| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fixes CVE-2019-5435. It looks like this is not a problem on 32-bit
Windows because fortunately we don't use /LARGEADDRESSAWARE flag
to set IMAGE_FILE_LARGE_ADDRESS_AWARE... but on 32-bit Linux
the user-space VM is 3GB so an exploit might be possible.
Apparently there's no code in LO that uses the CURLU_URLENCODE flag.
The other one, CVE-2019-5436, doesn't matter because we disable tftp.
Change-Id: I0d4f087befa5a3c4fb21ec36761dad68932425d9
Reviewed-on: https://gerrit.libreoffice.org/72732
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Change-Id: Ie4c42943445813c7c50bf06cb710cedf2a61f3a9
Reviewed-on: https://gerrit.libreoffice.org/72619
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
https://github.com/anholt/libepoxy/issues/180 sounds very similar and
1.5.3 apparently fixes that
Change-Id: I009f5bc82f9e8326a7028ed29d86733cce649d15
Reviewed-on: https://gerrit.libreoffice.org/71733
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
|
|
Fixes CVE-2019-7317.
Change-Id: I3374f5cbd6552e2c1569d63ee680d0c1d9389621
Reviewed-on: https://gerrit.libreoffice.org/71663
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Meant to fix the build problems reported in the mail thread starting at
<https://lists.freedesktop.org/archives/libreoffice/2019-March/082340.html>
"Build failure with latest ICU 64.1".
Change-Id: I006b92f4737f5e56e50527dd954e8c0d339e75dc
Reviewed-on: https://gerrit.libreoffice.org/71143
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
Change-Id: I496204ead6c495c4fee2cee18a5b9d0fd22eb8c0
Reviewed-on: https://gerrit.libreoffice.org/70951
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: I4713b15061e831e1dfeccf8d59e46c0aa2ac4a18
Reviewed-on: https://gerrit.libreoffice.org/70351
Reviewed-by: Eike Rathke <erack@redhat.com>
Tested-by: Jenkins
|
|
Fixes CVE-2019-9636 CVE-2019-5010 CVE-2018-14647
Change-Id: If0a115960aed1ee90b63e6716c844669f0ec91e5
Reviewed-on: https://gerrit.libreoffice.org/70182
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Change-Id: Iaaac797812b2addd1e5693dbb4338fc1c506a26d
Reviewed-on: https://gerrit.libreoffice.org/69134
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
Fixes CVE-2019-7310.
Add patch to fix CVE-2019-9200 too.
CVE-2018-20662 looks irrelevant because we don't build pdfunite tool.
Change-Id: I5e7ddabbb341f6bfefb376d552b50c4006f41906
Reviewed-on: https://gerrit.libreoffice.org/69094
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
As a side-effect, this gets rid of some Clang
-fsanitize=implicit-signed-integer-truncation warnings.
The various external/harfbuzz/*.patch no longer applied and appear not to be
necessary any more. (But a new external/harfbuzz/msvc.patch became necessary.)
<https://dev-www.libreoffice.org/src/harfbuzz-2.3.1.tar.bz2> was downloaded from
<https://www.freedesktop.org/software/harfbuzz/release/harfbuzz-2.3.1.tar.bz2>,
and HARFBUZZ_SHA256SUM in download.lst matches <https://www.freedesktop.org/
software/harfbuzz/release/harfbuzz-2.3.1.tar.bz2.sha256>.
Change-Id: Ic85acd14b4f488b3d88ce1bafc93be271928006e
Reviewed-on: https://gerrit.libreoffice.org/68731
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
|
Fixes CVE-2019-1559, plus a couple low-severity CVEs.
Change-Id: Icb6849ca5f33cb1169ce303505b2e32636e3b25b
Reviewed-on: https://gerrit.libreoffice.org/68430
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Apple can't afford the costly GPG licenses to sign releases apparently,
but the sha256 matches some OpenWRT and FreshPorts repos...
Fixes CVE-2015-7988.
Removing windows build patches, fixed upstream (except for the last hunk
of the SOCKET patch, but that is in code that is only used on MacOSX).
Change-Id: I9fdba5929badb75f995c66da0850d188780e7beb
Reviewed-on: https://gerrit.libreoffice.org/68092
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Fixes CVE-2017-15232, which looks rather minor.
Change-Id: Icffb0c5160bef79577431a02eb10ed9492e01d11
Reviewed-on: https://gerrit.libreoffice.org/68091
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
This fixes some minor CVEs.
Not including the fix for CVE-2018-18064, which does not affect LO
because we use the default implementation of FT_Memory which uses
free/malloc.
Change-Id: Ic047ed52cff3fdeba068f1b8d303c6c96c69addd
Reviewed-on: https://gerrit.libreoffice.org/68088
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Fixes CVE-2018-6942.
Remove freetype-msvc-disable-sse2.patch.1 (doesn't apply and freetype is
only used on Android).
Change-Id: Ia89329f758a077c1493cdea45f99e5f58d1ef265
Reviewed-on: https://gerrit.libreoffice.org/68087
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
Tested-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
fixes CVE-2018-16890 and CVE-2019-3822
Change-Id: I4c0021a5002590659cbfbdf642a7704a05309bf2
Reviewed-on: https://gerrit.libreoffice.org/67444
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
...from <https://github.com/ivmai/libatomic_ops/wiki/Download>. (The md5sum
given there is 99128f05e3e3f4e0cd39aa23f23bbe0c.)
The old version of external/libatomic_ops failed to build at least when building
a Flatpak for aarch64, see
<https://flathub.org/builds/#/builders/39/builds/702/steps/5/logs/stdio>:
[...]
> Making all in src
> Making all in atomic_ops
> Making all in sysdeps
> In file included from atomic_ops_stack.h:32,
> from atomic_ops_malloc.c:20:
> atomic_ops.h:343:4: error: #error Cannot implement AO_compare_and_swap_full on this architecture.
> # error Cannot implement AO_compare_and_swap_full on this architecture.
> ^~~~~
> atomic_ops.c:97:1: error: unknown type name ‘AO_TS_t’; did you mean ‘AO_TS_T’?
> AO_TS_t AO_locks[AO_HASH_SIZE] = {
> ^~~~~~~
> AO_TS_T
[...]
(cf. <https://github.com/flathub/org.libreoffice.LibreOffice/pull/67/commits/
48b22dbabc06f1822df74f755096cf0ea5ba2499> "Upgrade libatomic_ops to latest
libatomic_ops-7.6.8.tar.gz")
Change-Id: Icc040cc47f45f71577995a2ff9c63df97150bdea
Reviewed-on: https://gerrit.libreoffice.org/66983
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
|
Change-Id: I6cdfc50b2385c426e20ce0e9b216b18c763249b8
Reviewed-on: https://gerrit.libreoffice.org/66506
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
|
|
... at least, that's the plan - this is harder than it appears, as the
upstream maintainer appears to have released version 2.9 at least 3
times:
- Fedora has a file evidently downloaded before Nov. 17 with SHA512 of e30ad5a9a1ab9e7aaace9431434caa19a5ff6143db46644aba971a5ee37a265b26bf738e886d766405a7eb45a9d620d67c7ab3684ace86a107cf5a76642c04a5
- Gentoo has a file evidently downloaded before Nov. 19 with SHA256 of d4ad6f8718f7f9dc8b2a3276c9f237aa3f5eccdcf98b86dedc4262d8a1e7f009
- Debian has a file evidently downloaded before Dec. 17 with SHA256 of 48c6fdf98396fa245ed86e622028caf49b96fa22f3e5734f853f806fbc8e7d20
The lcms2-2.9.tar.gz available from sourceforge currently matches the
one Debian has, so let's use it.
* 0017-Upgrade-Visual-studio-2017-15.8.patch added (fixing CVE-2018-16435)
* 0001-Added-an-extra-check-to-MLU-bounds.patch.1 removed (fixed upstream)
Change-Id: Iab8dada8f6d77d5b2da8560993380b3332bc02f6
Reviewed-on: https://gerrit.libreoffice.org/66400
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Change-Id: Ie4f0cc8f06432e182ce7ffcae5269075d12658ef
Reviewed-on: https://gerrit.libreoffice.org/66408
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
fixes CVE-2018-16840
Change-Id: Ica995a28a71eb5d5277d045d57fee9ba0f88883f
Reviewed-on: https://gerrit.libreoffice.org/66328
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Change-Id: Ifc64dae74df341e107857e43223ead04b9c1061e
Reviewed-on: https://gerrit.libreoffice.org/66309
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
* fixes CVE-2018-14404
* drop one hunk from libxml2-android.patch that was added in commit
6a17d2f2ba7acfec277314b97b50e41532d6b44d; presumably nan() exists now
given that other code is calling it.
Change-Id: I696cc4e1da55536ea1c89a6e0446ce5bc8398ba4
Reviewed-on: https://gerrit.libreoffice.org/66308
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
Change-Id: If20998f8565b5534a96b3f29ccec572273edca1d
Reviewed-on: https://gerrit.libreoffice.org/66306
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
|
|
<https://dev-www.libreoffice.org/src/boost_1_69_0.tar.bz2> is a copy of
<https://dl.bintray.com/boostorg/release/1.69.0/source/boost_1_69_0.tar.bz2>,
SHA256 hash as given at <https://www.boost.org/users/download/>.
* removed from external/boost/include/boost/ those files that are no longer
present in workdir/UnpackedTarball/boost/boost/
* the shrunk external/boost/rtti.patch.0 can probably be removed completely in a
follow-up commit
* the patch to libs/filesystem/src/operations.cpp in
external/boost/boost-android-unified.patch.1 no longer applied, and appears to
be no longer necessary anyway (seeing a working build without it of
--with-distro=LibreOfficeAndroid and NDK r16b); but with the non-standard
Clang 5.0.300080 from NDK r16b, the build now caused failures like
> workdir/UnpackedTarball/boost/boost/type_traits/detail/is_function_cxx_11.hpp:36:11: error: class template partial specialization contains a template parameter that cannot be deduced; this partial specialization will never be used [-Wunusable-partial-specialization]
> struct is_function<Ret BOOST_TT_DEF_CALL(Args...)BOOST_TT_NOEXCEPT_DECL> : public true_type {};
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> workdir/UnpackedTarball/boost/boost/type_traits/detail/is_function_cxx_11.hpp:35:38: note: non-deducible template parameter 'NE'
> template <class Ret, class...Args BOOST_TT_NOEXCEPT_PARAM>
> ^
> workdir/UnpackedTarball/boost/boost/type_traits/detail/is_function_cxx_11.hpp:22:40: note: expanded from macro 'BOOST_TT_NOEXCEPT_PARAM'
> #define BOOST_TT_NOEXCEPT_PARAM , bool NE
> ^
showing that that version of Clang has the same problem handling noexcept(b)
as a deduced template parameter as MSVC has, as already supported by the code
* new external/boost/sse.patch.0 needed on Windows x86 to silence errors like
> C:\cygwin\home\tdf\lode\jenkins\workspace\gerrit_windows\workdir\UnpackedTarball\boost\boost/type_traits/detail/is_function_cxx_11.hpp(111): error C2215: '__vectorcall' cannot be used with '/arch:SSE'
(<https://ci.libreoffice.org/job/gerrit_windows/26117/>); according to
<https://docs.microsoft.com/en-us/cpp/preprocessor/predefined-macros
?view=vs-2017>: "_M_IX86_FP Defined as an integer literal value that indicates
the /arch compiler option that was set, or the default. This macro is always
defined when the compilation target is an x86 processor. Otherwise, undefined.
When defined, the value is: [...] 1 if the /arch:SSE compiler option was set."
and we specify /arch:SSE explicitly for Windows x86 since
8bd6bf93b7711a7ac7c5cbd7c3bb980481570ebd "fdo#82430: configure: MSVC build:
avoid using SSE2 instructions"
* boost::logic::tribool conversion operator to bool is explicit now
Change-Id: Iea49560d734f545539f062dce46740fbf812dd84
Reviewed-on: https://gerrit.libreoffice.org/66189
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Tested-by: Stephan Bergmann <sbergman@redhat.com>
|
|
Change-Id: Iac2c3f75eda07b7381e57dba389c9836ab26502f
Reviewed-on: https://gerrit.libreoffice.org/65781
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: Idda6c0ce0c087a3be2e7fe31999a7d5a6fde4835
Reviewed-on: https://gerrit.libreoffice.org/65725
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: I01454cc35baf96743bd19e64dd3a7269c58621bf
Reviewed-on: https://gerrit.libreoffice.org/65715
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: I68e3791f50b95956bfe6aae743978994a5f232b4
Reviewed-on: https://gerrit.libreoffice.org/65714
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: Ib29e1a622e25731731512a695443ac2c530d30c2
Reviewed-on: https://gerrit.libreoffice.org/65701
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: I0a7e888af770a332e2fec057507eecebf83621c4
Reviewed-on: https://gerrit.libreoffice.org/65646
Tested-by: Jenkins
Reviewed-by: David Tardon <dtardon@redhat.com>
|
|
Change-Id: I6ceb5b2d6834de5760d7fedd52801f042f827a85
Reviewed-on: https://gerrit.libreoffice.org/65472
Tested-by: Jenkins
Reviewed-by: Martin Hosken <martin_hosken@sil.org>
|
|
Liberation updated from 2.00.1 to 2.00.4 and
Liberation-Narrow from 1.07.4 to 1.07.6
Change-Id: I295f82d5b8230cdf8b3347491dd71c8689636d94
Reviewed-on: https://gerrit.libreoffice.org/65273
Tested-by: Jenkins
Reviewed-by: Heiko Tietze <tietze.heiko@gmail.com>
|
|
Martin Hosken thinks all patches are redundant now, so drop them.
Change-Id: I062168416a1289b7f4dd42d8ae58b7df56a37712
Reviewed-on: https://gerrit.libreoffice.org/65074
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
...which is the latest 9.2.x currently listed at
<https://www.postgresql.org/ftp/source/>. 9.2.1 doesn't build against
OpenSSL 1.1 which dropped SSL_library_init (cf. <https://wiki.openssl.org/
index.php/Library_Initialization#libssl_Initialization>), and 9.2.24 apparently
has that covered. (Ran into this when trying to upgrade the LibreOffice flatpak
build to org.freedesktop.Sdk//18.08, which has OpenSSL 1.1.)
On Windows, the new tarball as-is fails with
> ..\..\port\chklocale.c(214): error C2037: left of 'lc_codepage' specifies undefined struct/union '__crt_locale_data'
because at least in Windows Kits/10/Include/10.0.17763.0/ucrt/corecrt.h
(included from Windows Kits/10/Include/10.0.17763.0/ucrt/locale.h), the relevant
definitions are now
> typedef struct __crt_locale_data_public
> {
> unsigned short const* _locale_pctype;
> _Field_range_(1, 2) int _locale_mb_cur_max;
> unsigned int _locale_lc_codepage;
> } __crt_locale_data_public;
>
> typedef struct __crt_locale_pointers
> {
> struct __crt_locale_data* locinfo;
> struct __crt_multibyte_data* mbcinfo;
> } __crt_locale_pointers;
>
> typedef __crt_locale_pointers* _locale_t;
which presumably has changed from a past state where that lc_codepage member was
directly publicly accessible.
<https://dev-www.libreoffice.org/src/postgresql-9.2.24.tar.bz2> is a copy of
<https://ftp.postgresql.org/pub/source/v9.2.24/postgresql-9.2.24.tar.bz2>;
`sha256sum postgresql-9.2.24.tar.bz2` reports the same
a754c02f7051c2f21e52f8669a421b50485afcde9a581674d6106326b189d126 as recorded in
<https://ftp.postgresql.org/pub/source/v9.2.24/postgresql-9.2.24.tar.bz2.sha256>
Change-Id: I196dd93aa03471042efba57ea639e1bb6655de98
Reviewed-on: https://gerrit.libreoffice.org/64730
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
|
|
Change-Id: I99bd67f45796eb85635543a5e4563bb7477cf63e
Reviewed-on: https://gerrit.libreoffice.org/63547
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins
|
|
Change-Id: Ia8d1f4831e651b3a8d5115f78e5a5239b56c71c4
Reviewed-on: https://gerrit.libreoffice.org/63015
Tested-by: Jenkins
Reviewed-by: László Németh <nemeth@numbertext.org>
|
|
Change-Id: I26f06c230533ed72c2b60ce5c9230bbd0a0db2e4
Reviewed-on: https://gerrit.libreoffice.org/62679
Tested-by: Jenkins
Reviewed-by: Kohei Yoshida <libreoffice@kohei.us>
|
|
Allows dropping 3 upstreamed patches.
Change-Id: I0dd739817b507eb5993ad18e8c4a128e0be7254a
Reviewed-on: https://gerrit.libreoffice.org/62526
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Change-Id: I3b73fca39f51809f608dd78865c2566357a7b8a1
Reviewed-on: https://gerrit.libreoffice.org/62034
Tested-by: Jenkins
Reviewed-by: Eike Rathke <erack@redhat.com>
|
|
with Estonian support and language fixes. Extend offapi also with
the missing Albanian, Galician, Norwegian, (Bokmål, Nynorsk) and
Ukrainian.
Change-Id: Icf471ade0b9d3f3989469bb33cfb323dcc474106
Reviewed-on: https://gerrit.libreoffice.org/61590
Tested-by: Jenkins
Reviewed-by: László Németh <nemeth@numbertext.org>
|
|
Change-Id: I345d2655c1999ab319b92c6e8719c0eb9572000b
Reviewed-on: https://gerrit.libreoffice.org/60731
Tested-by: Jenkins
Reviewed-by: Kohei Yoshida <libreoffice@kohei.us>
|
|
Allows dropping all the backports, so only one custom API patch remains.
Change-Id: I13dc4f62be86d0859862cbd95bb14e07bbcf53d6
Reviewed-on: https://gerrit.libreoffice.org/60697
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
|
|
Change-Id: I68da1496a6fbbea7cde24c35d97db6c3bde2c118
Reviewed-on: https://gerrit.libreoffice.org/60652
Tested-by: Jenkins
Reviewed-by: Kohei Yoshida <libreoffice@kohei.us>
|
|
Change-Id: I4590f5f705dd08c63a1532ce5afa94a3af953f24
Reviewed-on: https://gerrit.libreoffice.org/60042
Tested-by: Jenkins
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
|
|
Change-Id: Ifacf5dce39d830838b3cf57df760a04df97ade4b
Reviewed-on: https://gerrit.libreoffice.org/59926
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
|
|
Change-Id: Iaaa83fc4146c2b91b1d1f1942882ab1e664f998b
Reviewed-on: https://gerrit.libreoffice.org/59925
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
|
|
Source Serif added
Change-Id: Ibbdbd2556852e7c4e19357d332990646aec7a43d
Reviewed-on: https://gerrit.libreoffice.org/59498
Tested-by: Jenkins
Reviewed-by: Heiko Tietze <tietze.heiko@gmail.com>
|
|
And make all necessary adjustments for the new version of orcus.
Change-Id: I0dc207162a3ddfaad6da198a3d13b65f530757d5
Reviewed-on: https://gerrit.libreoffice.org/59884
Tested-by: Jenkins
Reviewed-by: Kohei Yoshida <libreoffice@kohei.us>
|
