Re: [PATCH 0/6] Libreoffice CVE and update

[Leo Famulari]

On Mon, Mar 07, 2016 at 10:03:17PM +0200, Efraim Flashner wrote:
> On Mon,  7 Mar 2016 12:42:01 +0200
> Efraim Flashner <address@hidden> wrote:
> 
> > Now that vigra is building again, I've put together a patch to update
> > libreoffice to address CVE-2016-0794 and CVE-2016-0795. Currently its
> > building on my machine, but hydra says the last successful build took
> > 7 hours and I'm currently ~5.5 into my build, but I'm expecting close
> > to 20 hours for a complete build. So in addition to checking over the
> > patches (notably liblangtag which is new, mdds which has a second version
> > and libreoffice with several changes), if someone with a fast computer
> > wants to see if they can finish building before me that'd be great.
> > 
> > Efraim Flashner (6):
> >   gnu: Add liblangtag.
> >   gnu: mdds: Update to 1.1.0.
> >   gnu: orcus: Update to 0.11.0.
> >   gnu: ixion: Update to 0.11.0.
> >   gnu: libetonyek: Update to 0.1.6.
> >   gnu: libreoffice: Update to 5.1.1.3. [Fixes CVE-2016-{0794, 0795}].
> > 
> >  gnu/packages/boost.scm       | 26 +++++++++++++----
> >  gnu/packages/libreoffice.scm | 67 
> > ++++++++++++++++++++++++++++++++++----------
> >  2 files changed, 73 insertions(+), 20 deletions(-)
> > 
> 
> It turns out libreoffice fails to build with this patch set. After discussing
> it with Andreas and Leo on irc we've decided on trying 5.0.5.2 as per
> https://www.libreoffice.org/about-us/security/advisories/cve-2016-0795/ and
> we'll work on the rest later.

Updated to 5.0.5.2 with commit 165e0382b.

> 
> If anyone wants to work on the update now, mdds stays at 0.12.2, orcus to
> 0.9.2, ixion to 0.9.1, and that's a good starting point.
> 
> -- 
> Efraim Flashner   <address@hidden>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted