RepositoryExternal.mk | 2
download.lst | 12 +-
external/curl/ExternalPackage_curl.mk | 4
external/curl/ExternalProject_curl.mk | 7 -
external/curl/curl-7.26.0_win-proxy.patch | 2
external/curl/curl-msvc-disable-protocols.patch.1 | 7 -
external/curl/zlib.patch.0 | 4
external/expat/expat-winapi.patch | 14 ++
external/libxml2/libxml2-config.patch.1 | 4
external/libxml2/libxml2-global-symbols.patch | 4
external/openssl/UnpackedTarball_openssl.mk | 1
external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 | 56
++++++++++
12 files changed, 95 insertions(+), 22 deletions(-)
New commits:
commit f4bf50d26f141e9b573dfd53db4e07634afd19bd
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Aug 25 11:32:11 2021 +0200
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Thu Sep 9 11:08:52 2021 +0200
openssl: add patch for CVE-2021-3712
Change-Id: I4061cbac18ddf9c7f932a27bf2b54a2b1c2f9d99
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121029
Tested-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/external/openssl/UnpackedTarball_openssl.mk
b/external/openssl/UnpackedTarball_openssl.mk
index ad600cce1412..e7fca1116545 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -22,6 +22,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/openssl-3650-masm.patch.1 \
external/openssl/openssl-fixbuild.patch.1 \
external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 \
+ external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1
b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1
new file mode 100644
index 000000000000..cf809750ecfb
--- /dev/null
+++ b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1
@@ -0,0 +1,56 @@
+From ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <m...@openssl.org>
+Date: Tue, 17 Aug 2021 14:41:48 +0100
+Subject: [PATCH] Fix a read buffer overrun in X509_CERT_AUX_print()
+
+This is a backport of commit c5dc9ab965f to 1.0.2. That commit fixed
+the same bug but in master/1.1.1 it is in the function X509_aux_print().
+The original commit had the following description:
+
+Fix a read buffer overrun in X509_aux_print().
+
+The ASN1_STRING_get0_data(3) manual explitely cautions the reader
+that the data is not necessarily NUL-terminated, and the function
+X509_alias_set1(3) does not sanitize the data passed into it in any
+way either, so we must assume the return value from X509_alias_get0(3)
+is merely a byte array and not necessarily a string in the sense
+of the C language.
+
+I found this bug while writing manual pages for X509_print_ex(3)
+and related functions. Theo Buehler <t...@openbsd.org> checked my
+patch to fix the same bug in LibreSSL, see
+
+http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
+
+As an aside, note that the function still produces incomplete and
+misleading results when the data contains a NUL byte in the middle
+and that error handling is consistently absent throughout, even
+though the function provides an "int" return value obviously intended
+to be 1 for success and 0 for failure, and even though this function
+is called by another function that also wants to return 1 for success
+and 0 for failure and even does so in many of its code paths, though
+not in others. But let's stay focussed. Many things would be nice
+to have in the wide wild world, but a buffer overflow must not be
+allowed to remain in our backyard.
+
+CVE-2021-3712
+
+Reviewed-by: Paul Dale <pa...@openssl.org>
+---
+ crypto/asn1/t_x509a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
+index d1b897a469fd..b1bc9d0cd28b 100644
+--- a/crypto/asn1/t_x509a.c
++++ b/crypto/asn1/t_x509a.c
+@@ -104,7 +104,8 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int
indent)
+ } else
+ BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+ if (aux->alias)
+- BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data);
++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length,
++ aux->alias->data);
+ if (aux->keyid) {
+ BIO_printf(out, "%*sKey Id: ", indent, "");
+ for (i = 0; i < aux->keyid->length; i++)
commit 030d609774d8f87d6b0c1528bceef2c54706f304
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Jul 21 11:57:51 2021 +0200
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Thu Sep 9 11:08:40 2021 +0200
curl: upgrade to release 7.78.0
* Fixes CVE-2020-8284 CVE-2021-22924
* Also fixes these which don't look relevant to LO:
CVE-2020-8231
CVE-2020-8285 CVE-2020-8286
CVE-2021-22876 CVE-2021-22890
CVE-2021-22897 CVE-2021-22898 CVE-2021-22901
CVE-2021-22922 CVE-2021-22923 CVE-2021-22925 CVE-2021-22926
* disable some new protocols and dependencies
* remove curl-ios.patch.1 as the code no longer exists upstream
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119313
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 946f457c885bd10ff1a7281c351f3981f035f5a7)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119262
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
(cherry picked from commit 020eb3b363a5c9444c97075a2e15b63ccbe7bf2d)
Change-Id: I12d5f87f4d503a5f9859226a05cfe2a07e46d993
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119427
Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index e029f3f32026..a892a59452e3 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -2775,7 +2775,7 @@ $(call gb_LinkTarget_set_include,$(1),\
ifeq ($(COM),MSC)
$(call gb_LinkTarget_add_libs,$(1),\
- $(call gb_UnpackedTarball_get_dir,curl)/builds/libcurl-vc12-$(if
$(filter X86_64,$(CPUNAME)),x64,x86)-$(if
$(MSVC_USE_DEBUG_RUNTIME),debug,release)-dll-ipv6-sspi-winssl/lib/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).lib \
+ $(call gb_UnpackedTarball_get_dir,curl)/builds/libcurl-vc12-$(if
$(filter X86_64,$(CPUNAME)),x64,x86)-$(if
$(MSVC_USE_DEBUG_RUNTIME),debug,release)-dll-ipv6-sspi-schannel/lib/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).lib \
)
else
$(call gb_LinkTarget_add_libs,$(1),\
diff --git a/download.lst b/download.lst
index 6e5b355beabc..b4f7df8d263c 100644
--- a/download.lst
+++ b/download.lst
@@ -29,8 +29,8 @@ export CPPUNIT_SHA256SUM :=
3d569869d27b48860210c758c4f313082103a5e58219a7669b52
export CPPUNIT_TARBALL := cppunit-1.14.0.tar.gz
export CT2N_SHA256SUM :=
71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3
export CT2N_TARBALL :=
1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt
-export CURL_SHA256SUM :=
cdf18794393d8bead915312708a9e5d819c6e9919de14b20d5c8e7987abd9772
-export CURL_TARBALL := curl-7.71.0.tar.xz
+export CURL_SHA256SUM :=
be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5
+export CURL_TARBALL := curl-7.78.0.tar.xz
export EBOOK_SHA256SUM :=
7e8d8ff34f27831aca3bc6f9cc532c2f90d2057c778963b884ff3d1e34dfe1f9
export EBOOK_TARBALL := libe-book-0.1.3.tar.xz
export EPOXY_SHA256SUM :=
1d8668b0a259c709899e1c4bab62d756d9002d546ce4f59c9665e2fc5f001a64
diff --git a/external/curl/ExternalPackage_curl.mk
b/external/curl/ExternalPackage_curl.mk
index 8da569e3e0cf..1fb360c85ca9 100644
--- a/external/curl/ExternalPackage_curl.mk
+++ b/external/curl/ExternalPackage_curl.mk
@@ -14,13 +14,13 @@ $(eval $(call
gb_ExternalPackage_use_external_project,curl,curl))
ifneq ($(DISABLE_DYNLOADING),TRUE)
ifeq ($(COM),MSC)
-$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).dll,builds/libcurl-vc12-$(if $(filter
X86_64,$(CPUNAME)),x64,x86)-$(if
$(MSVC_USE_DEBUG_RUNTIME),debug,release)-dll-ipv6-sspi-winssl/bin/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).dll))
+$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).dll,builds/libcurl-vc12-$(if $(filter
X86_64,$(CPUNAME)),x64,x86)-$(if
$(MSVC_USE_DEBUG_RUNTIME),debug,release)-dll-ipv6-sspi-schannel/bin/libcurl$(if
$(MSVC_USE_DEBUG_RUNTIME),_debug).dll))
else ifeq ($(OS),MACOSX)
$(eval $(call
gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.4.dylib,lib/.libs/libcurl.4.dylib))
else ifeq ($(OS),AIX)
$(eval $(call
gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so,lib/.libs/libcurl.so.4))
else
-$(eval $(call
gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.6.0))
+$(eval $(call
gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.7.0))
endif
endif # $(DISABLE_DYNLOADING)
diff --git a/external/curl/ExternalProject_curl.mk
b/external/curl/ExternalProject_curl.mk
index ebcb6068b7c1..81886b36fbc5 100644
--- a/external/curl/ExternalProject_curl.mk
+++ b/external/curl/ExternalProject_curl.mk
@@ -35,13 +35,13 @@ ifeq ($(SYSTEM_NSS),)
curl_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss
endif
-# use --with-darwinssl on Mac OS X >10.5 and iOS to get a native UI for SSL
certs for CMIS usage
+# use --with-secure-transport on Mac OS X >10.5 and iOS to get a native UI for
SSL certs for CMIS usage
# use --with-nss only on platforms other than Mac OS X and iOS
$(call gb_ExternalProject_get_state_target,curl,build):
$(call gb_ExternalProject_run,build,\
./configure \
$(if $(filter IOS MACOSX,$(OS)),\
- --with-darwinssl,\
+ --with-secure-transport,\
$(if $(ENABLE_NSS),--with-nss$(if
$(SYSTEM_NSS),,="$(call
gb_UnpackedTarball_get_dir,nss)/dist/out"),--without-nss)) \
--without-ssl --without-gnutls --without-polarssl
--without-cyassl --without-axtls --without-mbedtls \
--enable-ftp --enable-http --enable-ipv6 \
@@ -49,7 +49,8 @@ $(call gb_ExternalProject_get_state_target,curl,build):
--without-libssh2 --without-metalink --without-nghttp2 \
--without-libssh --without-brotli \
--without-ngtcp2 --without-quiche \
- --disable-ares \
+ --without-zstd --without-hyper --without-gsasl
--without-gssapi \
+ --disable-mqtt --disable-ares \
--disable-dict --disable-file --disable-gopher
--disable-imap \
--disable-ldap --disable-ldaps --disable-manual
--disable-pop3 \
--disable-rtsp --disable-smb --disable-smtp
--disable-telnet \
diff --git a/external/curl/curl-7.26.0_win-proxy.patch
b/external/curl/curl-7.26.0_win-proxy.patch
index 5361433a917b..5bb98fa04741 100644
--- a/external/curl/curl-7.26.0_win-proxy.patch
+++ b/external/curl/curl-7.26.0_win-proxy.patch
@@ -114,7 +114,7 @@
@@ -4663,6 +4739,7 @@
}
if(proxy)
- infof(conn->data, "Uses proxy env variable %s == '%s'\n", envp, proxy);
+ infof(data, "Uses proxy env variable %s == '%s'", envp, proxy);
+#endif /* WIN32 */
return proxy;
diff --git a/external/curl/curl-msvc-disable-protocols.patch.1
b/external/curl/curl-msvc-disable-protocols.patch.1
index c8747a5fcc1d..a6d06c69b004 100644
--- a/external/curl/curl-msvc-disable-protocols.patch.1
+++ b/external/curl/curl-msvc-disable-protocols.patch.1
@@ -2,18 +2,19 @@ disable protocols nobody needs in MSVC build
--- curl/lib/config-win32.h.orig 2017-08-09 16:43:29.464000000 +0200
+++ curl/lib/config-win32.h 2017-08-09 16:47:38.549200000 +0200
-@@ -733,4 +733,19 @@
+@@ -733,4 +733,20 @@
# define ENABLE_IPV6 1
#endif
+#define CURL_DISABLE_DICT 1
+#define CURL_DISABLE_FILE 1
-+//#undef CURL_DISABLE_FTP
++#undef CURL_DISABLE_FTP
+#define CURL_DISABLE_GOPHER 1
-+//#undef CURL_DISABLE_HTTP
++#undef CURL_DISABLE_HTTP
+#define CURL_DISABLE_IMAP 1
+#define CURL_DISABLE_LDAP 1
+#define CURL_DISABLE_LDAPS 1
++#define CURL_DISABLE_MQTT 1
+#define CURL_DISABLE_POP3 1
+#define CURL_DISABLE_RTSP 1
+#define CURL_DISABLE_SMB 1
diff --git a/external/curl/zlib.patch.0 b/external/curl/zlib.patch.0
index 189e820d1afa..f4a0ad4b152f 100644
--- a/external/curl/zlib.patch.0
+++ b/external/curl/zlib.patch.0
@@ -54,8 +54,8 @@
clean_LIBS=$LIBS
-ZLIB_LIBS=""
AC_ARG_WITH(zlib,
- AC_HELP_STRING([--with-zlib=PATH],[search for zlib in PATH])
- AC_HELP_STRING([--without-zlib],[disable use of zlib]),
+ AS_HELP_STRING([--with-zlib=PATH],[search for zlib in PATH])
+ AS_HELP_STRING([--without-zlib],[disable use of zlib]),
[OPT_ZLIB="$withval"])
if test "$OPT_ZLIB" = "no" ; then
commit 381b44d6b48e5d2c87d5193700985a5dff597586
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue May 25 10:44:13 2021 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Thu Sep 9 11:08:30 2021 +0200
upgrade to Expat 2.4.1
drop ubsan patch in favour of fix applied as
https://github.com/libexpat/libexpat/pull/398
Change-Id: I59eb9e24206b9a4cf323b7f7d48d8df0792a1c46
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/116102
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 740d12d8a8294d4bfd28e6c3e4cf1e0ed560b198)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119426
Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
diff --git a/download.lst b/download.lst
index d9a675fabe21..6e5b355beabc 100644
--- a/download.lst
+++ b/download.lst
@@ -42,8 +42,8 @@ export EPUBGEN_TARBALL := libepubgen-0.1.1.tar.xz
export ETONYEK_SHA256SUM :=
9dc92347aee0cc9ed57b175a3e21f9d96ebe55d30fecb10e841d1050794ed82d
export ETONYEK_VERSION_MICRO := 8
export ETONYEK_TARBALL := libetonyek-0.1.$(ETONYEK_VERSION_MICRO).tar.xz
-export EXPAT_SHA256SUM :=
9a130948b05a82da34e4171d5f5ae5d321d9630277af02c8fa51e431f6475102
-export EXPAT_TARBALL := expat-2.2.8.tar.bz2
+export EXPAT_SHA256SUM :=
2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40
+export EXPAT_TARBALL := expat-2.4.1.tar.bz2
export FIREBIRD_SHA256SUM :=
6994be3555e23226630c587444be19d309b25b0fcf1f87df3b4e3f88943e5860
export FIREBIRD_TARBALL := Firebird-3.0.0.32483-0.tar.bz2
export FONTCONFIG_SHA256SUM :=
cf0c30807d08f6a28ab46c61b8dbd55c97d2f292cf88f3a07d3384687f31f017
diff --git a/external/expat/expat-winapi.patch
b/external/expat/expat-winapi.patch
index b33c12b83b4c..bd4da1472fc8 100644
--- a/external/expat/expat-winapi.patch
+++ b/external/expat/expat-winapi.patch
@@ -11,3 +11,17 @@
# endif
#endif /* not defined XML_STATIC */
+--- misc/expat-2.1.0/lib/xmlparse.c 2021-05-23 16:56:25.000000000 +0100
++++ misc/build/expat-2.1.0/lib/xmlparse.c 2021-05-25 12:42:11.997173600
+0100
+@@ -92,6 +92,11 @@
+
+ #include <expat_config.h>
+
++#ifdef _WIN32
++# undef HAVE_GETRANDOM
++# undef HAVE_SYSCALL_GETRANDOM
++#endif
++
+ #include "ascii.h"
+ #include "expat.h"
+ #include "siphash.h"
commit 5c610837cba7589600c9fe817ccaf4e6bab9374e
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri May 21 13:33:26 2021 +0200
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Thu Sep 9 11:08:15 2021 +0200
libxml2: upgrade to release 2.9.12
Fixes:
CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3537 CVE-2021-3541
* external/libxml2/ubsan.patch.0: remove, fixed upstream
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115913
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit bf0c6a98ae38cd2188d7f7e94f1563e5ce6a8ce4)
Change-Id: I347dc854b862e78bde87d3e57cf5fdb584ca5673
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115935
Tested-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/download.lst b/download.lst
index 175d1400c8ef..d9a675fabe21 100644
--- a/download.lst
+++ b/download.lst
@@ -154,8 +154,8 @@ export LIBTOMMATH_SHA256SUM :=
083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304
export LIBTOMMATH_TARBALL := ltm-1.0.zip
export XMLSEC_SHA256SUM :=
967ca83edf25ccb5b48a3c4a09ad3405a63365576503bf34290a42de1b92fcd2
export XMLSEC_TARBALL := xmlsec1-1.2.25.tar.gz
-export LIBXML_SHA256SUM :=
aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f
-export LIBXML_VERSION_MICRO := 10
+export LIBXML_SHA256SUM :=
c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92
+export LIBXML_VERSION_MICRO := 12
export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.gz
export LIBXSLT_SHA256SUM :=
98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f
export LIBXSLT_VERSION_MICRO := 34
diff --git a/external/libxml2/libxml2-config.patch.1
b/external/libxml2/libxml2-config.patch.1
index 8c28fb6a7806..5a2ef1485e92 100644
--- a/external/libxml2/libxml2-config.patch.1
+++ b/external/libxml2/libxml2-config.patch.1
@@ -18,9 +18,9 @@ Hack the xml2-config to return paths into WORKDIR.
+exec_prefix=${WORKDIR}/UnpackedTarball/libxml2
+includedir=${WORKDIR}/UnpackedTarball/libxml2/include
+libdir=${WORKDIR}/UnpackedTarball/libxml2/.libs
+ cflags=
+ libs=
- usage()
- {
@@ -67,7 +72,8 @@
;;
diff --git a/external/libxml2/libxml2-global-symbols.patch
b/external/libxml2/libxml2-global-symbols.patch
index 49ee73731562..cfec9c530281 100644
--- a/external/libxml2/libxml2-global-symbols.patch
+++ b/external/libxml2/libxml2-global-symbols.patch
@@ -14,8 +14,8 @@
LIBXML2_2.6.32 {
@@ -2231,3 +2231,43 @@
- xmlHashDefaultDeallocator;
- } LIBXML2_2.9.1;
+ xmlPopOutputCallbacks;
+ } LIBXML2_2.9.8;
+# HACK: export global variable accessor functions (globals.h)
+LIBXML2_GLOBAL_VARIABLES {
