[Libreoffice-commits] core.git: Branch 'distro/mimo/mimo-6-2' - 3 commits - configure.ac download.lst external/libxslt external/openssl
Andras Timar (via logerrit)
logerrit at kemper.freedesktop.org
Fri Sep 10 18:39:08 UTC 2021
Rebased ref, commits from common ancestor:
commit 332f2851c6cbb83d5a5d07b293819a5aba3e7049
Author: Andras Timar <andras.timar at collabora.com>
AuthorDate: Thu Sep 9 13:43:04 2021 +0200
Commit: Andras Timar <andras.timar at collabora.com>
CommitDate: Fri Sep 10 20:38:24 2021 +0200
Bump product version to 6.2.8.2.M5
Change-Id: I59145513f596b583c80f5e9a843956b3175aa3d2
diff --git a/configure.ac b/configure.ac
index 078dfca928d7..a60bef2d6124 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,7 +9,7 @@ dnl in order to create a configure script.
# several non-alphanumeric characters, those are split off and used only for the
# ABOUTBOXPRODUCTVERSIONSUFFIX in openoffice.lst. Why that is necessary, no idea.
-AC_INIT([LibreOffice],[6.2.8.2.M4],[],[],[http://documentfoundation.org/])
+AC_INIT([LibreOffice],[6.2.8.2.M5],[],[],[http://documentfoundation.org/])
AC_PREREQ([2.59])
commit 043c6900bdc560a5e916a636eb5e566dfb42756b
Author: Michael Stahl <michael.stahl at allotropia.de>
AuthorDate: Wed Aug 25 11:32:11 2021 +0200
Commit: Andras Timar <andras.timar at collabora.com>
CommitDate: Fri Sep 10 20:38:24 2021 +0200
openssl: add patch for CVE-2021-3712
Change-Id: I4061cbac18ddf9c7f932a27bf2b54a2b1c2f9d99
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121029
Tested-by: Michael Stahl <michael.stahl at allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl at allotropia.de>
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index ad600cce1412..e7fca1116545 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -22,6 +22,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/openssl-3650-masm.patch.1 \
external/openssl/openssl-fixbuild.patch.1 \
external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 \
+ external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 \
))
# vim: set noet sw=4 ts=4:
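Review bot: The added entry `ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1` is named only by its upstream commit hash, whereas the entry directly above it, `openssl-1.0.2k-cve-2020-1971.patch.1`, carries the advisory id in its file name. A name following the same pattern, for example `openssl-1.0.2k-cve-2021-3712.patch.1`, would let someone auditing the bundled OpenSSL read the covered CVEs straight from this patch list without opening each file.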
diff --git a/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1
new file mode 100644
index 000000000000..cf809750ecfb
--- /dev/null
+++ b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1
@@ -0,0 +1,56 @@
+From ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Tue, 17 Aug 2021 14:41:48 +0100
+Subject: [PATCH] Fix a read buffer overrun in X509_CERT_AUX_print()
+
+This is a backport of commit c5dc9ab965f to 1.0.2. That commit fixed
+the same bug but in master/1.1.1 it is in the function X509_aux_print().
+The original commit had the following description:
+
+Fix a read buffer overrun in X509_aux_print().
+
+The ASN1_STRING_get0_data(3) manual explitely cautions the reader
+that the data is not necessarily NUL-terminated, and the function
+X509_alias_set1(3) does not sanitize the data passed into it in any
+way either, so we must assume the return value from X509_alias_get0(3)
+is merely a byte array and not necessarily a string in the sense
+of the C language.
+
+I found this bug while writing manual pages for X509_print_ex(3)
+and related functions. Theo Buehler <tb at openbsd.org> checked my
+patch to fix the same bug in LibreSSL, see
+
+http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
+
+As an aside, note that the function still produces incomplete and
+misleading results when the data contains a NUL byte in the middle
+and that error handling is consistently absent throughout, even
+though the function provides an "int" return value obviously intended
+to be 1 for success and 0 for failure, and even though this function
+is called by another function that also wants to return 1 for success
+and 0 for failure and even does so in many of its code paths, though
+not in others. But let's stay focussed. Many things would be nice
+to have in the wide wild world, but a buffer overflow must not be
+allowed to remain in our backyard.
+
+CVE-2021-3712
+
+Reviewed-by: Paul Dale <pauli at openssl.org>
+---
+ crypto/asn1/t_x509a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
+index d1b897a469fd..b1bc9d0cd28b 100644
+--- a/crypto/asn1/t_x509a.c
++++ b/crypto/asn1/t_x509a.c
+@@ -104,7 +104,8 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+ } else
+ BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+ if (aux->alias)
+- BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data);
++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length,
++ aux->alias->data);
+ if (aux->keyid) {
+ BIO_printf(out, "%*sKey Id: ", indent, "");
+ for (i = 0; i < aux->keyid->length; i++)
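Review bot: The commit title presents this as the patch for CVE-2021-3712, but the only code change is the `%.*s` format with `aux->alias->length` in `X509_CERT_AUX_print()` in `crypto/asn1/t_x509a.c`. As far as I know, the upstream advisory for that CVE also covers other places where ASN1_STRING data is read as a NUL-terminated C string. It is therefore worth checking whether the bundled 1.0.2 tree needs further backports, and stating the scope in the commit message, e.g. `Only the X509_CERT_AUX_print() overrun is patched; other ASN1_STRING users in 1.0.2 were not reviewed.` The quoted upstream description itself concedes that an alias containing an embedded NUL is still printed truncated and that the `BIO_printf` return value is ignored, and neither is addressed here. The function starts and ends outside the hunk.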
commit d789344f41be91b0f6308e30fa6b97a1b2d7e11e
Author: Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Nov 20 15:08:24 2019 +0100
Commit: Andras Timar <andras.timar at collabora.com>
CommitDate: Fri Sep 10 20:38:24 2021 +0200
libxslt: upgrade to release 1.1.34
Fixes CVE-2019-18197.
Remove obsolete e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1.
Change-Id: I95cf498e245083528f98bfef8cdd240bbe2211b9
Reviewed-on: https://gerrit.libreoffice.org/83312
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl at cib.de>
(cherry picked from commit e9ea24cc004a8b9a5856f2f268bd40433c504db1)
Reviewed-on: https://gerrit.libreoffice.org/83377
(cherry picked from commit d19b32c779bfeb51ef9570c3de8ed1925ec44473)
Reviewed-on: https://gerrit.libreoffice.org/83419
Tested-by: Michael Stahl <michael.stahl at cib.de>
diff --git a/download.lst b/download.lst
index 720b66ff4017..22d73b69a31f 100644
--- a/download.lst
+++ b/download.lst
@@ -159,8 +159,8 @@ export XMLSEC_TARBALL := xmlsec1-1.2.27.tar.gz
export LIBXML_SHA256SUM := c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92
export LIBXML_VERSION_MICRO := 12
export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.gz
-export LIBXSLT_SHA256SUM := 8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8
-export LIBXSLT_VERSION_MICRO := 33
+export LIBXSLT_SHA256SUM := 98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f
+export LIBXSLT_VERSION_MICRO := 34
export LIBXSLT_TARBALL := libxslt-1.1.$(LIBXSLT_VERSION_MICRO).tar.gz
export LPSOLVE_SHA256SUM := 171816288f14215c69e730f7a4f1c325739873e21f946ff83884b350574e6695
export LPSOLVE_TARBALL := 26b3e95ddf3d9c077c480ea45874b3b8-lp_solve_5.5.tar.gz
diff --git a/external/libxslt/UnpackedTarball_libxslt.mk b/external/libxslt/UnpackedTarball_libxslt.mk
index beb591b8b2a8..b035e99f0a79 100644
--- a/external/libxslt/UnpackedTarball_libxslt.mk
+++ b/external/libxslt/UnpackedTarball_libxslt.mk
@@ -19,7 +19,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,libxslt,\
external/libxslt/libxslt-msvc.patch.2 \
external/libxslt/libxslt-1.1.26-memdump.patch \
external/libxslt/rpath.patch.0 \
- external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1 \
+ external/libxslt/e2584eed1c84c18f16e42188c30d2c3d8e3e8853.patch.1 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1 b/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1
deleted file mode 100644
index 260f35d1a35e..000000000000
--- a/external/libxslt/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch.1
+++ /dev/null
@@ -1,120 +0,0 @@
-From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer at aevum.de>
-Date: Sun, 24 Mar 2019 09:51:39 +0100
-Subject: [PATCH] Fix security framework bypass
-
-xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
-don't check for this condition and allow access. With a specially
-crafted URL, xsltCheckRead could be tricked into returning an error
-because of a supposedly invalid URL that would still be loaded
-succesfully later on.
-
-Fixes #12.
-
-Thanks to Felix Wilhelm for the report.
----
- libxslt/documents.c | 18 ++++++++++--------
- libxslt/imports.c | 9 +++++----
- libxslt/transform.c | 9 +++++----
- libxslt/xslt.c | 9 +++++----
- 4 files changed, 25 insertions(+), 20 deletions(-)
-
-diff --git a/libxslt/documents.c b/libxslt/documents.c
-index 3f3a7312..4aad11bb 100644
---- a/libxslt/documents.c
-+++ b/libxslt/documents.c
-@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
- int res;
-
- res = xsltCheckRead(ctxt->sec, ctxt, URI);
-- if (res == 0) {
-- xsltTransformError(ctxt, NULL, NULL,
-- "xsltLoadDocument: read rights for %s denied\n",
-- URI);
-+ if (res <= 0) {
-+ if (res == 0)
-+ xsltTransformError(ctxt, NULL, NULL,
-+ "xsltLoadDocument: read rights for %s denied\n",
-+ URI);
- return(NULL);
- }
- }
-@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
- int res;
-
- res = xsltCheckRead(sec, NULL, URI);
-- if (res == 0) {
-- xsltTransformError(NULL, NULL, NULL,
-- "xsltLoadStyleDocument: read rights for %s denied\n",
-- URI);
-+ if (res <= 0) {
-+ if (res == 0)
-+ xsltTransformError(NULL, NULL, NULL,
-+ "xsltLoadStyleDocument: read rights for %s denied\n",
-+ URI);
- return(NULL);
- }
- }
-diff --git a/libxslt/imports.c b/libxslt/imports.c
-index 874870cc..3783b247 100644
---- a/libxslt/imports.c
-+++ b/libxslt/imports.c
-@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
- int secres;
-
- secres = xsltCheckRead(sec, NULL, URI);
-- if (secres == 0) {
-- xsltTransformError(NULL, NULL, NULL,
-- "xsl:import: read rights for %s denied\n",
-- URI);
-+ if (secres <= 0) {
-+ if (secres == 0)
-+ xsltTransformError(NULL, NULL, NULL,
-+ "xsl:import: read rights for %s denied\n",
-+ URI);
- goto error;
- }
- }
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 13793914..0636dbd0 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
- */
- if (ctxt->sec != NULL) {
- ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
-- if (ret == 0) {
-- xsltTransformError(ctxt, NULL, inst,
-- "xsltDocumentElem: write rights for %s denied\n",
-- filename);
-+ if (ret <= 0) {
-+ if (ret == 0)
-+ xsltTransformError(ctxt, NULL, inst,
-+ "xsltDocumentElem: write rights for %s denied\n",
-+ filename);
- xmlFree(URL);
- xmlFree(filename);
- return;
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 780a5ad7..a234eb79 100644
---- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
- int res;
-
- res = xsltCheckRead(sec, NULL, filename);
-- if (res == 0) {
-- xsltTransformError(NULL, NULL, NULL,
-- "xsltParseStylesheetFile: read rights for %s denied\n",
-- filename);
-+ if (res <= 0) {
-+ if (res == 0)
-+ xsltTransformError(NULL, NULL, NULL,
-+ "xsltParseStylesheetFile: read rights for %s denied\n",
-+ filename);
- return(NULL);
- }
- }
---
-2.18.1
-
diff --git a/external/libxslt/e2584eed1c84c18f16e42188c30d2c3d8e3e8853.patch.1 b/external/libxslt/e2584eed1c84c18f16e42188c30d2c3d8e3e8853.patch.1
new file mode 100644
index 000000000000..f82c2e4f77ee
--- /dev/null
+++ b/external/libxslt/e2584eed1c84c18f16e42188c30d2c3d8e3e8853.patch.1
@@ -0,0 +1,69 @@
+From e2584eed1c84c18f16e42188c30d2c3d8e3e8853 Mon Sep 17 00:00:00 2001
+From: Chun-wei Fan <fanchunwei at src.gnome.org>
+Date: Tue, 12 Nov 2019 17:37:05 +0800
+Subject: [PATCH] win32: Add configuration for profiler
+
+Without this the generated xsltconfig.h will not be complete as there
+will be a configuration variable that is left in the header, breaking
+builds.
+
+This will allow one to enable or disable profiler support in Windows
+builds, and the default is to enable this.
+---
+ win32/configure.js | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/win32/configure.js b/win32/configure.js
+index 56694cce..12c99f30 100644
+--- a/win32/configure.js
++++ b/win32/configure.js
+@@ -47,6 +47,7 @@ var withIconv = true;
+ var withZlib = false;
+ var withCrypto = true;
+ var withModules = false;
++var withProfiler = true;
+ /* Win32 build options. */
+ var dirSep = "\\";
+ var compiler = "msvc";
+@@ -106,6 +107,7 @@ function usage()
+ txt += " zlib: Use zlib library (" + (withZlib? "yes" : "no") + ")\n";
+ txt += " crypto: Enable Crypto support (" + (withCrypto? "yes" : "no") + ")\n";
+ txt += " modules: Enable Module support (" + (withModules? "yes" : "no") + ")\n";
++ txt += " profiler: Enable Profiler support (" + (withProfiler? "yes" : "no") + ")\n";
+ txt += "\nWin32 build options, default value given in parentheses:\n\n";
+ txt += " compiler: Compiler to be used [msvc|mingw] (" + compiler + ")\n";
+ txt += " cruntime: C-runtime compiler option (only msvc) (" + cruntime + ")\n";
+@@ -192,6 +194,7 @@ function discoverVersion()
+ vf.WriteLine("WITH_ZLIB=" + (withZlib? "1" : "0"));
+ vf.WriteLine("WITH_CRYPTO=" + (withCrypto? "1" : "0"));
+ vf.WriteLine("WITH_MODULES=" + (withModules? "1" : "0"));
++ vf.WriteLine("WITH_PROFILER=" + (withProfiler? "1" : "0"));
+ vf.WriteLine("DEBUG=" + (buildDebug? "1" : "0"));
+ vf.WriteLine("STATIC=" + (buildStatic? "1" : "0"));
+ vf.WriteLine("PREFIX=" + buildPrefix);
+@@ -240,6 +243,8 @@ function configureXslt()
+ of.WriteLine(s.replace(/\@WITH_DEBUGGER\@/, withDebugger? "1" : "0"));
+ } else if (s.search(/\@WITH_MODULES\@/) != -1) {
+ of.WriteLine(s.replace(/\@WITH_MODULES\@/, withModules? "1" : "0"));
++ } else if (s.search(/\@WITH_PROFILER\@/) != -1) {
++ of.WriteLine(s.replace(/\@WITH_PROFILER\@/, withProfiler? "1" : "0"));
+ } else if (s.search(/\@LIBXSLT_DEFAULT_PLUGINS_PATH\@/) != -1) {
+ of.WriteLine(s.replace(/\@LIBXSLT_DEFAULT_PLUGINS_PATH\@/, "NULL"));
+ } else
+@@ -343,6 +348,8 @@ for (i = 0; (i < WScript.Arguments.length) && (error == 0); i++) {
+ withCrypto = strToBool(arg.substring(opt.length + 1, arg.length));
+ else if (opt == "modules")
+ withModules = strToBool(arg.substring(opt.length + 1, arg.length));
++ else if (opt == "profiler")
++ withProfiler = strToBool(arg.substring(opt.length + 1, arg.length));
+ else if (opt == "compiler")
+ compiler = arg.substring(opt.length + 1, arg.length);
+ else if (opt == "cruntime")
+@@ -477,6 +484,7 @@ txtOut += " Use iconv: " + boolToStr(withIconv) + "\n";
+ txtOut += " With zlib: " + boolToStr(withZlib) + "\n";
+ txtOut += " Crypto: " + boolToStr(withCrypto) + "\n";
+ txtOut += " Modules: " + boolToStr(withModules) + "\n";
++txtOut += " Profiler: " + boolToStr(withProfiler) + "\n";
+ txtOut += "\n";
+ txtOut += "Win32 build configuration\n";
+ txtOut += "-------------------------\n";
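Review bot: `var withProfiler = true;` makes profiler support the default, so the bundled Windows build of libxslt is compiled with it unless the configure invocation passes `profiler=no`; that invocation is not visible in this commit. If LibreOffice does not use XSLT profiling, passing `profiler=no` from the libxslt build makefile would keep unused code out of the shipped library. The patch is imported only to make the generated `xsltconfig.h` complete, so disabling the feature should not affect that fix.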
diff --git a/external/libxslt/libxslt-config.patch.1 b/external/libxslt/libxslt-config.patch.1
index 5f9d107bd1e7..e4ce5d9e27cf 100644
--- a/external/libxslt/libxslt-config.patch.1
+++ b/external/libxslt/libxslt-config.patch.1
@@ -23,13 +23,13 @@ Hack the xslt-config to return paths into WORKDIR.
usage()
{
-@@ -89,7 +95,8 @@
- shift
- done
+@@ -92,7 +98,8 @@
+ libs="@XSLT_LIBDIR@ $libs"
+ fi
--the_libs="@XSLT_LIBDIR@ @XSLT_LIBS@ @EXTRA_LIBS@"
-+#the_libs="@XSLT_LIBDIR@ @XSLT_LIBS@ @EXTRA_LIBS@"
-+the_libs="-L${libdir}/libxslt/.libs -L${libdir}/libexslt/.libs -lxslt -lm"
- if test "$includedir" != "/usr/include"; then
- the_flags="$the_flags -I$includedir `@XML_CONFIG@ --cflags`"
- else
+- libs="$libs @EXTRA_LIBS@"
++ #libs="$libs @EXTRA_LIBS@"
++ libs="-L${libdir}/libxslt/.libs -L${libdir}/libexslt/.libs -lxslt -lm"
+ ;;
+
+ *)
diff --git a/external/libxslt/libxslt-internal-symbols.patch.1 b/external/libxslt/libxslt-internal-symbols.patch.1
index 7b13e1007c00..84a15154d729 100644
--- a/external/libxslt/libxslt-internal-symbols.patch.1
+++ b/external/libxslt/libxslt-internal-symbols.patch.1
@@ -1,13 +1,13 @@
--- xslt/libxslt/libxslt.syms.orig 2017-09-05 16:25:50.504966267 +0200
+++ xslt/libxslt/libxslt.syms 2017-09-05 16:41:00.256895709 +0200
@@ -497,5 +497,10 @@
- # xsltInternals
- xsltFlagRVTs;
- xsltDecimalFormatGetByQName;
+
+ # pattern
+ xsltCompMatchClearCache;
+
+# Solaris ld needs explicit auto-reduction (or, alternatively, "-B local")
+ local:
+ *;
+
- } LIBXML2_1.1.27;
+ } LIBXML2_1.1.30;