Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 305195 - <app-office/openoffice-3.2.0: Multiple vulnerabilities (CVE-2006-4339,CVE-2009-{0217,2949,2950,3301,3302})
Summary: <app-office/openoffice-3.2.0: Multiple vulnerabilities (CVE-2006-4339,CVE-200...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.openoffice.org/security/bu...
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2009-0217
Blocks: 306333
  Show dependency tree
 
Reported: 2010-02-15 07:20 UTC by mikopp
Modified: 2014-08-31 15:21 UTC (History)
14 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description mikopp 2010-02-15 07:20:18 UTC
OpenOffice 3.2 is out and so is the version from go-oo.org.

Please add 3.2 ebuilds for the bin and source version.

Reproducible: Always
Comment 1 Hanno Böck gentoo-dev 2010-02-15 12:03:43 UTC
According to upstream security bulletin, this fixes a couple of issues. Two of them are related to bundled libraries, I haven't checked if we use them in Gentoo, one is windows only, the other four are related to OOo-code itself, so we're probably vulnerable.
Comment 2 Iskren Slavov 2010-02-15 12:37:52 UTC
(In reply to comment #1)
> According to upstream security bulletin, this fixes a couple of issues. Two of
> them are related to bundled libraries, I haven't checked if we use them in
> Gentoo, one is windows only, the other four are related to OOo-code itself, so
> we're probably vulnerable.
> 

There are some binaries released on Go-OO.org but as you can see here: http://download.go-oo.org/OOO320/ not all of the sources are quite released yet. The only released file is the new ooo-build. We'll probably have to wait a little bit to see the 3.2.0 sources coming out.
Comment 3 Andreas Proschofsky (RETIRED) gentoo-dev 2010-02-15 13:37:29 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > According to upstream security bulletin, this fixes a couple of issues. Two of
> > them are related to bundled libraries, I haven't checked if we use them in
> > Gentoo, one is windows only, the other four are related to OOo-code itself, so
> > we're probably vulnerable.
> > 
> 
> There are some binaries released on Go-OO.org but as you can see here:
> http://download.go-oo.org/OOO320/ not all of the sources are quite released
> yet. The only released file is the new ooo-build. We'll probably have to wait a
> little bit to see the 3.2.0 sources coming out.
> 

We use the upstream source with the ooo-build patchset, so that's not an issue

Besides that: Binary is ready to go, will put it in portage soonish

About the source-based-build: Unfortunately I still encounter some build issues, so not sure when this will follow, I try to do my best, but time is limited...
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2010-02-15 13:51:56 UTC
openoffice-bin 3.2.0 is in the tree
Comment 5 Denis Dupeyron (RETIRED) gentoo-dev 2010-02-16 22:28:09 UTC
(In reply to comment #3)
> About the source-based-build: Unfortunately I still encounter some build
> issues, so not sure when this will follow, I try to do my best, but time is
> limited...

How about making your ebuild available either masked in the tree, in your overlay or here? That would allow others to help you.

Denis.
Comment 6 Andreas Proschofsky (RETIRED) gentoo-dev 2010-02-20 21:10:22 UTC
openoffice-3.2.0 is in the tree, should work fine, had to drop gio-support and fall back to the older gnome-vfs-stuff as there is (at least) one crasher with gio. Also templates-support is disabled for now. as I had a build break in the install stage with it.

So: Please test.
Comment 7 Steffen Schaumburg 2010-02-21 04:51:04 UTC
Just finished the emerge, seems to work fine tho I couldn't try much yet.
Thanks!
Comment 8 George L. Emigh 2010-02-21 22:09:30 UTC
The build fails for me, and it stops the same place even after several tries.

Entering /var/tmp/portage/app-office/openoffice-3.2.0/work/ooo/build/OOO320_m12/sysui/util
/usr/bin/perl checksize.pl                                                                
Checking:../unxlngx6.pro/                                                                 
Error: ../unxlngx6.pro/misc/sysui/dummy/localize.sdf 0 Bytes!                             
Error: 1 damaged files encountered                                                        
dmake:  Error code 1, while making '../unxlngx6.pro/misc/checksize.done'                  

ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-3.2.0/work/ooo/build/OOO320_m12/sysui/util                                                                                                                  
rmdir /var/tmp/portage/app-office/openoffice-3.2.0/temp/7RM7P5216N                                                    
make: *** [stamp/build] Error 1                                                                                       
 * ERROR: app-office/openoffice-3.2.0 failed:                                                                         
 *   Build failed                                                                                                     
 *                                                                                                                    
 * Call stack:                                                                                                        
 *     ebuild.sh, line  48:  Called src_compile                                                                       
 *   environment, line 5582:  Called die                                                                              
 * The specific snippet of code:                                                                                      
 *       make || die "Build failed"                                                                                   
 *                                                                                                                    
 * If you need support, post the output of 'emerge --info =app-office/openoffice-3.2.0',                              
 * the complete build log and the output of 'emerge -pqv =app-office/openoffice-3.2.0'.
!!! When you file a bug report, please include the following information:
GENTOO_VM=sun-jdk-1.6  CLASSPATH="" JAVA_HOME="/opt/sun-jdk-1.6.0.17"
JAVACFLAGS="-source 1.5 -target 1.5" COMPILER=""


And my emerge --info

Portage 2.2_rc63 (default/linux/amd64/10.0/desktop, gcc-4.4.3, glibc-2.10.1-r1, 2.6.32-gentoo-r6 x86_64)
=================================================================                                       
System uname: Linux-2.6.32-gentoo-r6-x86_64-AMD_Phenom-tm-_II_X4_965_Processor-with-gentoo-2.0.1        
Timestamp of tree: Sun, 21 Feb 2010 20:15:02 +0000                                                      
app-shells/bash:     4.0_p35                                                                            
dev-java/java-config: 2.1.10                                                                            
dev-lang/python:     2.6.4                                                                              
dev-util/cmake:      2.6.4-r3                                                                           
sys-apps/baselayout: 2.0.1                                                                              
sys-apps/openrc:     0.6.0-r1                                                                           
sys-apps/sandbox:    2.2                                                                                
sys-devel/autoconf:  2.13, 2.63-r1                                                                      
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2                                               
sys-devel/binutils:  2.18-r3                                                                            
sys-devel/gcc:       4.3.4, 4.4.3                                                                       
sys-devel/gcc-config: 1.4.1                                                                             
sys-devel/libtool:   2.2.6b                                                                             
virtual/os-headers:  2.6.30-r1                                                                          
ACCEPT_KEYWORDS="amd64"                                                                                 
ACCEPT_LICENSE="*"                                                                                      
CBUILD="x86_64-pc-linux-gnu"                                                                            
CFLAGS="-march=native -O2 -pipe  -mfpmath=sse"                                                          
CHOST="x86_64-pc-linux-gnu"                                                                             
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=native -O2 -pipe  -mfpmath=sse "
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://www.cyberuse.com/gentoo/ http://gentoo.osuosl.org/ http://gentoo.netnitco.net"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US en"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/kde-sunset /usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip X a52 aac accessibility acl acpi alsa amd64 amr amrnb amrwb ao avahi avi berkdb branding bzip2 cairo cddb cdparanoia cdr cli clucene consolekit cracklib crypt cups cxx dbus dga dri dts dv dvd dvdr emboss enca encode esd evo exif fam festival ffmpeg flac fortran gdbm ggi gif gnutls gpm gstreamer gtk hal iconv iproute2 ipv6 java java6 jpeg jpeg2k kde kdehiddenvisibility kvm lame libnotify live lm_sensors loop-aes lzo mad md5sum mikmod mjpeg mmx mmxext mng modules mp2 mp3 mp4 mp4live mpeg mplayer mudflap multilib musepack mysql ncurses nemesi network nls nptl nptlonly nsplugin ogg openal openexr opengl openmp pam pcre pdf perl phonon png pnm postgres ppds pvr python qt3support qt4 quicktime rar readline reflection samba sdl semantic-desktop session slang slp spell spl sqlite srt sse sse2 ssl startup-notification subversion svg sysfs syslog tcpd theora thunar tiff truetype udev unicode urandom usb v4l v4l2 vcd vde vorbis webkit wmf x264 xanim xcomposite xine xinerama xinetd xml xorg xpm xulrunner xv xvid xvmc zeroconf zlib" ALSA_CARDS="cmipci hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en" NETBEANS_MODULES="apisupport groovy gsf harness ide j2ee java nb php visualweb websvccommon xml" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Steffen Schaumburg 2010-02-21 22:14:44 UTC
Here's my emerge --info, as noted it works for me.
Portage 2.2_rc63 (default/linux/amd64/10.0, gcc-4.4.2, glibc-2.11-r1, 2.6.33-rc8 x86_64)                                                         
=================================================================                                                                                
System uname: Linux-2.6.33-rc8-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_4600+-with-gentoo-2.0.1                                           
Timestamp of tree: Sat, 20 Feb 2010 21:15:01 +0000                                                                                               
distcc 3.1 x86_64-pc-linux-gnu [disabled]                                                                                                        
app-shells/bash:     4.0_p37                                                                                                                     
dev-java/java-config: 2.1.10                                                                                                                     
dev-lang/python:     2.6.4, 3.1.1-r1                                                                                                             
dev-util/cmake:      2.8.0-r2                                                                                                                    
sys-apps/baselayout: 2.0.1                                                                                                                       
sys-apps/openrc:     0.6.0-r1                                                                                                                    
sys-apps/sandbox:    2.2                                                                                                                         
sys-devel/autoconf:  2.13, 2.64                                                                                                                  
sys-devel/automake:  1.8.5-r3, 1.9.6-r2, 1.10.3, 1.11.1                                                                                          
sys-devel/binutils:  2.20                                                                                                                        
sys-devel/gcc:       4.4.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8-sse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=k8-sse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--binpkg-respect-use --with-bdeps=y"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.bytemark.co.uk/gentoo/ http://gentoo.virginmedia.com/sites/gentoo "
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="de en_GB en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip X aac acl acpi akonadi alsa amd64 applet ares artworkextra bash-completion bluetooth branding bzip2 cairo cdda cddb cdr cjk cli cracklib crypt cxx dbus desktop device-mapper dhcpcd divx dmraid doc dri dvd dvdr dvdread encode examples exif fam fftw fontforge fortran fortune ftp fuse gdbm gif gmp gpm hal http iconv imap jabber java java6 jpeg kde laptop lm_sensors loop-aes lzma maps mmx mmxext mng modules mono mp3 mpeg mplayer msn mudflap multilib mysql mysqli ncurses nls nowin nptl nptlonly ntfs obex offensive ogg openexr opengl openmp openssl oscar otr pam pcre pda pdf perl phonon png pppd pulseaudio python qt3support qt4 quicktime quota quotas rar readline realmedia reflection reiserfs rubytests samba sasl session smp solver spell spl sqlite sqlite3 sse sse2 sse3 ssl startup-notification svg swig symlink sysfs threads tiff truetype unicode usb utempter vhosts vorbis wma wmp xattr xcomposite xinerama xmp xorg xscreensaver xulrunner xv xvid zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LINGUAS="de en_GB en en_US" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 10 George L. Emigh 2010-02-21 23:25:25 UTC
I think it has to do with LINGUAS and OO not liking the en_US all by itself or with en like I had mine, I'm testing now with LINGUAS empty to see what happens.

It failed with just en_US.
Comment 11 George L. Emigh 2010-02-21 23:47:49 UTC
By setting LINGUAS="" it emerged without any problems.
Comment 12 George L. Emigh 2010-02-22 01:30:03 UTC
LINGUAS="en en_US" Fails

LINGUAS="en_US" Fails

LINGUAS="en" Success

LINGUAS="" Success

I hope this proves to be useful.
Comment 13 Andreas Proschofsky (RETIRED) gentoo-dev 2010-02-22 22:26:25 UTC
(In reply to comment #12)
> LINGUAS="en en_US" Fails
> 
> LINGUAS="en_US" Fails
> 
> LINGUAS="en" Success
> 
> LINGUAS="" Success
> 
> I hope this proves to be useful.
> 

See bug #306221, those cases should be fixed now.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:45:27 UTC
Can 3.2 be stabilized now? You might also want to have a look at bug 307307 before.
Comment 15 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-01 14:45:49 UTC
(In reply to comment #14)
> Can 3.2 be stabilized now? You might also want to have a look at bug 307307
> before.
> 

From my perspective: Yes, no major bugs open as far as I can see (for both source-based and -bin)
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 21:28:19 UTC
Okay, as bug 307307 is now closed, we can move this to stable.

Arches, please test and mark stable:

=app-office/openoffice-3.2.0
Target keywords : "amd64 ppc x86"

=app-office/openoffice-bin-3.2.0
Target keywords : "amd64 x86"

Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 21:51:08 UTC
CVE-2006-4339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4339):
  OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c,
  when using an RSA key with exponent 3, removes PKCS-1 padding before
  generating a hash, which allows remote attackers to forge a PKCS #1
  v1.5 signature that is signed by that RSA key and prevents OpenSSL
  from correctly verifying X.509 and other certificates that use
  PKCS #1. 

CVE-2009-0217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217):
  The design of the W3C XML Signature Syntax and Processing (XMLDsig)
  recommendation, as implemented in products including (1) the Oracle
  Security Developer Tools component in Oracle Application Server
  10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component
  in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6;
  (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5)
  IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1
  through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update
  14 and earlier; and other products uses a parameter that defines an
  HMAC truncation length (HMACOutputLength) but does not require a
  minimum for this length, which allows attackers to spoof HMAC-based
  signatures and bypass authentication by specifying a truncation length
  with a small number of bits. 

CVE-2009-2949 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2949):
  Integer overflow in the XPMReader::ReadXPM function in
  filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2
  allows remote attackers to execute arbitrary code via a crafted XPM
  file that triggers a heap-based buffer overflow.

CVE-2009-2950 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2950):
  Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor
  function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before
  3.2 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted GIF file,
  related to LZW decompression. 

CVE-2009-3301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3301):
  Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo)
  before 3.2 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted
  sprmTDefTable table property modifier in a Word document.

CVE-2009-3302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3302):
  filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted sprmTSetBrc table
  property modifier in a Word document, related to a "boundary error
  flaw."
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-02 09:00:58 UTC
What boost version should we go with?
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-02 09:12:38 UTC
-bin stable for x86
Comment 20 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-02 09:45:40 UTC
(In reply to comment #18)
> What boost version should we go with?
> 

Well I've tested it mostly with 1.41, but basically everything starting from 1.36 should be fine
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-03 10:58:05 UTC
x86 stable with boost 1.41-r3
Comment 22 Sebastian Luther (few) 2010-03-03 12:22:32 UTC
(In reply to comment #21)
> x86 stable with boost 1.41-r3
> 

Would you please stop to stabilize boost without asking the maintainers? There are pending modifications to the -r3 ebuild, which was the reason for not CCing arches on bug 306335.
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-03 12:32:07 UTC
(In reply to comment #22)
> (In reply to comment #21)
> > x86 stable with boost 1.41-r3
> > 
> 
> Would you please stop to stabilize boost without asking the maintainers? There
> are pending modifications to the -r3 ebuild, which was the reason for not CCing
> arches on bug 306335.

 It says so in white ink on white ground.  Passing the testsuite on my arch with different USE flags seems to be a good-to-go for me.
Comment 24 Sebastian Luther (few) 2010-03-03 12:44:19 UTC
(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #21)
> > > x86 stable with boost 1.41-r3
> > > 
> > 
> > Would you please stop to stabilize boost without asking the maintainers? There
> > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > arches on bug 306335.
> 
>  It says so in white ink on white ground.  

I thought: no arches CCed = no stabilization.

> Passing the testsuite on my arch
> with different USE flags seems to be a good-to-go for me.
> 

No it's not. That the test suite passes doesn't tell you anything, because it can't fail. It just creates and installs a list of test results. The reason is that always lots of tests fail.

boost tends to randomly break API compatibility, which creates a need to actually test the reverse dependencies.
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-03 12:55:07 UTC
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #21)
> > > > x86 stable with boost 1.41-r3
> > > > 
> > > 
> > > Would you please stop to stabilize boost without asking the maintainers? There
> > > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > > arches on bug 306335.
> > 
> >  It says so in white ink on white ground.  
> 
> I thought: no arches CCed = no stabilization.

 Security bugs normally justify out-of-the-line stabilisations, and this equation can be solved in many ways:  "no arches CCed =  maintainer mia" is one of them.

> > Passing the testsuite on my arch
> > with different USE flags seems to be a good-to-go for me.
> > 
> 
> No it's not. That the test suite passes doesn't tell you anything, because it
> can't fail. It just creates and installs a list of test results. The reason is
> that always lots of tests fail.
> 
> boost tends to randomly break API compatibility, which creates a need to
> actually test the reverse dependencies.

 Some were rebuilt by me to check.  To stop bitching: Should we revert stabilisation?

Comment 26 Sebastian Luther (few) 2010-03-03 13:05:44 UTC
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > (In reply to comment #21)
> > > > > x86 stable with boost 1.41-r3
> > > > > 
> > > > 
> > > > Would you please stop to stabilize boost without asking the maintainers? There
> > > > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > > > arches on bug 306335.
> > > 
> > >  It says so in white ink on white ground.  
> > 
> > I thought: no arches CCed = no stabilization.
> 
>  Security bugs normally justify out-of-the-line stabilisations, and this
> equation can be solved in many ways:  "no arches CCed =  maintainer mia" is one
> of them.

I'll make it clear next time.

> 
> > > Passing the testsuite on my arch
> > > with different USE flags seems to be a good-to-go for me.
> > > 
> > 
> > No it's not. That the test suite passes doesn't tell you anything, because it
> > can't fail. It just creates and installs a list of test results. The reason is
> > that always lots of tests fail.
> > 
> > boost tends to randomly break API compatibility, which creates a need to
> > actually test the reverse dependencies.
> 
>  Some were rebuilt by me to check.  To stop bitching: Should we revert
> stabilisation?
>

No, the changes are committed now. To have an OpenOffice without security relevant bugs seems more important than potentially broken smaller packages.
Comment 27 GrowlTiger 2010-03-08 05:11:11 UTC
(In reply to comment #0)
I'm getting this from

emerge -avuND world

...

[blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is blocking dev-libs/boost-1.41.0-r3)

Total: 42 packages (37 upgrades, 2 new, 2 in new slots, 1 reinstall, 1 uninstall), Size of downloads: 531,698 kB
Conflict: 2 blocks (1 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  ('ebuild', '/', 'dev-libs/boost-1.41.0-r3', 'merge') pulled in by
    >=dev-libs/boost-1.36 required by ('ebuild', '/', 'app-office/openoffice-3.2.0', 'merge')


Is this related to this bug?
Comment 28 GrowlTiger 2010-03-08 05:12:22 UTC
gentooachooiMac ~ # emerge --info
Portage 2.1.7.17 (default/linux/x86/10.0/desktop, gcc-4.3.4, glibc-2.10.1-r1, 2.6.31-gentoo-r6 i686)
=================================================================
System uname: Linux-2.6.31-gentoo-r6-i686-Intel-R-_Core-TM-2_Duo_CPU_T7700_@_2.40GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 08 Mar 2010 03:00:23 +0000
distcc 3.1 i686-pc-linux-gnu [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p35
dev-lang/python:     2.5.4-r3, 2.6.4-r1
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distcc distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.cites.uiuc.edu/pub/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://gentoo.mirrors.pair.com/ ftp://gentoo.chem.wisc.edu/gentoo/ "
LDFLAGS="-Wl,-O1"
LINGUAS="en_US"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa avahi berkdb bluetooth branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emboss encode evo fam firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv jpeg ldap libnotify mad mikmod mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3support quicktime readline reflection sdl session spell spl ssl startup-notification svg sysfs tcpd thunar tiff truetype unicode usb vorbis win32codecs x264 x86 xcb xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="kbd keyboard mouse prlmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="prlvideo" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 29 Sebastian Luther (few) 2010-03-08 07:00:20 UTC
(In reply to comment #27)
> [blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> blocking dev-libs/boost-1.41.0-r3)
>
> Is this related to this bug?

That's not a bug, you need to manually uninstall the old version.

Comment 30 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-08 10:00:16 UTC
To be honest I've real problems to find any useful information in the CVEs, which version this relates too, what the vulnerability actually is, could you please help here?

btw: are you sure those are actually valid for Linux

http://securitytracker.com/alerts/2009/Sep/1022832.html

only lists Windows for two of those...
Comment 31 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-08 10:23:01 UTC
(In reply to comment #30)
> To be honest I've real problems to find any useful information in the CVEs,
> which version this relates too, what the vulnerability actually is, could you
> please help here?
> 
> btw: are you sure those are actually valid for Linux
> 
> http://securitytracker.com/alerts/2009/Sep/1022832.html
> 
> only lists Windows for two of those...
> 

ooops, wrong bug, forget the above comment
Comment 32 GrowlTiger 2010-03-08 16:20:21 UTC
(In reply to comment #29)
> (In reply to comment #27)
> > [blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > blocking dev-libs/boost-1.41.0-r3)
> >
> > Is this related to this bug?
> 
> That's not a bug, you need to manually uninstall the old version.

Thanks for the help, Sebastian.

Do you mean manually uninstall boost or openoffice (or both)?

I presume one would use --depclean to remove. But if I use --depclean to uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I have to uninstall openoffice, upgrade boost, then recompile openoffice, right?

Comment 33 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-08 16:21:56 UTC
(In reply to comment #32)
> (In reply to comment #29)
> > (In reply to comment #27)
> > > [blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > blocking dev-libs/boost-1.41.0-r3)
> > >
> > > Is this related to this bug?
> > 
> > That's not a bug, you need to manually uninstall the old version.
> 
> Thanks for the help, Sebastian.
> 
> Do you mean manually uninstall boost or openoffice (or both)?
> 
> I presume one would use --depclean to remove. But if I use --depclean to
> uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> have to uninstall openoffice, upgrade boost, then recompile openoffice, right?

 emerge -C boost
 emerge -1av openoffice
Comment 34 Sebastian Luther (few) 2010-03-08 16:43:45 UTC
(In reply to comment #33)
> (In reply to comment #32)
> > (In reply to comment #29)
> > > (In reply to comment #27)
> > > > [blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > > blocking dev-libs/boost-1.41.0-r3)
> > > >
> > > > Is this related to this bug?
> > > 
> > > That's not a bug, you need to manually uninstall the old version.
> > 
> > Thanks for the help, Sebastian.
> > 
> > Do you mean manually uninstall boost or openoffice (or both)?
> > 
> > I presume one would use --depclean to remove. But if I use --depclean to
> > uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> > have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
> 
>  emerge -C boost
>  emerge -1av openoffice
> 
revdep-rebuild
Comment 35 Richard Freeman gentoo-dev 2010-03-08 18:14:24 UTC
-bin stable on amd64
Comment 36 GrowlTiger 2010-03-09 07:20:17 UTC
(In reply to comment #34)
> (In reply to comment #33)
> > (In reply to comment #32)
> > > (In reply to comment #29)
> > > > (In reply to comment #27)
> > > > > [blocks B     ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > > > blocking dev-libs/boost-1.41.0-r3)
> > > > >
> > > > > Is this related to this bug?
> > > > 
> > > > That's not a bug, you need to manually uninstall the old version.
> > > 
> > > Thanks for the help, Sebastian.
> > > 
> > > Do you mean manually uninstall boost or openoffice (or both)?
> > > 
> > > I presume one would use --depclean to remove. But if I use --depclean to
> > > uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> > > have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
> > 
> >  emerge -C boost
> >  emerge -1av openoffice
> > 
> revdep-rebuild
> 

Sebastian and Christian,

Thank You! Your solution worked like a charm.

Take Care,

GT
Comment 37 Markus Meier gentoo-dev 2010-04-16 05:19:07 UTC
  30 Mar 2010; Pacho Ramos <pacho@gentoo.org> openoffice-3.2.0.ebuild:
  stable x86, security bug 305195

this was amd64 actually...
Comment 38 Joe Jezak (RETIRED) gentoo-dev 2010-04-17 23:53:06 UTC
Marked ppc stable.
Comment 39 Andreas Proschofsky (RETIRED) gentoo-dev 2010-04-18 13:43:33 UTC
All arches finished, so I removed the vulnerable ebuilds from the tree. So I guess we are good to go!
Comment 40 Andreas Proschofsky (RETIRED) gentoo-dev 2010-11-11 19:37:54 UTC
Another fixed OOo security update with the bug still open for no apparent reason...
Comment 41 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:23:32 UTC
Added to existing GLSA request.
Comment 42 Jaak Ristioja 2013-07-11 19:48:55 UTC
Still not fixed? :D
Comment 43 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:21:08 UTC
This issue was resolved and addressed in
 GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).