[ooo-build] ooo-build Digest, Vol 7, Issue 10

Mackenzie, Stewart / Kuehne + Nagel / Hkg RI-ED Stewart.Mackenzie at kuehne-nagel.com
Thu Dec 17 17:04:07 PST 2009


Yes, you're right, there were two missing! Just recently moved workspaces.

ooo-build-request at lists.freedesktop.org wrote:
> Today's Topics:
>
>    1. security fix for CVE-2009-3736 (Rafael Cabral)
>    2. Re: security fix for CVE-2009-3736 (Rene Engelhard)
>    3. Re: security fix for CVE-2009-3736 (Rene Engelhard)
>    4. Re: Building OOo without webdav (Davide Dozza)
>    5. REMINDER: Release 3.2-rc1 from ooo-build master (Petr Mladek)
>    6. Re: Building OOo without webdav (Petr Mladek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 16 Dec 2009 20:55:42 -0200
> From: Rafael Cabral <cabral at mandriva.com>
> Subject: [ooo-build] security fix for CVE-2009-3736
> To: ooo-build at lists.freedesktop.org
> Message-ID: <4B29656E.7050102 at mandriva.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Do you know if there is some --with-system-libxmlsec available ?  We are 
> dealing with the CVE-2009-3736 [1] that affects libltdl and which is 
> bundled in the xmlsec. As far as I didn't find any option to link 
> ooo-build 3.1.1 with a fixed system version I've adapted a patch our 
> secteam has done to fix xmlsec 1.2.10 based on [2].
>
> The patch (xmlsec-CVE-2009-3736.diff) appends the fix in the 
> ./libxmlsec/xmlsec1-1.2.6.patch to be properly applied.
>
> 1 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
> 2 - http://lists.gnu.org/archive/html/libtool/2009-11/msg00065.html
>
> tks
> Rafael Cabral
> Mandriva
>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: xmlsec-CVE-2009-3736.diff
> Url: http://lists.freedesktop.org/archives/ooo-build/attachments/20091216/52d81364/attachment.ksh 
>
> ------------------------------
>
> Message: 2
> Date: Thu, 17 Dec 2009 00:24:38 +0100
> From: Rene Engelhard <rene at debian.org>
> Subject: Re: [ooo-build] security fix for CVE-2009-3736
> To: ooo-build at lists.freedesktop.org
> Cc: securityteam at openoffice.org
> Message-ID: <20091216232438.GA21855 at rene-engelhard.de>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> On Wed, Dec 16, 2009 at 08:55:42PM -0200, Rafael Cabral wrote:
>> Do you know if there is some --with-system-libxmlsec available ?  We are  
>
> There isn't. There was one once, but it will not work ever unless
> the whole stuff is drastically changed. (Or you patch your xmlsec
> with all the intrusive changes OOo did on xmlsec). At least it got
> updated to a current upstream in 3.2, but still with an intrusive patch...
>
> If there was one, distros would already be using it, be sure :-)
>
>> dealing with the CVE-2009-3736 [1] that affects libltdl and which is  
>> bundled in the xmlsec. As far as I didn't find any option to link  
>> ooo-build 3.1.1 with a fixed system version I've adapted a patch our  
>> secteam has done to fix xmlsec 1.2.10 based on [2].
>
> OOo builds do *not* use --enable-crypto_dl for xmlsec.
> So no ltdl usage afaics -> not affected.
>
>> The patch (xmlsec-CVE-2009-3736.diff) appends the fix in the  
>> ./libxmlsec/xmlsec1-1.2.6.patch to be properly applied.
>
> Yes, that's the correct way if you want to fix it, but as said it's probably
> not needed anyway.
>
> In any case, you should have talked with the OOo security team, I Cc them
> for reference...
>
>> diff -p -up ./libxmlsec/xmlsec1-1.2.6.patch.orig_ ./libxmlsec/xmlsec1-1.2.6.patch
>> --- ./libxmlsec/xmlsec1-1.2.6.patch.orig_	2009-12-16 15:18:47.000000000 -0500
>> +++ ./libxmlsec/xmlsec1-1.2.6.patch	2009-12-16 15:22:24.000000000 -0500
>> @@ -15361,3 +15361,183 @@
>>   XMLSEC_NSS_ALIBS    	= smime3.lib ssl3.lib nss3.lib libnspr4_s.lib libplds4_s.lib libplc4_s.lib kernel32.lib user32.lib gdi32.lib
>>   
>>   XMLSEC_MSCRYPTO_SOLIBS  = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib
>> +diff -p -up xmlsec1-1.2.10/src/ltdl.c.ltdl xmlsec1-1.2.10/src/ltdl.c
>> +--- misc/xmlsec1-1.2.6/src/ltdl.c.ltdl	2003-09-11 19:40:14.000000000 -0400
>> ++++ misc/build/xmlsec1-1.2.6/src/ltdl.c	2009-11-26 15:23:46.000000000 -0500
>> +@@ -1426,9 +1426,10 @@ lt_dlexit ()
>> + }
>> + 
>> + static int
>> +-tryall_dlopen (handle, filename)
>> ++tryall_dlopen (handle, filename, useloader)
>> +      lt_dlhandle *handle;
>> +      const char *filename;
>> ++     const char *useloader;
>> + {
>> +   lt_dlhandle	 cur;
>> +   lt_dlloader   *loader;
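Review bot: the `diff -p -up xmlsec1-1.2.10/src/ltdl.c.ltdl xmlsec1-1.2.10/src/ltdl.c` line at the top of this region names version 1.2.10, while the `---`/`+++` lines directly under it name `misc/xmlsec1-1.2.6/src/ltdl.c.ltdl` and `misc/build/xmlsec1-1.2.6/src/ltdl.c`. GNU patch takes the file names from the `---`/`+++` lines and ignores the `diff` command line, so this will still apply, but since the whole block is being appended to xmlsec1-1.2.6.patch the stale 1.2.10 reference should be corrected to 1.2.6 so the patch file stays self-consistent and later readers are not misled about which tree the hunks were taken against.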
>> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
>> + 
>> +   while (loader)
>> +     {
>> ++      if (useloader && strcmp(loader->loader_name, useloader))
>> ++	{
>> ++	  loader = loader->next;
>> ++	  continue;
>> ++	}
>> +       lt_user_data data = loader->dlloader_data;
>> + 
>> +       cur->module = loader->module_open (data, filename);
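Review bot: the inserted `if (useloader && strcmp(loader->loader_name, useloader)) { loader = loader->next; continue; }` block is placed before the declaration `lt_user_data data = loader->dlloader_data;`, so the loop body is now a statement followed by a declaration. That is legal C99 but not C89/C90, and this same patch file carries the Windows build fragment (see the `XMLSEC_MSCRYPTO_SOLIBS` context lines above), where the MSVC C compiler rejects declarations after statements. Either move the `lt_user_data data = ...;` line above the new `if`, or declare `lt_user_data data;` at the top of the loop body and assign it after the loader-name check.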
>> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
>> +   /* try to open the old library first; if it was dlpreopened,
>> +      we want the preopened version of it, even if a dlopenable
>> +      module is available */
>> +-  if (old_name && tryall_dlopen(handle, old_name) == 0)
>> ++  if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
>> +     {
>> +       return 0;
>> +     }
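Review bot: the `"dlpreload"` literal passed for the `old_name` lookup has to match, byte for byte, the `loader_name` under which the preload loader is registered elsewhere in ltdl.c; that registration is not part of this hunk, so please confirm the exact string. A mismatch fails silently: the new `strcmp` check skips every loader, `tryall_dlopen` returns non-zero, and `find_module` falls through to the file-system search in the hunks below, which is exactly the "dlopenable module instead of the preopened one" outcome that the comment in this hunk says must be avoided.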
>> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
>> + 	    }
>> + 
>> + 	  sprintf (filename, "%s/%s", libdir, dlname);
>> +-	  error = (tryall_dlopen (handle, filename) != 0);
>> ++	  error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + 	  LT_DLFREE (filename);
>> + 
>> + 	  if (!error)
>> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
>> + 	  strcat(filename, objdir);
>> + 	  strcat(filename, dlname);
>> + 
>> +-	  error = tryall_dlopen (handle, filename) != 0;
>> ++	  error = tryall_dlopen (handle, filename, NULL) != 0;
>> + 	  LT_DLFREE (filename);
>> + 	  if (!error)
>> + 	    {
>> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
>> + 	  }
>> + 	strcat(filename, dlname);
>> + 
>> +-	error = (tryall_dlopen (handle, filename) != 0);
>> ++	error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + 	LT_DLFREE (filename);
>> + 	if (!error)
>> + 	  {
>> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir, 
>> +       strcpy(filename+lendir, basename);
>> +       if (handle)
>> + 	{
>> +-	  if (tryall_dlopen (handle, filename) == 0)
>> ++	  if (tryall_dlopen (handle, filename, NULL) == 0)
>> + 	    {
>> + 	      result = (lt_ptr) handle;
>> + 	      goto cleanup;
>> +@@ -2032,7 +2038,7 @@ lt_dlopen (filename)
>> +       /* lt_dlclose()ing yourself is very bad!  Disallow it.  */
>> +       LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
>> + 
>> +-      if (tryall_dlopen (&newhandle, 0) != 0)
>> ++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
>> + 	{
>> + 	  LT_DLFREE (handle);
>> + 	  return 0;
>> +@@ -2324,7 +2330,7 @@ lt_dlopen (filename)
>> + #ifdef LTDL_SYSSEARCHPATH
>> + 		   && !find_file (basename, sys_search_path, 0, &newhandle)
>> + #endif
>> +-		   )) && tryall_dlopen (&newhandle, filename))
>> ++		   )) && tryall_dlopen (&newhandle, filename, NULL))
>> + 	{
>> + 	  LT_DLFREE (handle);
>> + 	  goto cleanup;
>> +diff -p -up xmlsec1-1.2.10/src/xmlsec-ltdl.c.ltdl xmlsec1-1.2.10/src/xmlsec-ltdl.c
>> +--- misc/xmlsec1-1.2.6/src/xmlsec-ltdl.c.ltdl	2006-06-12 16:15:08.000000000 -0400
>> ++++ misc/build/xmlsec1-1.2.6/src/xmlsec-ltdl.c	2009-11-26 15:25:33.000000000 -0500
>> +@@ -1426,9 +1426,10 @@ xmlsec_lt_dlexit ()
>> + }
>> + 
>> + static int
>> +-tryall_dlopen (handle, filename)
>> ++tryall_dlopen (handle, filename, useloader)
>> +      xmlsec_lt_dlhandle *handle;
>> +      const char *filename;
>> ++     const char *useloader;
>> + {
>> +   xmlsec_lt_dlhandle	 cur;
>> +   xmlsec_lt_dlloader   *loader;
>> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
>> + 
>> +   while (loader)
>> +     {
>> ++      if (useloader && strcmp(loader->loader_name, useloader))
>> ++	{
>> ++	  loader = loader->next;
>> ++	  continue;
>> ++	}
>> +       xmlsec_lt_user_data data = loader->dlloader_data;
>> + 
>> +       cur->module = loader->module_open (data, filename);
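Review bot: this copy repeats the ltdl.c change under the `xmlsec_lt_` prefixes, which is correct since the tree compiles both files, but it carries the same ordering problem: the inserted `if`/`continue` block lands before the `xmlsec_lt_user_data data = loader->dlloader_data;` declaration, which C89-only compilers such as MSVC in C mode reject. Move the declaration above the new check (or declare `data` at the top of the loop body) here as well.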
>> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
>> +   /* try to open the old library first; if it was dlpreopened,
>> +      we want the preopened version of it, even if a dlopenable
>> +      module is available */
>> +-  if (old_name && tryall_dlopen(handle, old_name) == 0)
>> ++  if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
>> +     {
>> +       return 0;
>> +     }
>> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
>> + 	    }
>> + 
>> + 	  sprintf (filename, "%s/%s", libdir, dlname);
>> +-	  error = (tryall_dlopen (handle, filename) != 0);
>> ++	  error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + 	  LT_DLFREE (filename);
>> + 
>> + 	  if (!error)
>> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
>> + 	  strcat(filename, objdir);
>> + 	  strcat(filename, dlname);
>> + 
>> +-	  error = tryall_dlopen (handle, filename) != 0;
>> ++	  error = tryall_dlopen (handle, filename, NULL) != 0;
>> + 	  LT_DLFREE (filename);
>> + 	  if (!error)
>> + 	    {
>> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
>> + 	  }
>> + 	strcat(filename, dlname);
>> + 
>> +-	error = (tryall_dlopen (handle, filename) != 0);
>> ++	error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + 	LT_DLFREE (filename);
>> + 	if (!error)
>> + 	  {
>> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir, 
>> +       strcpy(filename+lendir, basename);
>> +       if (handle)
>> + 	{
>> +-	  if (tryall_dlopen (handle, filename) == 0)
>> ++	  if (tryall_dlopen (handle, filename, NULL) == 0)
>> + 	    {
>> + 	      result = (xmlsec_lt_ptr) handle;
>> + 	      goto cleanup;
>> +@@ -2032,7 +2038,7 @@ xmlsec_lt_dlopen (filename)
>> +       /* xmlsec_lt_dlclose()ing yourself is very bad!  Disallow it.  */
>> +       LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
>> + 
>> +-      if (tryall_dlopen (&newhandle, 0) != 0)
>> ++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
>> + 	{
>> + 	  LT_DLFREE (handle);
>> + 	  return 0;
>> +@@ -2324,7 +2330,7 @@ xmlsec_lt_dlopen (filename)
>> + #ifdef LTDL_SYSSEARCHPATH
>> + 		   && !find_file (basename, sys_search_path, 0, &newhandle)
>> + #endif
>> +-		   )) && tryall_dlopen (&newhandle, filename))
>> ++		   )) && tryall_dlopen (&newhandle, filename, NULL))
>> + 	{
>> + 	  LT_DLFREE (handle);
>> + 	  goto cleanup;
>
> Grüße/Regards,
>
> Rene
>   

-- 
Kind regards,

Stewart Mackenzie / Kuehne + Nagel / Hkg RI-ED

Tel: (+852) 2864 5039
Fax: (+852) 2823 7127



