[ooo-build] security fix for CVE-2009-3736

Rene Engelhard rene at debian.org
Wed Dec 16 15:30:10 PST 2009


Hi again,

On Thu, Dec 17, 2009 at 12:24:38AM +0100, Rene Engelhard wrote:
> There isn't. There was one once, but it will not work ever unless
> the whole stuff is drastically changed. (Or you patch your xmlsec
> with all the intrusive changes OOo did on xmlsec). At least it got
> updated to a current upstream in 3.2, but still with an intrusive patch...

Actually, 1.2.12 instead of 1.2.14 (which has that CVE fixed), but as
said, we're probably not affected anyhow.

> If there was one, distros would already be using it, be sure :-)
> 
> > dealing with the CVE-2009-3736 [1] that affects libltdl and which is
> > bundled in the xmlsec. As I didn't find any option to link
> > ooo-build 3.1.1 with a fixed system version I've adapted a patch our
> > secteam has done to fix xmlsec 1.2.10 based on [2].
> 
> OOo builds do *not* use --enable-crypto_dl for xmlsec.
> So no ltdl usage afaics -> not affected.

FTR, this was discussed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559831

Grüße/Regards,
 
Rene
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  rene at debian.org | GnuPG-Key ID: D03E3E70
   `-   Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70

