Bug 198385 - x11-libs/goffice <0.3.7 Multiple issues in embedded PCRE
Bug#: 198385
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/27543/
Summary: x11-libs/goffice <0.3.7 Multiple issues in embedded PCRE
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2007-11-07 17:47 0000

goffice ships a copy of PCRE which is vulnerable to several security issues
as pointed out in bug #198198.
PCRE 7.3 fixes the issues mentioned. goffice 0.2.1 (current stable) ships
version 6.3 of PCRE.
According to the ChangeLog goffice 0.3.7 uses the system PCRE.
Gnome-office, please advise.
per bug #191555, gnumeric can't use newer versions of goffice (limited to <0.3)
we could put newer releases of gnumeric but they are still considered
development release. A 1.7.90 is out since yesterday so the stable release
shouldn't be too far from now.
@gnome-office, per the above paragraph, what's the best course of action? I
can take care of bumping gnumeric and goffice if needed.
Ubuntu ships 1.7.11 in gutsy, so I'd say put a 1.7 version in the tree.
00:23 < EvaSDK> dang: hey, just so you know, I haven't committed work on goffice
bug because the goffice/gnumeric bump doesn't work yet
00:24 < EvaSDK> latest tests tend to show that goffice-0.4.3 doesn't export all
required symbol to let gnumeric-1.7.12 (last release to work
with 0.4) compile
I've pushed the work on goffice slots into CVS. I hope I didn't break anything
and will check tomorrow morning on a "clean" box.
All apps besides gnumeric should already have relevant version checks thanks to
RobbieAB (on #-desktop). If anyone can/want to do gnumeric just ping me, I
couldn't make gnumeric-1.7.12 compile for me yet, and I'm not sure we want a
dev release for goffice 0.5 and gnumeric-1.7.9* in tree just yet (and I'm
pretty busy irl these days).
hi security, ebuilds needed to close this bug are finally in the tree.
you'll need to get goffice-0.4, goffice-0.6 and gnumeric-1.8 before we can
ditch goffice-0.2
[23:11] <rbu> EvaSDK: do i understand right we need both goffice 0.4.3 and
0.6.1 to be stable?
[23:11] <EvaSDK> rbu: afaik, not everything is compatible with goffice-0.6
[23:11] <EvaSDK> abiword-plugins and gnumeric compile against 0.6
[23:12] <EvaSDK> but it seems gnucash doesn't know about 0.6 yet
Arches, please test and mark stable x11-libs/goffice-0.4.3,
x11-libs/goffice-0.6.1 and app-office/gnumeric-1.8.0.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
OK took care of goffice-1.4 but bumped into a configure error with -1.6 on
both ppc64 and ppc.
checking for GNOME... yes
checking for GOFFICE... configure: error: Package requirements (
glib-2.0 >= 2.8.0
gobject-2.0 >= 2.6.3
gmodule-2.0 >= 2.6.3
libgsf-1 >= 1.13.3
libxml-2.0 >= 2.4.12
pango >= 1.8.1
pangocairo >= 1.8.1
libart-2.0 >= 2.3.11
cairo >= 1.2.0
cairo-svg >= 1.2.0
cairo-pdf >= 1.2.0
cairo-ps >= 1.2.0
gtk+-2.0 >= 2.6.0
libglade-2.0 >= 2.3.6
gconf-2.0
libgnomeui-2.0 >= 2.0.0
libgsf-gnome-1 >= 1.12.2
) were not met:
No package 'cairo-svg' found
How do you guys want to deal with this? I assume this is x11-libs/libsvg-cairo?
Yeap, needs a built_with_use which I added.
*** Bug 204018 has been marked as a duplicate of this bug. ***
amd64 done, apologies about the delay.
This is how keywords look in tree now,
gnumeric-1.6.3.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
gnumeric-1.8.0.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ppc64 sparc x86"
Did hppa miss it?
GLSA 200801-19, sorry for the delay.