Posted to issues@openoffice.apache.org by bu...@apache.org on 2016/03/28 06:35:51 UTC

[Issue 126893] New: bundled libxml2 version 2.7.8 has many security vulnerabilities

https://bz.apache.org/ooo/show_bug.cgi?id=126893

          Issue ID: 126893
        Issue Type: DEFECT
           Summary: bundled libxml2 version 2.7.8 has many security
                    vulnerabilities
           Product: Build Tools
           Version: 4.2.0-dev
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: Normal
          Priority: P5 (lowest)
         Component: external prerequisites
          Assignee: issues@openoffice.apache.org
          Reporter: truckman@apache.org

Created attachment 85370
  --> https://bz.apache.org/ooo/attachment.cgi?id=85370&action=edit
patch to upgrade bundled libxml2 to version 2.9.3 and libxslt to version 1.1.28

The libxml2-2.7.8 software bundled with OpenOffice has these security
vulnerabilities:
    CVE-2011-3202
    CVE-2011-3919
    CVE-2013-0338
    CVE-2013-0339
    CVE-2013-2877
    CVE-2014-0191
    CVE-2014-3660
    CVE-2015-1819
    CVE-2015-5312
    CVE-2015-7497
    CVE-2015-7498
    CVE-2015-7499
    CVE-2015-7500
    CVE-2015-7941
    CVE-2015-7942
    CVE-2015-8035
    CVE-2015-8241
    CVE-2015-8242

The attached patch upgrades libxml2 to version 2.9.3 which has no
publicly disclosed vulnerabilities at this time.  The closely
related libxslt is also upgraded from 1.1.26 to 1.1.28, and
the libxslt-CVE-2015-7995.patch to fix CVE-2015-7995 is imported
from the FreeBSD port, which appears to have cherry picked it
from upstream.

The libxml2-configure.patch file was rebased to the new version
of libxml2.  The freebsd-elf change to ltmain.sh was no longer
necessary and was eliminated from the patch.  The fixes in
libxml2-fixes.patch were either fixed upstream or don't seem
to apply anymore, so this patch file was deleted.  The fixes in
libxml2-testapi.patch and libxml2-runtest.patch are now in
the upstream source, so these patch files have been deleted.
The libxml2-mingw.patch and Solaris-specific
libxml2-global-symbols.patch were not updated and were
disconnected from the build.  Several of the fixes in
libxml2-long-path.patch are now fixed upstream.

The libxslt-configure.patch was rebased to the new version of
libxslt, with the libtool-related changes coming from the
libxslt port to FreeBSD. The fixes in libxslt-bsd.patch are
now present in the upstream source, so this patch was deleted.

-- 
You are receiving this mail because:
You are the assignee for the issue.

[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

Don Lewis <tr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|CONFIRMED                   |RESOLVED

--- Comment #17 from Don Lewis <tr...@apache.org> ---
The Windows build was successful.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #9 from Don Lewis <tr...@apache.org> ---
That should be librt ... or maybe not.  I managed to get cygwin installed on a
Windows machine here and it includes clock_gettime() in libc.

Something that concerned me about adding a new library as a dependency is that
we would need to make sure that it got bundled into the installation archive. 
It appears that the cygwin libraries are all static libraries, and my
understanding is that those can't be used when building .dlls, which makes
sense to me.  In that case, either cygwin1.dll or the mingw runtime would be
used.  I see no evidence of the latter, and if I run ldd on libxslt.dll on an
existing OpenOffice Windows installation, I don't see any sign that it is
linked to cygwin1.dll.  Also if we were using cygwin1.dll, then we would need
to bundle a copy and I don't see any sign of that.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #13 from Kay <ks...@apache.org> ---
(In reply to Don Lewis from comment #12)
> Created attachment 85573 [details]
> patch to upgrade bundled libxml2 to version 2.9.3 and libxslt to version
> 1.1.28  #2
> 
> I was able to get a successful build on Ubuntu 12 with this revised patch.

OK. YAY! Successful build for me with this also. I think we need a Windows
clean build before committing this one all things considered. 

Thanks a bunch for this patch! Nice work.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #8 from Kay <ks...@apache.org> ---
A short update. In looking again at the libxslt config output, it did find an
acceptable library for clock_gettime. It seems the build, of libxslt, went bad
in building xsltproc so I'm trying to track this down.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #4 from Kay <ks...@apache.org> ---
Ditto for me on both counts -- clean checkout, and svn patch. I will let you
know build and test results soonish.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #16 from SVN Robot <sv...@dev.null.org> ---
"truckman" committed SVN revision 1748497 into trunk:
#i126893#: Upgrade bundled libxml2 version to 2.9.3 and libxslt to 1.1.28


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #7 from Kay <ks...@apache.org> ---
(In reply to Don Lewis from comment #6)
> The libxslt configure script checks for the presence of clock_gettime() and
> if it sees that the system has it, it appears to add -lrt to the linker
> flags (if needed, I think).  On *nix, this should cause the shared library
> to be built with a dependency on the librt shared library, so anything that
> links to libxslt would then get librt pulled in as well.  I don't know
> if linking on Windows works the same way.
> 
> It doesn't look like clock_gettime() is vital.  There is a fallback to
> gettimeofday(), and a further fallback to a no-op if that isn't found.  This
> is all part of some sort of profiling code that we probably don't care about
> anyway.
> 
> It looks like it should be possible to disable clock_gettime() by passing
> ac_cv_func_clock_gettime=no to libxslt's configure script.  I think that can
> be done by editing main/libxslt/makefile.mk and adding it to this line:
> 
> CONFIGURE_FLAGS=--without-crypto --without-python --enable-static=no
> --build=i586-pc-mingw32 --host=i586-pc-mingw32 CC="$(xslt_CC)"
> CFLAGS="$(xslt_CFLAGS)" LDFLAGS="-no-undefined
> -Wl,--enable-runtime-pseudo-reloc-v2 -L$(ILIB:s/;/ -L/)" LIBS="$(xslt_LIBS)"
> LIBXML2LIB=$(LIBXML2LIB) OBJDUMP=objdump

Thanks for the tips. I will look further into this soon. I am currently building
on CentOS 6.8, 32-bit. But, I do a non-product build which sets up some
additional debugging options. See: 
https://wiki.openoffice.org/wiki/Non_Product_Build

so maybe this had a bearing on dependency checking for me.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #3 from Don Lewis <tr...@apache.org> ---
Very strange ... svn patch now works fine with a clean checkout.  I'll try GNU
patch when I get a chance.  Also, I wonder if it could be a dos vs. unix line
ending mismatch.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

Kay <ks...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kschenk@apache.org


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

Don Lewis <tr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #85370|0                           |1
        is obsolete|                            |

--- Comment #12 from Don Lewis <tr...@apache.org> ---
Created attachment 85573
  --> https://bz.apache.org/ooo/attachment.cgi?id=85573&action=edit
patch to upgrade bundled libxml2 to version 2.9.3 and libxslt to version 1.1.28
 #2

I was able to get a successful build on Ubuntu 12 with this revised patch.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #6 from Don Lewis <tr...@apache.org> ---
The libxslt configure script checks for the presence of clock_gettime() and if
it sees that the system has it, it appears to add -lrt to the linker flags (if
needed, I think).  On *nix, this should cause the shared library to be built
with a dependency on the librt shared library, so anything that links to
libxslt would then get librt pulled in as well.  I don't know if linking
on Windows works the same way.

It doesn't look like clock_gettime() is vital.  There is a fallback to
gettimeofday(), and a further fallback to a no-op if that isn't found.  This is
all part of some sort of profiling code that we probably don't care about
anyway.

It looks like it should be possible to disable clock_gettime() by passing
ac_cv_func_clock_gettime=no to libxslt's configure script.  I think that can be
done by editing main/libxslt/makefile.mk and adding it to this line:

CONFIGURE_FLAGS=--without-crypto --without-python --enable-static=no
--build=i586-pc-mingw32 --host=i586-pc-mingw32 CC="$(xslt_CC)"
CFLAGS="$(xslt_CFLAGS)" LDFLAGS="-no-undefined
-Wl,--enable-runtime-pseudo-reloc-v2 -L$(ILIB:s/;/ -L/)" LIBS="$(xslt_LIBS)" 
LIBXML2LIB=$(LIBXML2LIB) OBJDUMP=objdump


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #5 from Kay <ks...@apache.org> ---
Well...my build tanked in l10ntools. :(

This uses libxslt which got patched, so maybe the cause? The final error is
kind of odd actually. "undefined symbol: clock_gettime" Do we need some
additional libraries included?

 Error section --

Making:    libhelplinker.so
g++ -Wl,-z,combreloc -Wl,-z,defs -Wl,-Bsymbolic-functions
-Wl,--dynamic-list-cpp-new -Wl,--dynamic-list-cpp-typeinfo
-Wl,--hash-style=both -Wl,-rpath,'$ORIGIN' -shared -L../../unxlngi6/lib
-L../lib -L/home/kschenk/AOO_source/openoffice/trunk/main/solenv/unxlngi6/lib
-L/home/kschenk/AOO_source/openoffice/trunk/main/solver/420/unxlngi6/lib
-L/home/kschenk/AOO_source/openoffice/trunk/main/solenv/unxlngi6/lib
-L/etc/alternatives/java_sdk_1.8.0/lib
-L/etc/alternatives/java_sdk_1.8.0/jre/lib/i386
-L/etc/alternatives/java_sdk_1.8.0/jre/lib/i386/client
-L/etc/alternatives/java_sdk_1.8.0/jre/lib/i386/native_threads -L/usr/lib
../../unxlngi6/slo/helplinker_version.o -o ../../unxlngi6/lib/libhelplinker.so
../../unxlngi6/slo/HelpLinker.o ../../unxlngi6/slo/HelpCompiler.o -luno_sal
-lxslt -lxml2 -lascii_expat_xmlparse -lexpat_xmltok -Wl,--as-needed -ldl
-lpthread -lm -Wl,--no-as-needed 
rm -f ../../unxlngi6/lib/check_libhelplinker.so
mv ../../unxlngi6/lib/libhelplinker.so
../../unxlngi6/lib/check_libhelplinker.so
/home/kschenk/AOO_source/openoffice/trunk/main/solenv/bin/checkdll.sh
-L../../unxlngi6/lib
-L/home/kschenk/AOO_source/openoffice/trunk/main/solver/420/unxlngi6/lib 
../../unxlngi6/lib/check_libhelplinker.so
Checking DLL ../../unxlngi6/lib/check_libhelplinker.so ...: ERROR:
/home/kschenk/AOO_source/openoffice/trunk/main/solver/420/unxlngi6/lib/libxslt.so.1:
undefined symbol: clock_gettime
dmake:  Error code 1, while making '../../unxlngi6/lib/libhelplinker.so'


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #14 from Don Lewis <tr...@apache.org> ---
I've got a Windows build in progress that I hope will complete in the next
couple of hours.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #10 from Don Lewis <tr...@apache.org> ---
If we're using the M$ toolchain, then it looks to me like libxslt should be
using win32/configure.js and not the normal configure script.  In that case it
shouldn't even be looking for clock_gettime().  Consider me puzzled ...


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #2 from Don Lewis <tr...@apache.org> ---
Hmn ... svn patch chokes pretty badly on this patch, but the FreeBSD patch
command likes it.

I see this comment in "svn help patch"

  Hint: If the patch file was created with Subversion, it will contain
        the number of a revision N the patch will cleanly apply to
        (look for lines like '--- foo/bar.txt        (revision N)').
        To avoid rejects, first update to the revision N using
        'svn update -r N', apply the patch, and then update back to the
        HEAD revision. This way, conflicts can be resolved interactively.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

Andrea Pescetti <pe...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pescetti@apache.org
   Target Milestone|---                         |4.2.0


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #11 from Don Lewis <tr...@apache.org> ---
Aha ... brain fog had me thinking you were building on Windows.

I set up an Ubuntu 12 VM and was able to reproduce the problem there.
What is interesting is that the config.log shows a link failure due to
clock_gettime() being undefined, but it goes ahead and sets the flag to use it
anyway!  configure has some code to check twice for the presence of
clock_gettime(), the second time linking with -lrt.  That probably should have
succeeded, but it looks like it didn't even try.

I think the proper approach is to disable the use of clock_gettime() since it
is a new requirement on the system that I don't think we need and it could
cause problems in generating one set of binaries that runs on multiple OS
releases.  Unfortunately my suggestion in #6 did not work. I'll continue to
work on this problem and update the patch when I have something that works.

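The link failure discussed in this thread (libxslt.so.1 referencing clock_gettime with no dependency on librt) can be caught before the final link by comparing a library's undefined symbols with what its NEEDED libraries export. The following is an added example, not code from the thread or from OpenOffice; the readelf/nm output and the export table are constructed samples, and the export table assumes an older glibc where clock_gettime is exported by librt.

```python
import re

# Constructed sample: `readelf -d libxslt.so.1` (no librt in the NEEDED list).
READELF_D = """\
 0x00000001 (NEEDED)                     Shared library: [libxml2.so.2]
 0x00000001 (NEEDED)                     Shared library: [libm.so.6]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000e (SONAME)                     Library soname: [libxslt.so.1]
"""

# Constructed sample: `nm -D --undefined-only libxslt.so.1`.
NM_UNDEF = """\
         w __gmon_start__
         U clock_gettime@GLIBC_2.2
         U gettimeofday@GLIBC_2.0
         U xmlFree
"""

# Constructed export table modelling an older glibc, where clock_gettime
# is exported by librt rather than libc (an assumption of this example).
EXPORTS = {
    "libc.so.6": {"gettimeofday", "malloc"},
    "libm.so.6": {"pow"},
    "libxml2.so.2": {"xmlFree"},
    "librt.so.1": {"clock_gettime"},
}


def needed_libs(readelf_out):
    """Return the DT_NEEDED sonames listed in `readelf -d` output."""
    return re.findall(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]", readelf_out)


def strong_undefined(nm_out):
    """Return strong ('U') undefined symbols with any @VERSION suffix removed."""
    syms = []
    for line in nm_out.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "U":  # weak 'w' refs may stay unresolved
            syms.append(fields[1].split("@", 1)[0])
    return syms


def unresolved(readelf_out, nm_out, exports):
    """Map each symbol no NEEDED library exports to the libraries that would."""
    needed = needed_libs(readelf_out)
    available = set().union(*(exports.get(lib, set()) for lib in needed))
    report = {}
    for sym in strong_undefined(nm_out):
        if sym not in available:
            report[sym] = sorted(lib for lib, s in exports.items() if sym in s)
    return report


if __name__ == "__main__":
    print(unresolved(READELF_D, NM_UNDEF, EXPORTS))
```

An empty result means every strong undefined symbol is covered by a declared dependency; a non-empty one names the library that was left off the link line.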

[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #1 from Kay <ks...@apache.org> ---
The patch has a formatting issue at line 82 so it's difficult to apply it. I
will try to work around this if I can.


[Issue 126893] bundled libxml2 version 2.7.8 has many security vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126893

--- Comment #15 from Don Lewis <tr...@apache.org> ---
The Windows build was successful.
