[ooo-build] ooo-build Digest, Vol 7, Issue 10
Mackenzie, Stewart / Kuehne + Nagel / Hkg RI-ED
Stewart.Mackenzie at kuehne-nagel.com
Thu Dec 17 17:04:07 PST 2009
Yes, you're right, there were two missing! Just recently moved workspaces.
ooo-build-request at lists.freedesktop.org wrote:
> Send ooo-build mailing list submissions to
> ooo-build at lists.freedesktop.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freedesktop.org/mailman/listinfo/ooo-build
> or, via email, send a message with subject or body 'help' to
> ooo-build-request at lists.freedesktop.org
>
> You can reach the person managing the list at
> ooo-build-owner at lists.freedesktop.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ooo-build digest..."
>
>
> Today's Topics:
>
> 1. security fix for CVE-2009-3736 (Rafael Cabral)
> 2. Re: security fix for CVE-2009-3736 (Rene Engelhard)
> 3. Re: security fix for CVE-2009-3736 (Rene Engelhard)
> 4. Re: Building OOo without webdav (Davide Dozza)
> 5. REMINDER: Release 3.2-rc1 from ooo-build master (Petr Mladek)
> 6. Re: Building OOo without webdav (Petr Mladek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 16 Dec 2009 20:55:42 -0200
> From: Rafael Cabral <cabral at mandriva.com>
> Subject: [ooo-build] security fix for CVE-2009-3736
> To: ooo-build at lists.freedesktop.org
> Message-ID: <4B29656E.7050102 at mandriva.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Do you know if there is some --with-system-libxmlsec available? We are
> dealing with the CVE-2009-3736 [1] that affects libltdl and which is
> bundled in the xmlsec. As I didn't find any option to link
> ooo-build 3.1.1 with a fixed system version, I've adapted a patch our
> secteam has done to fix xmlsec 1.2.10 based on [2].
>
> The patch (xmlsec-CVE-2009-3736.diff) appends the fix in the
> ./libxmlsec/xmlsec1-1.2.6.patch to be properly applied.
>
> 1 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
> 2 - http://lists.gnu.org/archive/html/libtool/2009-11/msg00065.html
>
> tks
> Rafael Cabral
> Mandriva
>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: xmlsec-CVE-2009-3736.diff
> Url: http://lists.freedesktop.org/archives/ooo-build/attachments/20091216/52d81364/attachment.ksh
>
> ------------------------------
>
> Message: 2
> Date: Thu, 17 Dec 2009 00:24:38 +0100
> From: Rene Engelhard <rene at debian.org>
> Subject: Re: [ooo-build] security fix for CVE-2009-3736
> To: ooo-build at lists.freedesktop.org
> Cc: securityteam at openoffice.org
> Message-ID: <20091216232438.GA21855 at rene-engelhard.de>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> On Wed, Dec 16, 2009 at 08:55:42PM -0200, Rafael Cabral wrote:
>
>> Do you know if there is some --with-system-libxmlsec available ? We are
>>
>
> There isn't. There was one once, but it will not work ever unless
> the whole stuff is drastically changed. (Or you patch your xmlsec
> with all the intrusive changes OOo did on xmlsec). At least it got
> updated to a current upstream in 3.2, but still with an intrusive patch...
>
> If there was one, distros would already be using it, be sure :-)
>
>
>> dealing with the CVE-2009-3736 [1] that affects libltdl and which is
>> bundled in the xmlsec. As I didn't find any option to link
>> ooo-build 3.1.1 with a fixed system version, I've adapted a patch our
>> secteam has done to fix xmlsec 1.2.10 based on [2].
>>
>
> OOo builds do *not* use --enable-crypto_dl for xmlsec.
> So no ltdl usage afaics -> not affected.
>
>
>> The patch (xmlsec-CVE-2009-3736.diff) appends the fix in the
>> ./libxmlsec/xmlsec1-1.2.6.patch to be properly applied.
>>
>
> Yes, that's the correct way if you want to fix it, but as said it's probably
> not needed anyway.
>
> In any case, you should have talked with the OOo security team; I've Cc'd them
> for reference...
>
>
>> diff -p -up ./libxmlsec/xmlsec1-1.2.6.patch.orig_ ./libxmlsec/xmlsec1-1.2.6.patch
>> --- ./libxmlsec/xmlsec1-1.2.6.patch.orig_ 2009-12-16 15:18:47.000000000 -0500
>> +++ ./libxmlsec/xmlsec1-1.2.6.patch 2009-12-16 15:22:24.000000000 -0500
>> @@ -15361,3 +15361,183 @@
>> XMLSEC_NSS_ALIBS = smime3.lib ssl3.lib nss3.lib libnspr4_s.lib libplds4_s.lib libplc4_s.lib kernel32.lib user32.lib gdi32.lib
>>
>> XMLSEC_MSCRYPTO_SOLIBS = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib
>> +diff -p -up xmlsec1-1.2.10/src/ltdl.c.ltdl xmlsec1-1.2.10/src/ltdl.c
>> +--- misc/xmlsec1-1.2.6/src/ltdl.c.ltdl 2003-09-11 19:40:14.000000000 -0400
>> ++++ misc/build/xmlsec1-1.2.6/src/ltdl.c 2009-11-26 15:23:46.000000000 -0500
>> +@@ -1426,9 +1426,10 @@ lt_dlexit ()
>> + }
>> +
>> + static int
>> +-tryall_dlopen (handle, filename)
>> ++tryall_dlopen (handle, filename, useloader)
>> + lt_dlhandle *handle;
>> + const char *filename;
>> ++ const char *useloader;
>> + {
>> + lt_dlhandle cur;
>> + lt_dlloader *loader;
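Review bot: the nested diff header names xmlsec1-1.2.10/src/ltdl.c while the `---`/`+++` lines name misc/xmlsec1-1.2.6/src/ltdl.c.ltdl and misc/build/xmlsec1-1.2.6/src/ltdl.c; patch(1) only looks at the file lines, but anyone checking which xmlsec version the hunk was lifted from will trip over the mismatch, so make all three lines agree with the misc/ paths the rest of xmlsec1-1.2.6.patch uses. Since tryall_dlopen() is static and declared K&R-style here, also confirm that no forward declaration earlier in ltdl.c still carries the two-argument form, because the hunk only updates the definition.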
>> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
>> +
>> + while (loader)
>> + {
>> ++ if (useloader && strcmp(loader->loader_name, useloader))
>> ++ {
>> ++ loader = loader->next;
>> ++ continue;
>> ++ }
>> + lt_user_data data = loader->dlloader_data;
>> +
>> + cur->module = loader->module_open (data, filename);
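Review bot: the filter compares loader->loader_name with an exact strcmp() against whatever useloader the caller passes, and the only non-NULL value passed in this patch is the literal "dlpreload" in find_module(); a short comment here, or a named constant shared with that call site, would make the coupling to the registered loader name explicit so a later rename does not silently make old_name lookups fail. It is also worth confirming that every registered loader has a non-NULL loader_name, since strcmp() on a NULL name would crash inside the loop.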
>> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
>> + /* try to open the old library first; if it was dlpreopened,
>> + we want the preopened version of it, even if a dlopenable
>> + module is available */
>> +- if (old_name && tryall_dlopen(handle, old_name) == 0)
>> ++ if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
>> + {
>> + return 0;
>> + }
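Review bot: this is the call that actually addresses the CVE named in the thread: restricting old_name (the archive named by the .la file) to the "dlpreload" loader means the other loaders in the list are skipped for that name. The existing comment above it still reads as if falling through to a dlopenable module were acceptable; extend it to say that non-preloaded loaders are deliberately excluded for old_name, so the "dlpreload" argument is not "fixed" back to NULL in a future cleanup.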
>> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
>> + }
>> +
>> + sprintf (filename, "%s/%s", libdir, dlname);
>> +- error = (tryall_dlopen (handle, filename) != 0);
>> ++ error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + LT_DLFREE (filename);
>> +
>> + if (!error)
>> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
>> + strcat(filename, objdir);
>> + strcat(filename, dlname);
>> +
>> +- error = tryall_dlopen (handle, filename) != 0;
>> ++ error = tryall_dlopen (handle, filename, NULL) != 0;
>> + LT_DLFREE (filename);
>> + if (!error)
>> + {
>> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
>> + }
>> + strcat(filename, dlname);
>> +
>> +- error = (tryall_dlopen (handle, filename) != 0);
>> ++ error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + LT_DLFREE (filename);
>> + if (!error)
>> + {
>> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir,
>> + strcpy(filename+lendir, basename);
>> + if (handle)
>> + {
>> +- if (tryall_dlopen (handle, filename) == 0)
>> ++ if (tryall_dlopen (handle, filename, NULL) == 0)
>> + {
>> + result = (lt_ptr) handle;
>> + goto cleanup;
>> +@@ -2032,7 +2038,7 @@ lt_dlopen (filename)
>> + /* lt_dlclose()ing yourself is very bad! Disallow it. */
>> + LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
>> +
>> +- if (tryall_dlopen (&newhandle, 0) != 0)
>> ++ if (tryall_dlopen (&newhandle, 0, NULL) != 0)
>> + {
>> + LT_DLFREE (handle);
>> + return 0;
>> +@@ -2324,7 +2330,7 @@ lt_dlopen (filename)
>> + #ifdef LTDL_SYSSEARCHPATH
>> + && !find_file (basename, sys_search_path, 0, &newhandle)
>> + #endif
>> +- )) && tryall_dlopen (&newhandle, filename))
>> ++ )) && tryall_dlopen (&newhandle, filename, NULL))
>> + {
>> + LT_DLFREE (handle);
>> + goto cleanup;
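Review bot: the NULL here leaves the final fallback unchanged: a bare filename that none of the search-path lookups above resolved is still handed to every loader in turn. If that is intended, with the fix scoped to old_name only, say so in the patch description, because this is the second place a reader will expect the CVE fix to touch.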
>> +diff -p -up xmlsec1-1.2.10/src/xmlsec-ltdl.c.ltdl xmlsec1-1.2.10/src/xmlsec-ltdl.c
>> +--- misc/xmlsec1-1.2.6/src/xmlsec-ltdl.c.ltdl 2006-06-12 16:15:08.000000000 -0400
>> ++++ misc/build/xmlsec1-1.2.6/src/xmlsec-ltdl.c 2009-11-26 15:25:33.000000000 -0500
>> +@@ -1426,9 +1426,10 @@ xmlsec_lt_dlexit ()
>> + }
>> +
>> + static int
>> +-tryall_dlopen (handle, filename)
>> ++tryall_dlopen (handle, filename, useloader)
>> + xmlsec_lt_dlhandle *handle;
>> + const char *filename;
>> ++ const char *useloader;
>> + {
>> + xmlsec_lt_dlhandle cur;
>> + xmlsec_lt_dlloader *loader;
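Review bot: xmlsec-ltdl.c receives hunk-for-hunk the same change as ltdl.c at identical offsets, with the same xmlsec1-1.2.10 header against misc/xmlsec1-1.2.6 file lines. Since the two embedded copies of ltdl have to stay in lock-step, the patch description should state that both are fixed, so a later refresh of ltdl.c does not leave xmlsec-ltdl.c carrying the old two-argument tryall_dlopen().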
>> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
>> +
>> + while (loader)
>> + {
>> ++ if (useloader && strcmp(loader->loader_name, useloader))
>> ++ {
>> ++ loader = loader->next;
>> ++ continue;
>> ++ }
>> + xmlsec_lt_user_data data = loader->dlloader_data;
>> +
>> + cur->module = loader->module_open (data, filename);
>> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
>> + /* try to open the old library first; if it was dlpreopened,
>> + we want the preopened version of it, even if a dlopenable
>> + module is available */
>> +- if (old_name && tryall_dlopen(handle, old_name) == 0)
>> ++ if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
>> + {
>> + return 0;
>> + }
>> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
>> + }
>> +
>> + sprintf (filename, "%s/%s", libdir, dlname);
>> +- error = (tryall_dlopen (handle, filename) != 0);
>> ++ error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + LT_DLFREE (filename);
>> +
>> + if (!error)
>> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
>> + strcat(filename, objdir);
>> + strcat(filename, dlname);
>> +
>> +- error = tryall_dlopen (handle, filename) != 0;
>> ++ error = tryall_dlopen (handle, filename, NULL) != 0;
>> + LT_DLFREE (filename);
>> + if (!error)
>> + {
>> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
>> + }
>> + strcat(filename, dlname);
>> +
>> +- error = (tryall_dlopen (handle, filename) != 0);
>> ++ error = (tryall_dlopen (handle, filename, NULL) != 0);
>> + LT_DLFREE (filename);
>> + if (!error)
>> + {
>> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir,
>> + strcpy(filename+lendir, basename);
>> + if (handle)
>> + {
>> +- if (tryall_dlopen (handle, filename) == 0)
>> ++ if (tryall_dlopen (handle, filename, NULL) == 0)
>> + {
>> + result = (xmlsec_lt_ptr) handle;
>> + goto cleanup;
>> +@@ -2032,7 +2038,7 @@ xmlsec_lt_dlopen (filename)
>> + /* xmlsec_lt_dlclose()ing yourself is very bad! Disallow it. */
>> + LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
>> +
>> +- if (tryall_dlopen (&newhandle, 0) != 0)
>> ++ if (tryall_dlopen (&newhandle, 0, NULL) != 0)
>> + {
>> + LT_DLFREE (handle);
>> + return 0;
>> +@@ -2324,7 +2330,7 @@ xmlsec_lt_dlopen (filename)
>> + #ifdef LTDL_SYSSEARCHPATH
>> + && !find_file (basename, sys_search_path, 0, &newhandle)
>> + #endif
>> +- )) && tryall_dlopen (&newhandle, filename))
>> ++ )) && tryall_dlopen (&newhandle, filename, NULL))
>> + {
>> + LT_DLFREE (handle);
>> + goto cleanup;
>>
>
> Grüße/Regards,
>
> Rene
>
--
Kind regards,
Stewart Mackenzie / Kuehne + Nagel / Hkg RI-ED
Tel: (+852) 2864 5039
Fax: (+852) 2823 7127
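As an added example (not part of this thread, Rafael's patch, or the OOo/xmlsec build system), the following shell script checks the two things Rene's reply turns on: whether the bundled xmlsec was configured with --enable-crypto_dl, and whether any built object actually references the ltdl entry points. It assumes that xmlsec's configure records --enable-crypto_dl as XMLSEC_DL_LIBLTDL in its generated config.h (an assumption, marked in the code), and it scans binaries with plain grep -a, since dynamic symbol names are stored as text: a hit on lt_dlopen or xmlsec_lt_dlopen is evidence of ltdl use, while no hit on a stripped binary is not proof of absence. The sample files used for the check are constructed, not taken from a real build.

```shell
#!/bin/sh
# Added example, not from the ooo-build thread or the xmlsec project.
# Looks for signs that a built xmlsec / OOo tree can reach libltdl,
# which is what decides exposure to the CVE-2009-3736 fix above.

# Returns 0 if FILE defines XMLSEC_DL_LIBLTDL.
# Assumption: this is the config.h macro that xmlsec's
# --enable-crypto_dl switches on; adjust if your tree differs.
crypto_dl_enabled() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+XMLSEC_DL_LIBLTDL([[:space:]]|$)' "$1"
}

# Returns 0 if FILE contains an ltdl entry-point name in its bytes.
# Symbol names live as plain text in .dynstr/.strtab, so grep -a works
# without binutils. No hit on a stripped binary proves nothing.
refs_ltdl() {
    grep -a -q -e 'lt_dlopen' -e 'lt_dlsym' "$1"
}

# Walks TREE, prints one line per finding, returns 0 if anything was
# found and 1 if the tree looks clean. Paths with spaces are not handled.
scan_tree() {
    found=1
    for cfg in $(find "$1" -name config.h 2>/dev/null); do
        if crypto_dl_enabled "$cfg"; then
            echo "crypto_dl enabled: $cfg"
            found=0
        fi
    done
    for obj in $(find "$1" \( -name '*.so' -o -name '*.so.*' -o -name '*.a' \) 2>/dev/null); do
        if refs_ltdl "$obj"; then
            echo "references ltdl: $obj"
            found=0
        fi
    done
    return $found
}

# Usage: sh check-ltdl.sh /path/to/ooo-build/tree
if [ -n "$1" ]; then
    scan_tree "$1"
fi
```

If scan_tree reports nothing, the build matches Rene's description (no --enable-crypto_dl, no ltdl references) and the patch is belt-and-braces; if it reports a config.h hit, the embedded ltdl is compiled in and the fix is needed regardless of what the binaries show.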