Apache OpenOffice (AOO) Bugzilla – Issue 127069
bundled expat version 2.1.0 has two vulnerabilities
Last modified: 2017-07-04 21:32:53 UTC
Created attachment 85634
patch to upgrade bundled expat to version 2.2.0

The version of expat (2.1.0) bundled with OpenOffice has two vulnerabilities that are fixed in version 2.2.0:

CVE-2016-5300
CVE-2012-6702

It is not known whether these can be exploited when expat is used as part of OpenOffice.

The attached patch upgrades the bundled version of expat to 2.2.0. One patch is needed to the expat source, without which saxparser crashes during the build. It has been submitted upstream, see <https://sourceforge.net/p/expat/bugs/539/>. It is only triggered when building expat with -DXML_UNICODE which is not the default, but this flag is used when building the bundled expat.

This version of expat has been used with the FreeBSD port that uses --with-system-expat. This patch has been build tested on FreeBSD in bundled mode. This patch has also been build and run tested on Windows 7.
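A way to audit which expat version a source tree actually bundles, as an added example (not part of this issue or of OpenOffice's build): it reads the XML_MAJOR_VERSION, XML_MINOR_VERSION and XML_MICRO_VERSION macros from the text of expat.h and lists which of the two CVEs named above are unfixed. The header excerpts are constructed, the function names are hypothetical, and treating every version below 2.2.0 as affected is an assumption.

```python
import re

# From the issue text: both CVEs are fixed in expat 2.2.0.
# Assumption: any bundled version below the fixed version is treated as affected.
FIXED_IN = {"CVE-2016-5300": (2, 2, 0), "CVE-2012-6702": (2, 2, 0)}

# Matches "#define XML_MAJOR_VERSION 2" (also "#  define"), but not a
# definition that sits inside a /* ... */ comment on the same line.
_MACRO = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)\b", re.M
)


def expat_header_version(header_text):
    """Return (major, minor, micro) from expat.h text, or None if incomplete."""
    found = {name: int(num) for name, num in _MACRO.findall(header_text)}
    try:
        return (found["MAJOR"], found["MINOR"], found["MICRO"])
    except KeyError:
        return None


def unfixed_cves(header_text):
    """List the CVEs from the issue that the bundled version does not fix."""
    version = expat_header_version(header_text)
    if version is None:
        # Fail closed: an unreadable header must not pass as "patched".
        raise ValueError("expat version macros not found; cannot assess")
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


# Constructed excerpts in the style of expat.h (not copied from a release).
HEADER_2_1_0 = """\
/* #define XML_MAJOR_VERSION 9 */
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 0
"""
HEADER_2_2_0 = HEADER_2_1_0.replace("MINOR_VERSION 1", "MINOR_VERSION 2")

if __name__ == "__main__":
    for label, text in (("old", HEADER_2_1_0), ("new", HEADER_2_2_0)):
        print(label, expat_header_version(text), unfixed_cves(text))
```

In a real tree, pass the contents of the bundled expat.h (after unpacking the tarball the build uses) instead of the constructed strings.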
Is the patch supposed to be applied to trunk? It seems it is relying on an existing main/expat/expat-2.2.0.patch file to be there, which is not there currently at http://svn.apache.org/viewvc/openoffice/trunk/main/expat/
(In reply to Andrea Pescetti from comment #1)
> Is the patch supposed to be applied to trunk? It seems it is relying on an
> existing main/expat/expat-2.2.0.patch file to be there, which is not there
> currently at http://svn.apache.org/viewvc/openoffice/trunk/main/expat/

Yes, it should be applied to trunk. In order to preserve history, I did:

  svn cp main/expat/expat-2.1.0 main/expat/expat-2.2.0

before making the necessary changes to the latter. It seems that the patch that I then created with svn diff assumes that the svn cp has already been done. If you do that, then the patch should apply properly. Seems kind of bogus to me, though ...

BTW, I was able to finally build and run test this on CentOS 7 and Ubuntu 12.
Created attachment 85635
patch to upgrade bundled expat to version 2.2.0 (--show-copies-as-adds)

Regenerate patch with --show-copies-as-adds.
Built fine on Linux64 (current trunk + latest version of patch, with the file copy included).
Good for me as well on Linux-32. So fine to commit at this point.
"truckman" committed SVN revision 1755873 into trunk: #i127069#: bundled expat version 2.1.0 has two vulnerabilities
Patch committed.
For the record: trunk is now updated to 2.2.1, see https://bz.apache.org/ooo/show_bug.cgi?id=127461 and a request to upgrade to 2.2.1 in the AOO414 branch for OpenOffice 4.1.4 has been sent to the dev list.