OpenOffice 3.2 is out and so is the version from go-oo.org. Please add 3.2 ebuilds for the bin and source version. Reproducible: Always
According to upstream security bulletin, this fixes a couple of issues. Two of them are related to bundled libraries, I haven't checked if we use them in Gentoo, one is windows only, the other four are related to OOo-code itself, so we're probably vulnerable.
(In reply to comment #1)
> According to upstream security bulletin, this fixes a couple of issues. Two of
> them are related to bundled libraries, I haven't checked if we use them in
> Gentoo, one is windows only, the other four are related to OOo-code itself, so
> we're probably vulnerable.
>
There are some binaries released on Go-OO.org but as you can see here: http://download.go-oo.org/OOO320/ not all of the sources are quite released yet. The only released file is the new ooo-build. We'll probably have to wait a little bit to see the 3.2.0 sources coming out.
(In reply to comment #2)
> (In reply to comment #1)
> > According to upstream security bulletin, this fixes a couple of issues. Two of
> > them are related to bundled libraries, I haven't checked if we use them in
> > Gentoo, one is windows only, the other four are related to OOo-code itself, so
> > we're probably vulnerable.
> >
>
> There are some binaries released on Go-OO.org but as you can see here:
> http://download.go-oo.org/OOO320/ not all of the sources are quite released
> yet. The only released file is the new ooo-build. We'll probably have to wait a
> little bit to see the 3.2.0 sources coming out.
>
We use the upstream source with the ooo-build patchset, so that's not an issue
Besides that: Binary is ready to go, will put it in portage soonish
About the source-based-build: Unfortunately I still encounter some build issues, so not sure when this will follow, I try to do my best, but time is limited...
openoffice-bin 3.2.0 is in the tree
(In reply to comment #3)
> About the source-based-build: Unfortunately I still encounter some build
> issues, so not sure when this will follow, I try to do my best, but time is
> limited...
How about making your ebuild available either masked in the tree, in your overlay or here? That would allow others to help you.
Denis.
openoffice-3.2.0 is in the tree, should work fine, had to drop gio-support and fall back to the older gnome-vfs-stuff as there is (at least) one crasher with gio. Also templates-support is disabled for now, as I had a build break in the install stage with it. So: Please test.
Just finished the emerge, seems to work fine tho I couldn't try much yet. Thanks!
The build fails for me, and it stops the same place even after several tries.
Entering /var/tmp/portage/app-office/openoffice-3.2.0/work/ooo/build/OOO320_m12/sysui/util
/usr/bin/perl checksize.pl
Checking:../unxlngx6.pro/
Error: ../unxlngx6.pro/misc/sysui/dummy/localize.sdf 0 Bytes!
Error: 1 damaged files encountered
dmake: Error code 1, while making '../unxlngx6.pro/misc/checksize.done'
ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-3.2.0/work/ooo/build/OOO320_m12/sysui/util
rmdir /var/tmp/portage/app-office/openoffice-3.2.0/temp/7RM7P5216N
make: *** [stamp/build] Error 1
 * ERROR: app-office/openoffice-3.2.0 failed:
 *   Build failed
 *
 * Call stack:
 *   ebuild.sh, line 48: Called src_compile
 *   environment, line 5582: Called die
 * The specific snippet of code:
 *   make || die "Build failed"
 *
 * If you need support, post the output of 'emerge --info =app-office/openoffice-3.2.0',
 * the complete build log and the output of 'emerge -pqv =app-office/openoffice-3.2.0'.
!!!
When you file a bug report, please include the following information:
GENTOO_VM=sun-jdk-1.6 CLASSPATH="" JAVA_HOME="/opt/sun-jdk-1.6.0.17"
JAVACFLAGS="-source 1.5 -target 1.5" COMPILER=""
And my emerge --info
Here's my emerge --info, as noted it works for me.
I think it has to do with LINGUAS and OO not liking the en_US all by itself or with en like I had mine, I'm testing now with LINGUAS empty to see what happens. It failed with just en_US.
By setting LINGUAS="" it emerged without any problems.
LINGUAS="en en_US" Fails
LINGUAS="en_US" Fails
LINGUAS="en" Success
LINGUAS="" Success
I hope this proves to be useful.
(In reply to comment #12)
> LINGUAS="en en_US" Fails
>
> LINGUAS="en_US" Fails
>
> LINGUAS="en" Success
>
> LINGUAS="" Success
>
> I hope this proves to be useful.
>
See bug #306221, those cases should be fixed now.
Can 3.2 be stabilized now? You might also want to have a look at bug 307307 before.
(In reply to comment #14)
> Can 3.2 be stabilized now? You might also want to have a look at bug 307307
> before.
>
From my perspective: Yes, no major bugs open as far as I can see (for both source-based and -bin)
Okay, as bug 307307 is now closed, we can move this to stable.
Arches, please test and mark stable:
=app-office/openoffice-3.2.0
Target keywords : "amd64 ppc x86"
=app-office/openoffice-bin-3.2.0
Target keywords : "amd64 x86"
CVE-2006-4339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4339): OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
CVE-2009-0217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217): The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
CVE-2009-2949 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2949): Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow.
CVE-2009-2950 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2950): Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.
CVE-2009-3301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3301): Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.
CVE-2009-3302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3302): filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."
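The HMACOutputLength issue described under CVE-2009-0217 above, shown as an added Python example that is not part of the original bug report or of any listed product's code: a verifier that trusts the document-supplied truncation length next to one that enforces a minimum. The minimum used here (the larger of 80 bits or half the digest length) follows the W3C's later XML Signature guidance and is not stated on this page; the function names, key and message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs for this example (not from any real document).
KEY = b"constructed-shared-secret"
SIGNED_INFO = b"<SignedInfo>constructed canonical bytes</SignedInfo>"

# Assumption: absolute floor taken from the later W3C XML Signature guidance.
FLOOR_BITS = 80


def truncated_hmac(key, data, bits, digestmod=hashlib.sha1):
    """Leftmost `bits` bits of HMAC(key, data); whole bytes only in this sketch."""
    return hmac.new(key, data, digestmod).digest()[: bits // 8]


def verify_naive(key, data, signature, output_length_bits, digestmod=hashlib.sha1):
    """Weak form: the truncation length comes from the document and is trusted."""
    expected = truncated_hmac(key, data, output_length_bits, digestmod)
    return hmac.compare_digest(expected, signature)


def min_output_bits(digestmod=hashlib.sha1):
    """Smallest truncation length the hardened verifier accepts for this digest."""
    digest_bits = digestmod().digest_size * 8
    return max(FLOOR_BITS, digest_bits // 2)


def verify_hardened(key, data, signature, output_length_bits=None,
                    digestmod=hashlib.sha1):
    """Hardened form: reject the signature outright if the length is too small."""
    digest_bits = digestmod().digest_size * 8
    # An absent HMACOutputLength means the full digest is used.
    bits = digest_bits if output_length_bits is None else output_length_bits
    if isinstance(bits, bool) or not isinstance(bits, int):
        return False
    if bits % 8 != 0:
        return False
    if not (min_output_bits(digestmod) <= bits <= digest_bits):
        return False
    # The signature value must be exactly as long as the declared length.
    if len(signature) * 8 != bits:
        return False
    expected = truncated_hmac(key, data, bits, digestmod)
    return hmac.compare_digest(expected, signature)


def demo():
    """Compare both verifiers on a full tag, an 80-bit tag and a zero-length tag."""
    full = truncated_hmac(KEY, SIGNED_INFO, 160)
    return {
        "naive_zero_length": verify_naive(KEY, SIGNED_INFO, b"", 0),
        "hardened_zero_length": verify_hardened(KEY, SIGNED_INFO, b"", 0),
        "hardened_8_bits": verify_hardened(KEY, SIGNED_INFO, full[:1], 8),
        "hardened_80_bits": verify_hardened(KEY, SIGNED_INFO, full[:10], 80),
        "hardened_full": verify_hardened(KEY, SIGNED_INFO, full),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive verifier accepts an empty signature once the declared length is zero, without any knowledge of the key; the hardened one treats the whole signature as invalid before comparing anything.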
What boost version should we go with?
-bin stable for x86
(In reply to comment #18)
> What boost version should we go with?
>
Well I've tested it mostly with 1.41, but basically everything starting from 1.36 should be fine
x86 stable with boost 1.41-r3
(In reply to comment #21)
> x86 stable with boost 1.41-r3
>
Would you please stop to stabilize boost without asking the maintainers? There are pending modifications to the -r3 ebuild, which was the reason for not CCing arches on bug 306335.
(In reply to comment #22)
> (In reply to comment #21)
> > x86 stable with boost 1.41-r3
> >
>
> Would you please stop to stabilize boost without asking the maintainers? There
> are pending modifications to the -r3 ebuild, which was the reason for not CCing
> arches on bug 306335.
It says so in white ink on white ground.
Passing the testsuite on my arch with different USE flags seems to be a good-to-go for me.
(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #21)
> > > x86 stable with boost 1.41-r3
> > >
> >
> > Would you please stop to stabilize boost without asking the maintainers? There
> > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > arches on bug 306335.
>
> It says so in white ink on white ground.
I thought: no arches CCed = no stabilization.
> Passing the testsuite on my arch
> with different USE flags seems to be a good-to-go for me.
>
No it's not. That the test suite passes doesn't tell you anything, because it can't fail. It just creates and installs a list of test results. The reason is that always lots of tests fail.
boost tends to randomly break API compatibility, which creates a need to actually test the reverse dependencies.
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #21)
> > > > x86 stable with boost 1.41-r3
> > > >
> > >
> > > Would you please stop to stabilize boost without asking the maintainers? There
> > > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > > arches on bug 306335.
> >
> > It says so in white ink on white ground.
>
> I thought: no arches CCed = no stabilization.
Security bugs normally justify out-of-the-line stabilisations, and this equation can be solved in many ways: "no arches CCed = maintainer mia" is one of them.
> > Passing the testsuite on my arch
> > with different USE flags seems to be a good-to-go for me.
> >
>
> No it's not. That the test suite passes doesn't tell you anything, because it
> can't fail. It just creates and installs a list of test results. The reason is
> that always lots of tests fail.
>
> boost tends to randomly break API compatibility, which creates a need to
> actually test the reverse dependencies.
Some were rebuilt by me to check. To stop bitching: Should we revert stabilisation?
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > (In reply to comment #21)
> > > > > x86 stable with boost 1.41-r3
> > > > >
> > > >
> > > > Would you please stop to stabilize boost without asking the maintainers? There
> > > > are pending modifications to the -r3 ebuild, which was the reason for not CCing
> > > > arches on bug 306335.
> > >
> > > It says so in white ink on white ground.
> >
> > I thought: no arches CCed = no stabilization.
>
> Security bugs normally justify out-of-the-line stabilisations, and this
> equation can be solved in many ways: "no arches CCed = maintainer mia" is one
> of them.
I'll make it clear next time.
>
> > > Passing the testsuite on my arch
> > > with different USE flags seems to be a good-to-go for me.
> > >
> >
> > No it's not. That the test suite passes doesn't tell you anything, because it
> > can't fail. It just creates and installs a list of test results. The reason is
> > that always lots of tests fail.
> >
> > boost tends to randomly break API compatibility, which creates a need to
> > actually test the reverse dependencies.
>
> Some were rebuilt by me to check. To stop bitching: Should we revert
> stabilisation?
>
No, the changes are committed now. To have an OpenOffice without security relevant bugs seems more important than potentially broken smaller packages.
(In reply to comment #0)
I'm getting this from emerge -avuND world
...
[blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is blocking dev-libs/boost-1.41.0-r3)
Total: 42 packages (37 upgrades, 2 new, 2 in new slots, 1 reinstall, 1 uninstall), Size of downloads: 531,698 kB
Conflict: 2 blocks (1 unsatisfied)
 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.
('ebuild', '/', 'dev-libs/boost-1.41.0-r3', 'merge') pulled in by
>=dev-libs/boost-1.36 required by ('ebuild', '/', 'app-office/openoffice-3.2.0', 'merge')
Is this related to this bug?
gentooachooiMac ~ # emerge --info
(In reply to comment #27)
> [blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> blocking dev-libs/boost-1.41.0-r3)
>
> Is this related to this bug?
That's not a bug, you need to manually uninstall the old version.
To be honest I've real problems to find any useful information in the CVEs, which version this relates to, what the vulnerability actually is, could you please help here?
btw: are you sure those are actually valid for Linux
http://securitytracker.com/alerts/2009/Sep/1022832.html
only lists Windows for two of those...
(In reply to comment #30)
> To be honest I've real problems to find any useful information in the CVEs,
> which version this relates too, what the vulnerability actually is, could you
> please help here?
>
> btw: are you sure those are actually valid for Linux
>
> http://securitytracker.com/alerts/2009/Sep/1022832.html
>
> only lists Windows for two of those...
>
ooops, wrong bug, forget the above comment
(In reply to comment #29)
> (In reply to comment #27)
> > [blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > blocking dev-libs/boost-1.41.0-r3)
> >
> > Is this related to this bug?
>
> That's not a bug, you need to manually uninstall the old version.
Thanks for the help, Sebastian.
Do you mean manually uninstall boost or openoffice (or both)?
I presume one would use --depclean to remove. But if I use --depclean to uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
(In reply to comment #32)
> (In reply to comment #29)
> > (In reply to comment #27)
> > > [blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > blocking dev-libs/boost-1.41.0-r3)
> > >
> > > Is this related to this bug?
> >
> > That's not a bug, you need to manually uninstall the old version.
>
> Thanks for the help, Sebastian.
>
> Do you mean manually uninstall boost or openoffice (or both)?
>
> I presume one would use --depclean to remove. But if I use --depclean to
> uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
emerge -C boost
emerge -1av openoffice
(In reply to comment #33)
> (In reply to comment #32)
> > (In reply to comment #29)
> > > (In reply to comment #27)
> > > > [blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > > blocking dev-libs/boost-1.41.0-r3)
> > > >
> > > > Is this related to this bug?
> > >
> > > That's not a bug, you need to manually uninstall the old version.
> >
> > Thanks for the help, Sebastian.
> >
> > Do you mean manually uninstall boost or openoffice (or both)?
> >
> > I presume one would use --depclean to remove. But if I use --depclean to
> > uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> > have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
>
> emerge -C boost
> emerge -1av openoffice
>
revdep-rebuild
-bin stable on amd64
(In reply to comment #34)
> (In reply to comment #33)
> > (In reply to comment #32)
> > > (In reply to comment #29)
> > > > (In reply to comment #27)
> > > > > [blocks B ] <=dev-libs/boost-1.35.0-r2 ("<=dev-libs/boost-1.35.0-r2" is
> > > > > blocking dev-libs/boost-1.41.0-r3)
> > > > >
> > > > > Is this related to this bug?
> > > >
> > > > That's not a bug, you need to manually uninstall the old version.
> > >
> > > Thanks for the help, Sebastian.
> > >
> > > Do you mean manually uninstall boost or openoffice (or both)?
> > >
> > > I presume one would use --depclean to remove. But if I use --depclean to
> > > uninstall boost, it shows openoffice is blocking the uninstall, too. I guess I
> > > have to uninstall openoffice, upgrade boost, then recompile openoffice, right?
> >
> > emerge -C boost
> > emerge -1av openoffice
> >
> revdep-rebuild
>
Sebastian and Christian,
Thank You! Your solution worked like a charm.
Take Care,
GT
30 Mar 2010; Pacho Ramos <pacho@gentoo.org> openoffice-3.2.0.ebuild:
stable x86, security bug 305195
this was amd64 actually...
Marked ppc stable.
All arches finished, so I removed the vulnerable ebuilds from the tree. So I guess we are good to go!
Another fixed OOo security update with the bug still open for no apparent reason...
Added to existing GLSA request.
Still not fixed? :D
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).