunciations, meanings and synonyms.")
     (license (non-copyleft "file://COPYING"
                            "See COPYING in the distribution."))))
 
-;; LibreOffice requires an xmlsec source tarball; it does not even check
-;; for the presence of an externally compiled library.
-(define xmlsec-src-libreoffice
-  (origin
-    (method url-fetch)
-    (uri
-      (string-append
-       "http://dev-www.libreoffice.org/src/"
-       "86b1daaa438f5a7bea9a52d7b9799ac0-xmlsec1-1.2.23.tar.gz"))
-    (sha256 (base32
-             "17qfw5crkqn4v6xbkjxrjvcccfc00dy053892wrwv54qdk8n7m21"))))
-
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.3.7.2")
+    (version "5.4.5.1")
     (source
      (origin
       (method url-fetch)
@@ -863,7 +852,7 @@ and to return information on pronunciations, meanings and synonyms.")
           "https://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "0z7fssp0jcj09wxad1wmhy69n71a2mwl933lxp9dz5sdvzncxmy3"))))
+               "167bh6jgyhfcvn3g7xghkg4nb99h91diypdlry5df21xs8bis5gb"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; autoreconf is run by the LibreOffice build system, since after
@@ -872,7 +861,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("autoconf" ,autoconf)
        ("automake" ,automake)
        ("bison" ,bison)
-       ("cppunit" ,cppunit)
+       ("cppunit" ,cppunit-1.14)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -888,6 +877,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("glew" ,glew)
        ("glm" ,glm)
        ("gperf" ,gperf)
+       ("gpgme" ,gpgme)
        ("graphite2" ,graphite2)
        ("gst-plugins-base" ,gst-plugins-base)
        ("gtk+" ,gtk+)
@@ -897,7 +887,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("libabw" ,libabw)
        ("libcdr" ,libcdr)
        ("libcmis" ,libcmis)
-       ("libjpeg" ,libjpeg)
+       ("libjpeg-turbo" ,libjpeg-turbo)
        ("libe-book" ,libe-book)
        ("libetonyek" ,libetonyek)
        ("libexttextcat" ,libexttextcat)
@@ -935,7 +925,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("unixodbc" ,unixodbc)
        ("unzip" ,unzip)
        ("vigra" ,vigra)
-       ("xmlsec-src" ,xmlsec-src-libreoffice)
+       ("xmlsec" ,xmlsec-nss)
        ("zip" ,zip)))
     (arguments
      `(#:tests? #f ; Building the tests already fails.
@@ -944,26 +934,27 @@ and to return information on pronunciations, meanings and synonyms.")
          (modify-phases %standard-phases
            (add-before 'configure 'prepare-src
              (lambda* (#:key inputs #:allow-other-keys)
-               (let ((xmlsec (assoc-ref inputs "xmlsec-src")))
+               (let ((gpgme (assoc-ref inputs "gpgme")))
                  (substitute*
                    (list "sysui/CustomTarget_share.mk"
                          "solenv/gbuild/gbuild.mk"
                          "solenv/gbuild/platform/unxgcc.mk")
                    (("/bin/sh") (which "sh")))
-                 (mkdir "external/tarballs")
-                 (symlink
-                   xmlsec
-                   (string-append "external/tarballs/"
-                                  "86b1daaa438f5a7bea9a52d7b9799ac0-"
-                                  "xmlsec1-1.2.23.tar.gz"))
-                 ;; The following is required for building xmlsec from the
-                 ;; unpatched external tarball; since "configure" starts with
-                 ;; "/bin/sh", it needs to be executed by a command invoking
-                 ;; the shell.
-                 (setenv "SHELL" (which "bash"))
-                 (setenv "CONFIG_SHELL" (which "bash"))
-                 (substitute* "external/libxmlsec/ExternalProject_xmlsec.mk"
-                   (("./configure") "$(CONFIG_SHELL) ./configure" ))
+
+                 ;; GPGME++ headers are installed in a gpgme++ subdirectory,
+                 ;; but files in "xmlsecurity/source/gpg/" expect to find them
+                 ;; on the include path without a prefix.
+                 (substitute* "xmlsecurity/Library_xsec_xmlsec.mk"
+                   (("\\$\\$\\(INCLUDE\\)")
+                    (string-append "$$(INCLUDE) -I" gpgme "/include/gpgme++")))
+
+                 ;; XXX: When GTK2 is disabled, one header file is not included.
+                 ;; This is likely fixed in later versions.  See also
+                 ;; <https://bugs.gentoo.org/641812>.
+                 (substitute* "vcl/unx/gtk3/gtk3gtkframe.cxx"
+                   (("#include <unx/gtk/gtkgdi.hxx>")
+                    "#include <unx/gtk/gtkgdi.hxx>\n#include <unx/gtk/gtksalmenu.hxx>"))
+
                  #t)))
            (add-after 'install 'bin-and-desktop-install
              ;; Create 'soffice' and 'libreoffice' symlinks to the executable
@@ -1037,6 +1028,10 @@ and to return information on pronunciations, meanings and synonyms.")
           "--disable-coinmp"
           "--disable-firebird-sdbc" ; embedded firebird
           "--disable-gltf"
+          ;; XXX: PDFium support requires fetching an external tarball and
+          ;; patching the build scripts to work with GCC5.  Try enabling this
+          ;; when our default compiler is >=GCC 6.
+          "--disable-pdfium"
           "--disable-gtk" ; disable use of GTK+ 2
           "--without-doxygen")))
     (home-page "https://www.libreoffice.org/")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a0937582f..39cfc4530 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <address@hidden>
 ;;; Copyright © 2016, 2017 ng0 <address@hidden>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <address@hidden>
-;;; Copyright © 2016, 2017 Marius Bakke <address@hidden>
+;;; Copyright © 2016, 2017, 2018 Marius Bakke <address@hidden>
 ;;; Copyright © 2017 Adriano Peluso <address@hidden>
 ;;; Copyright © 2017 Gregor Giesen <address@hidden>
 ;;; Copyright © 2017 Alex Vong <address@hidden>
@@ -40,6 +40,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages python)
@@ -970,6 +971,15 @@ Libxml2).")
     (license (license:x11-style "file://COPYING"
                                 "See 'COPYING' in the distribution."))))
 
+(define-public xmlsec-nss
+  (package
+    (inherit xmlsec)
+    (name "xmlsec-nss")
+    (inputs
+     `(("nss" ,nss)
+       ("libltdl" ,libltdl)))
+    (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
+
 (define-public minixml
   (package
     (name "minixml")
-- 
2.16.1