Issue 127069 - bundled expat version 2.1.0 has two vulnerabilities
Summary: bundled expat version 2.1.0 has two vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Build Tools
Classification: Code
Component: external prerequisites
Version: 4.2.0-dev
Hardware: All All
Importance: P5 (lowest) Normal
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-05 22:39 UTC by Don Lewis
Modified: 2017-07-04 21:32 UTC

See Also:
Issue Type: PATCH
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
patch to upgrade bundled expat to version 2.2.0 (8.59 KB, patch)
2016-08-05 22:39 UTC, Don Lewis
patch to upgrade bundled expat to version 2.2.0 (--show-copies-as-adds) (10.66 KB, patch)
2016-08-08 03:24 UTC, Don Lewis

Description Don Lewis 2016-08-05 22:39:57 UTC
Created attachment 85634
patch to upgrade bundled expat to version 2.2.0

The version of expat (2.1.0) bundled with OpenOffice has two vulnerabilities that are fixed in version 2.2.0:
    CVE-2016-5300
    CVE-2012-6702

It is not known whether these can be exploited when expat is used as part of OpenOffice.

The attached patch upgrades the bundled version of expat to 2.2.0.  One patch is needed to the expat source, without which saxparser crashes during the build.  It has been submitted upstream, see <https://sourceforge.net/p/expat/bugs/539/>.  It is only triggered when building expat with -DXML_UNICODE which is not the default, but this flag is used when building the bundled expat.

This version of expat has been used with the FreeBSD port that uses --with-system-expat.  This patch has been build tested on FreeBSD in bundled mode.  This patch has also been build and run tested on Windows 7.
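
An added check, not part of the issue or of the OpenOffice build: it reads the XML_MAJOR_VERSION, XML_MINOR_VERSION and XML_MICRO_VERSION macros from an expat.h and reports whether the declared version is below 2.2.0, the release the description names as fixing both CVEs. The function names and the sample header are constructed for illustration.

```shell
# Added example: flag a bundled expat.h that declares a version below 2.2.0.

# Print "major.minor.micro" from the XML_*_VERSION macros in header $1.
expat_header_version() {
    awk '
        $1 == "#define" && $2 == "XML_MAJOR_VERSION" { ma = $3 }
        $1 == "#define" && $2 == "XML_MINOR_VERSION" { mi = $3 }
        $1 == "#define" && $2 == "XML_MICRO_VERSION" { mc = $3 }
        END {
            v = ma "." mi "." mc
            if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+$/) exit 1
            print v
        }' "$1"
}

# Succeed if dotted version $1 is at least $2 (numeric, per component).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "."); split(want, w, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "ok VER", "outdated VER" or "unknown" for header $1.
check_expat_header() {
    ver=$(expat_header_version "$1" 2>/dev/null) || { echo "unknown"; return 2; }
    if version_at_least "$ver" "2.2.0"; then
        echo "ok $ver"
    else
        echo "outdated $ver"; return 1
    fi
}

# Constructed sample header (only the three version macros) written to $1.
write_sample_header() {
    printf '#define XML_MAJOR_VERSION %s\n#define XML_MINOR_VERSION %s\n' "$2" "$3" > "$1"
    printf '#define XML_MICRO_VERSION %s\n' "$4" >> "$1"
}

# Demo on constructed input; a real run would pass the bundled tree's expat.h.
tmp=$(mktemp -d) && write_sample_header "$tmp/old.h" 2 1 0
check_expat_header "$tmp/old.h" || true
rm -rf "$tmp"
```

The comparison is numeric per component, so a header declaring 2.10.1 is treated as newer than 2.2.0 rather than older.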
Comment 1 Andrea Pescetti 2016-08-07 13:24:07 UTC
Is the patch supposed to be applied to trunk? It seems it is relying on an existing main/expat/expat-2.2.0.patch file to be there, which is not there currently at http://svn.apache.org/viewvc/openoffice/trunk/main/expat/
Comment 2 Don Lewis 2016-08-08 02:54:45 UTC
(In reply to Andrea Pescetti from comment #1)
> Is the patch supposed to be applied to trunk? It seems it is relying on an
> existing main/expat/expat-2.2.0.patch file to be there, which is not there
> currently at http://svn.apache.org/viewvc/openoffice/trunk/main/expat/

Yes, it should be applied to trunk.  In order to preserve history, I did:
  svn cp main/expat/expat-2.1.0 main/expat/expat-2.2.0
before making the necessary changes to the latter.

It seems that the patch that I then created with svn diff assumes that the
svn cp has already been done.  If you do that, then the patch should apply properly.  Seems kind of bogus to me, though ...

BTW, I was able to finally build and run test this on CentOS 7 and Ubuntu 12.
Comment 3 Don Lewis 2016-08-08 03:24:57 UTC
Created attachment 85635
patch to upgrade bundled expat to version 2.2.0 (--show-copies-as-adds)

Regenerate patch with --show-copies-as-adds.
Comment 4 Andrea Pescetti 2016-08-09 17:35:21 UTC
Built fine on Linux64 (current trunk + latest version of patch, with the file copy included).
Comment 5 Kay 2016-08-10 20:18:23 UTC
Good for me as well on Linux-32. So fine to commit at this point.
Comment 6 SVN Robot 2016-08-10 21:29:49 UTC
"truckman" committed SVN revision 1755873 into trunk:
#i127069#: bundled expat version 2.1.0 has two vulnerabilities
Comment 7 Don Lewis 2016-08-10 21:31:30 UTC
Patch committed.
Comment 8 Andrea Pescetti 2017-07-04 21:32:53 UTC
For the record: trunk is now updated to 2.2.1, see https://bz.apache.org/ooo/show_bug.cgi?id=127461 and a request to upgrade to 2.2.1 in the AOO414 branch for OpenOffice 4.1.4 has been sent to the dev list.