bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]

[Marius Bakke]

[the café I'm at is blocking outgoing email, so resending through a browser]

On Sun, Feb 11, 2018, at 1:27 AM, Marius Bakke wrote:
> 
> 
> On February 10, 2018 10:49:52 PM GMT+01:00, Leo Famulari 
> <address@hidden> wrote:
> >I'm trying to update LibreOffice to 5.4.5.1.
> >
> >This version of LibreOffice requires cppunit to be updated to 1.14.0.
> >
> >However, this new version of cppunit requires C++11.
> >
> >This is not the default C++ standard in GCC 5, so this update requires
> >sprinkling "CXXFLAGS=-std=c++11" across several packages, AFAICT.
> 
> Could we package the newer version separately and override CXXFLAGS for 
> libreoffice only?

I gave this a go, and there were (of course) a lot more changes
necessary to make this newer libreoffice build.  In particular, it now
works with an external xmlsec (albeit NSS only), and it wants to build
PDFium(!) in the same fashion as xmlsec was previously.

However PDFium fails to build due to requiring newer C++ features, and
my attempts at patching "external/pdfium/Library_pdfium.mk" to add
CXXFLAGS were unsuccessful.  So in the end I disabled PDFium support.

It also required libjpeg-turbo instead of libjpeg, although this is
supposedly fixed in 6.0.1:
<https://bugs.documentfoundation.org/show_bug.cgi?id=115416>.

Then there were some other problems related to not finding GPGME
headers, as well as an upstream regression when GTK2 support is
disabled.

Without further ado, here is the patch.  I'm still building it, but plan
to push shortly if there are no further issues.

0001-gnu-libreoffice-Update-to-5.4.5.1-CVE-2018-6871.patch
Description: Text Data