198385 2007-11-07 17:47 0000 x11-libs/goffice <0.3.7 Multiple issues in embedded PCRE 2009-03-16 11:04:39 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27543/ B2 [glsa] P2 normal --- 156984 1 rbu@gentoo.org security@gentoo.org esigra@gmail.com gnome-office@gentoo.org sum.notify@gmail.com rbu@gentoo.org 2007-11-07 17:47:34 0000 goffice ships a copy of PCRE which is be vulnerable to several security issues as pointed out in bug #198198. PCRE 7.3 fixes the issues mentioned. goffice 0.2.1 (current stable) ships version 6.3 of PCRE. According to the ChangeLog goffice 0.3.7 requires uses the system PCRE. Gnome-office, please advise. rbu@gentoo.org 2007-11-07 17:48:39 0000 See bug 156984. rbu@gentoo.org 2007-11-20 00:46:49 0000 Gnome-office, please advise. eva@gentoo.org 2007-11-21 22:08:19 0000 per bug #191555, gnumeric can't use newer versions of goffice (limited to <0.3) we could put newer releases of gnumeric but they are still considered development release. A 1.7.90 is out since yesterday so the stable release shouldn't be too far from now. @gnome-office, per the above paragraph, what's the best course of action ? I can take care of bumping gnumeric and goffice if needed. dang@gentoo.org 2007-11-29 03:30:33 0000 Ubuntu ships 1.7.11 in gutsy, so I'd say put a 1.7 version in the tree. rbu@gentoo.org 2007-12-04 01:15:46 0000 ping. eva@gentoo.org 2007-12-10 00:18:27 0000 00:23 < EvaSDK> dang: hey, just so you know, I haven't commited work on goffice bug because the goffice/gnumeric bump doesn't work yet 00:24 < EvaSDK> latest tests tend to show that goffice-0.4.3 doesn't export all required symbol to let gnumeric-1.7.12 (last release to work with 0.4) compile eva@gentoo.org 2007-12-10 23:19:08 0000 I've pushed the work on goffice slots into CVS. I hope I didn't break anything and will check tomorrow morning on a "clean" box . All apps besides gnumeric should already have relevant version checks thanks to RobbieAB (on #-desktop). If anyone can/want to do gnumeric just ping me, I couldn't make gnumeric-1.7.12 compile for me yet, and I'm not sure we want a dev release for goffice 0.5 and gnumeric-1.7.9* in tree just yet (and I'm pretty busy irl these days). eva@gentoo.org 2008-01-01 18:55:00 0000 hi security, ebuilds needed to close this bug are finally in the tree. you'll need to get goffice-0.4, goffice-0.6 and gnumeric-1.8 before when can ditch goffice-0.2 rbu@gentoo.org 2008-01-01 22:16:22 0000 [23:11] <rbu> EvaSDK: do i understand right we need both goffice 0.4.3 and 0.6.1 to be stable? [23:11] <EvaSDK> rbu: afaik, not everything is compatible with goffice-0.6 [23:11] <EvaSDK> abiword-plugins and gnumeric compile against 0.6 [23:12] <EvaSDK> but it seems gnucash doesn't know about 0.6 yet Arches, please test and mark stable x11-libs/goffice-0.4.3, x11-libs/goffice-0.6.1 and app-office/gnumeric-1.8.0. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" ranger@gentoo.org 2008-01-02 00:22:57 0000 OK took care of goffice-1.4 but bumped into a configure error with -1.6 on both ppc64 and ppc. checking for GNOME... yes checking for GOFFICE... configure: error: Package requirements ( glib-2.0 >= 2.8.0 gobject-2.0 >= 2.6.3 gmodule-2.0 >= 2.6.3 libgsf-1 >= 1.13.3 libxml-2.0 >= 2.4.12 pango >= 1.8.1 pangocairo >= 1.8.1 libart-2.0 >= 2.3.11 cairo >= 1.2.0 cairo-svg >= 1.2.0 cairo-pdf >= 1.2.0 cairo-ps >= 1.2.0 gtk+-2.0 >= 2.6.0 libglade-2.0 >= 2.3.6 gconf-2.0 libgnomeui-2.0 >= 2.0.0 libgsf-gnome-1 >= 1.12.2 ) were not met: No package 'cairo-svg' found How do you guys want to deal with this? I assume this is x11-libs/libsvg-cairo ? compnerd@gentoo.org 2008-01-02 01:35:31 0000 Yeap, needs a built_with_use which I added. jer@gentoo.org 2008-01-02 06:14:04 0000 Stable for HPPA. fauli@gentoo.org 2008-01-02 10:17:44 0000 x86 stable jakub@gentoo.org 2008-01-02 10:20:08 0000 *** Bug 204018 has been marked as a duplicate of this bug. *** armin76@gentoo.org 2008-01-02 14:29:42 0000 alpha/ia64/sparc stable ranger@gentoo.org 2008-01-02 17:11:01 0000 ppc and ppc64 done welp@gentoo.org 2008-01-10 19:41:29 0000 amd64 done, apologies about the delay. py@gentoo.org 2008-01-10 19:53:08 0000 glsa request filed ssuominen@gentoo.org 2008-01-10 20:13:02 0000 This is how keywords look in tree now, gnumeric-1.6.3.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86" gnumeric-1.8.0.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ppc64 sparc x86" Did hppa miss it? jer@gentoo.org 2008-01-11 13:08:22 0000 ... py@gentoo.org 2008-01-30 22:44:27 0000 GLSA 200801-19, sorry for the delay.