openSUSE-SU-2016:0588-1: moderate: Security update for LibreOffice and related libraries
openSUSE Security Update: Security update for LibreOffice and related libraries
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:0588-1
Rating:             moderate
References:         #679938 #829430 #889755 #897903 #900186 #900214
                    #900218 #907636 #910805 #910806 #915996 #916181
                    #926375 #929793 #934423 #936188 #936190 #939996
                    #940838 #943075 #945047 #945692 #951579 #954345
Cross-References:   CVE-2014-3693 CVE-2014-8146 CVE-2014-8147
                    CVE-2014-9093 CVE-2015-4551 CVE-2015-45513
                    CVE-2015-5212 CVE-2015-5213 CVE-2015-5214
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

An update that solves 9 vulnerabilities and has 15 fixes is now available.

Description:

This update for LibreOffice and some library dependencies (cmis-client, libetonyek, libmwaw, libodfgen, libpagemaker, libreoffice-share-linker, mdds, libwps) fixes the following issues:

Changes in libreoffice:
- Provide l10n-pt from pt-PT
- boo#945047 - LO-L3: LO is duplicating master pages, extended fix
- boo#951579 - LO-L3: [LibreOffice] Calc 5.0 fails to open ods files
  * deleted RPATH prevented loading of bundled 3rd party RDF handler libs
- Version update to 5.0.4.2:
  * Final of the 5.0.4 series
- boo#945047 - LO-L3: LO is duplicating master pages
- Version update to 5.0.4.1:
  * rc1 of 5.0.4 with various regression fixes
- boo#954345 - LO-L3: Insert-->Image-->Insert as Link hangs writer
- Version update to 5.0.3.2:
  * Final tag of 5.0.3 release
- Fix boo#939996 - LO-L3: Some bits from DOCX file are not imported
- Fix boo#889755 - LO-L3: PPTX: chart axis number format incorrect
- boo#679938 - LO-L3: saving to doc file the chapter name in the header does not change with chapters
- Version update to 5.0.3RC1 as it should fix i586 test failure
- Update text2number extension to 1.5.0
- obsolete libreoffice-mono
- pentaho-flow-reporting require is conditional on system_libs
- Update icon theme dependencies
  * https://lists.debian.org/debian-openoffice/2015/09/msg00343.html
- Version bump to 5.0.2 final fate#318856 fate#319071 boo#943075 boo#945692:
  * Small tweaks compared to rc1
- For sake of completion this release also contains security fixes for boo#910806 CVE-2014-8147, boo#907636 CVE-2014-9093, boo#934423 CVE-2015-4551, boo#910805 CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190 CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423 CVE-2015-45513
- Use gcc48 to build on sle11sp4
- Make debuginfo's smaller on IBS.
- Fix chrpath call after the libs got -lo suffixing
- Add patch to fix qt4 features detection:
  * kde4filepicker.patch
- Split out gtk3 UI to separate subpkg that requires gnome subpkg
  * This is to allow people to test gtk3 while it not being default
- Version update to 5.0.2 rc1:
  * Various small tweaks and integration of our SLE11 patchsets
- Update constraints to 30 GB on disk
- Version bump to 5.0.1 rc2:
  * breeze icons extension
  * Credits update
  * Various small fixes
- Version bump to 5.0.1 rc1:
  * Various small fixes
  * Has some commits around screen rendering -> could fix kde bugs
- Kill branding-openSUSE, stick to TDF branding.
- Version bump to 5.0 rc5:
  * Bunch of final touchups here and there
- Remove some upstreamed patches:
  * old-cairo.patch
- Add explicit requires over libmysqlclient_r18, should cover boo#829430
- Add patch to build with old cairo (sle11).
- Version bump to 5.0 rc3:
  * Various more fixes closing on the 5.0 release
- Update to 5.0 rc2:
  * Few small fixes and updates in internal libraries
- Version bump to 5.0 rc1, remove obsolete patches:
  * 0001-Fix-could-not-convert-.-const-char-to-const-rtl-OUSt.patch
  * 0001-writerperfect-fix-gcc-4.7-build.patch
- More chrpath love for sle11
- Add python-importlib to build/requirements on py2 distros
- Provide/obsolete crystal icons so they are purged and not left over
- Fix breeze icons handling, drop crystal icons.
- Version bump to 5.0.0.beta3:
  * Drop merged patch 0001-Make-cpp-poppler-version.h-header-optional.patch
  * Update some internal tarballs so we keep building - based on these bumps update the buildrequires too
- Generate python cache files wrt boo#929793
- Update %post scriptlets to work on sle11 again
- Split out the share -> lib linker to hopefully allow sle11 build
- One more fix for help handling boo#915996
- Version bump to 4.4.3 release:
  * Various small fixes all around
- Disable verbose build to pass check on maximal size of log
- We need pre/post for libreoffice in langpkgs
- Use old java for detection and old commons-lang/codec to pass brp check on java from sle11
  * 0001-Make-HAVE_JAVA6-be-always-false.patch
- Revert last changeset, it is caused by something else this time:
  * 0001-Set-source-and-target-params-for-java.patch
- Set source/target for javac when building to work on SLE11:
  * 0001-Set-source-and-target-params-for-java.patch
- Try to deal with rpath on bundled libs
- Fix python3_sitelib not being around for py2
- Add internal make for too old system
- One more stab on poppler switch:
  * 0001-Make-cpp-poppler-version.h-header-optional.patch
- Update the old-poppler patch to work correctly:
  * 0001-Make-cpp-poppler-version.h-header-optional.patch
- Sort out more external tarballs for the no-system-libs approach
- Add basic external tarballs needed for without-system-libraries
- Add patch to check for poppler more nicely to work on older distros:
  * 0001-Make-cpp-poppler-version.h-header-optional.patch
- Try to pass configure without system libs
- Allow switch between py2 and py3
- Move external dependencies in conditional thus allow build on SLE11
- Add conditional for noarch subpackages
- Add switch in configure to detect more of internal/external stuff
- Add conditional for appdatastore thing and redo it to impact the spec less
- Add systemlibs switch to be used in attempt to build sle11 build
- Silence more scary messages by boo#900186
  * Fixes autocorr symlinking
  * Cleans UNO cache in more pretty way
- Clean up the uno cache removal to not display scary message boo#900186
- Remove patch to look for help in /usr/share, we symlink it back to lib, so there is no actual need to search for it directly, might fix boo#915996:
  * officecfg-help-in-usr-share.diff
- --disable-collada
  * reportedly it does not work in LibreOffice 4.4
- added version numbers to some BuildRequires lines
- Require flow engine too on base
- Fix build on SLE12 and 13.1 by adding conditional for appdata install
- Fixup the installed appdata.xml files: they reference a .desktop file that are not installed by libreoffice (boo#926375).
- Version bump to 4.4.2:
  * 2nd bugfix update for the 4.4 series
- BuildRequires: libodfgen-devel >= 0.1
- added version numbers to some BuildRequires lines
- build does not require python3-lxml
- build requires librevenge-devel >= 0.0.1
- vlc media backend is broken, don't use it. Only gstreamer should be used.
- Install the .appdata.xml files shipped by upstream: allow LO to be shown in AppStream based software centers.
- Move pretrans to pre
- Version bump to 4.4.1 first bugfix release of the series
- Reduce bit the compilation preparations as we prepped most of the things by _constraints and it is no longer needed
- %pre is not enough the script needs to be rewritten in lua
- Move removal of obsolete dirs from %pretrans to %pre boo#916181
- Version bump to 4.4.0 final:
  * First in the 4.4 series
  * First release to have the new UI elements without old hardcoded sizes
  * Various improvements all around.
- Version bump to 4.4.0rc2:
  * Various bugfixes, just bumping to see if we still build fine.
- That verbose switch for configure was really really bad idea
- generic images.zip for galaxy icons seem gone so remove
- Do not supplement kde3 stuff, it is way beyond obsolete
- Remove vlc conditional
- korea.xcd is no more so remove
- Really use mergelib
- Disable telepathy, it really is experimental like hell
- Version bump to 4.4.0rc1:
  * New 4.4 branch release with additional features
- Enable collada:
  * New bundled collada2gltf tarball: 4b87018f7fff1d054939d19920b751a0-collada2gltf-master-cb1d97788a.tar.bz2
- Remove erroneous self-obsolete in lang pkgs.
- Version bump to 4.3.3.2:
  * Various bugfixes from maintenance branch to copy openSUSE.
  * Also contains fix for boo#900214 and boo#900218 CVE-2014-3693
- fix regression in bullets (boo#897903).
- Add masterpage_style_parent.odp as new file for regression test for bullets.

Changes in cmis-client:
- Update to version 0.5.0
  + Completely removed the dependency on InMemory server for unit tests
  + Minimized the number of HTTP requests sent by SessionFactory::createSession
  + Added Session::getBaseTypes()
- Bump soname to 0_5-5
- Bump incname to 0.5

Changes in libetonyek:
- Version bump to 0.1.3:
  * Various small fixes
  * More imported now imported
  * Now use mdds to help with some hashing
- Version bump to 0.1.2:
  * Initial support for pages and numbers
  * Ditch libetonyek-0.1.1-constants.patch as we do not require us to build for older boost

Changes in libmwaw:
- Version bump to 0.3.6:
  - Added a minimal parser for ApplePict v1.v2, ie. no clipping, does not take in account the copy mode: srcCopy, srcOr, ...
  - Extended the --with-docs configure option to allow to build doc only for the API classes: --with-docs=no|api|full .
  - Added a parser for MacDraft v4-v5 documents.
  - RagTime v5-v6 parser: try to retrieve the main layouts and the picture/shape/textbox, ie. now, it generates result but it is still very incomplete...
  - MWAW{Graphic,Presentation,Text}Listener: corrected a problem in openGroup which may create to incorrect document.
  - Created an MWAWEmbeddedObject class to store a picture with various representations.
  - MWAW*Listener: renamed insertPicture to insertShape, added a function to insert a textbox in a MWAWGraphicShape (which only insert a basic textbox).
  - Fixed many crashes and hangs when importing broken files, found with the help of american-fuzzy-lop.
  - And several other minor fixes and improvements.
- Version bump to 0.3.5
  * Various small fixes on 0.3 series, nothing big worth mentioning

Changes in libodfgen:
- Version bump to 0.1.4:
  - drawing interface: do not forget to call startDocument/endDocument when writing in the manifest
  - metadata: added handler for 'template' metadata, unknown metadata are written in a meta:user-defined elements,
  - defineSheetNumberingStyle: can now define styles for the whole document (and not only for the actual sheet)
  - update doxygen configuration file + add a make astyle command
  - Allow writing meta:creation-date metadata element for drawings and presentations too.
  - Improve handling of headings. Most importantly, write valid ODF.
  - Write meta:generator metadata element.
  - Add initial support for embedded fonts. It is currently limited to Flat ODF output.
- Upgrade to version 0.1.2
  * Use text:h element for headings. Any paragraph with text:outline-level property is recognized as a heading.
  * Handle layers.
  * Improve handling of styles. Particularly, do not emit duplicate styles.
  * Slightly improve documentation.
  * Handle master pages.
  * Do not expect that integer properties are always in inches.
  * Fix misspelled style:paragraph-properties element in presentation notes.
  * Only export public symbols on Linux.
  * Fix bogus XML-escaping of metadata values.
  * And many other improvements and fixes.

Changes in libpagemaker:
- Initial package based on upstream libpagemaker 0.0.2

Changes in libreoffice-share-linker:
- Initial commit, split out from main libreoffice package to workaround issues on SLE11 build

Changes in mdds:
- Update to version 0.12.1:
  * Various small fixes on 0.12 series
  * Just move define up and comment why we redefine docdir
  * more types are possible in segment_tree data structures (previously only pointers were possible)
  * added sorted_string_map
  * multi_type_vector bugfixes

Changes in libwps:
- Update to version 0.4.1:
  + QuattroPro: correct a mistake when reading negative cell's position.
  + Fix some Windows build problems.
  + Fix more than 10 hangs when reading damaged files, found with the help of american-fuzzy-lop.
  + Performance: improve the sheet's output generation.
  + add support for unknown encoding files (ie. DOS file)
  + add potential support for converting Lotus, ... documents,
  + accept to convert all Lotus Wk1 files and Symphony Wk1 files,
  + add support for Lotus Wk3 and Wk4 documents,
  + add support for Quattro Pro Wq1 and Wq2 documents,
  + only in debug mode, add pre-support for Lotus Wk5..., must allow to retrieve the main sheets content's with no formatting,
  + add potential support for asking the document's password ( but do nothing )
  + correct some compiler warnings when compiling in debug mode.
  + Fix parsing of floating-point numbers in specific cases.
  + Fix several minor issues reported by Coverity and Clang.
  + Check arguments of public functions. Passing NULL no longer causes a crash.
  + Use symbol visibility on Linux. The library only exports the public functions now.
  + Import @TERM and @CTERM functions (fdo#86241).
  + Handle LICS character encoding in spreadsheets (fdo#87222).
  + Fix a crash when reading a broken file, found with the help of american-fuzzy-lop.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

  zypper in -t patch openSUSE-2016-273=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

  cmis-client-0.5.0-4.3.2
  cmis-client-debuginfo-0.5.0-4.3.2
  cmis-client-debugsource-0.5.0-4.3.2
  libcmis-0_5-5-0.5.0-4.3.2
  libcmis-0_5-5-debuginfo-0.5.0-4.3.2
  libcmis-c-0_5-5-0.5.0-4.3.2
  libcmis-c-0_5-5-debuginfo-0.5.0-4.3.2
  libcmis-c-devel-0.5.0-4.3.2
  libcmis-devel-0.5.0-4.3.2
  libetonyek-0_1-1-0.1.3-2.3.2
  libetonyek-0_1-1-debuginfo-0.1.3-2.3.2
  libetonyek-debugsource-0.1.3-2.3.2
  libetonyek-devel-0.1.3-2.3.2
  libetonyek-tools-0.1.3-2.3.2
  libetonyek-tools-debuginfo-0.1.3-2.3.2
  libmwaw-0_3-3-0.3.6-2.7.2
  libmwaw-0_3-3-debuginfo-0.3.6-2.7.2
  libmwaw-debugsource-0.3.6-2.7.2
  libmwaw-devel-0.3.6-2.7.2
  libmwaw-tools-0.3.6-2.7.2
  libmwaw-tools-debuginfo-0.3.6-2.7.2
  libodfgen-0_1-1-0.1.4-2.3.2
  libodfgen-0_1-1-debuginfo-0.1.4-2.3.2
  libodfgen-debugsource-0.1.4-2.3.2
  libodfgen-devel-0.1.4-2.3.2
  libpagemaker-0_0-0-0.0.2-2.2
  libpagemaker-0_0-0-debuginfo-0.0.2-2.2
  libpagemaker-debugsource-0.0.2-2.2
  libpagemaker-devel-0.0.2-2.2
  libpagemaker-tools-0.0.2-2.2
  libpagemaker-tools-debuginfo-0.0.2-2.2
  libreoffice-5.0.4.2-28.1
  libreoffice-base-5.0.4.2-28.1
  libreoffice-base-debuginfo-5.0.4.2-28.1
  libreoffice-base-drivers-mysql-5.0.4.2-28.1
  libreoffice-base-drivers-mysql-debuginfo-5.0.4.2-28.1
  libreoffice-base-drivers-postgresql-5.0.4.2-28.1
  libreoffice-base-drivers-postgresql-debuginfo-5.0.4.2-28.1
  libreoffice-calc-5.0.4.2-28.1
  libreoffice-calc-debuginfo-5.0.4.2-28.1
  libreoffice-calc-extensions-5.0.4.2-28.1
  libreoffice-debuginfo-5.0.4.2-28.1
  libreoffice-debugsource-5.0.4.2-28.1
  libreoffice-draw-5.0.4.2-28.1
  libreoffice-draw-debuginfo-5.0.4.2-28.1
  libreoffice-filters-optional-5.0.4.2-28.1
  libreoffice-gnome-5.0.4.2-28.1
  libreoffice-gnome-debuginfo-5.0.4.2-28.1
  libreoffice-gtk3-5.0.4.2-28.1
  libreoffice-gtk3-debuginfo-5.0.4.2-28.1
  libreoffice-impress-5.0.4.2-28.1
  libreoffice-impress-debuginfo-5.0.4.2-28.1
  libreoffice-kde4-5.0.4.2-28.1
  libreoffice-kde4-debuginfo-5.0.4.2-28.1
  libreoffice-mailmerge-5.0.4.2-28.1
  libreoffice-math-5.0.4.2-28.1
  libreoffice-math-debuginfo-5.0.4.2-28.1
  libreoffice-officebean-5.0.4.2-28.1
  libreoffice-officebean-debuginfo-5.0.4.2-28.1
  libreoffice-pyuno-5.0.4.2-28.1
  libreoffice-pyuno-debuginfo-5.0.4.2-28.1
  libreoffice-sdk-5.0.4.2-28.1
  libreoffice-sdk-debuginfo-5.0.4.2-28.1
  libreoffice-sdk-doc-5.0.4.2-28.1
  libreoffice-writer-5.0.4.2-28.1
  libreoffice-writer-debuginfo-5.0.4.2-28.1
  libreoffice-writer-extensions-5.0.4.2-28.1
  libwps-0_4-4-0.4.1-2.4.2
  libwps-0_4-4-debuginfo-0.4.1-2.4.2
  libwps-debugsource-0.4.1-2.4.2
  libwps-devel-0.4.1-2.4.2
  libwps-tools-0.4.1-2.4.2
  libwps-tools-debuginfo-0.4.1-2.4.2

- openSUSE 13.2 (noarch):

  libetonyek-devel-doc-0.1.3-2.3.2
  libmwaw-devel-doc-0.3.6-2.7.2
  libodfgen-devel-doc-0.1.4-2.3.2
  libpagemaker-devel-doc-0.0.2-2.2
  libreoffice-branding-upstream-5.0.4.2-28.1
  libreoffice-icon-theme-breeze-5.0.4.2-28.1
  libreoffice-icon-theme-galaxy-5.0.4.2-28.1
  libreoffice-icon-theme-hicontrast-5.0.4.2-28.1
  libreoffice-icon-theme-oxygen-5.0.4.2-28.1
  libreoffice-icon-theme-sifr-5.0.4.2-28.1
  libreoffice-icon-theme-tango-5.0.4.2-28.1
  libreoffice-l10n-af-5.0.4.2-28.1
  libreoffice-l10n-ar-5.0.4.2-28.1
  libreoffice-l10n-as-5.0.4.2-28.1
  libreoffice-l10n-bg-5.0.4.2-28.1
  libreoffice-l10n-bn-5.0.4.2-28.1
  libreoffice-l10n-br-5.0.4.2-28.1
  libreoffice-l10n-ca-5.0.4.2-28.1
  libreoffice-l10n-cs-5.0.4.2-28.1
  libreoffice-l10n-cy-5.0.4.2-28.1
  libreoffice-l10n-da-5.0.4.2-28.1
  libreoffice-l10n-de-5.0.4.2-28.1
  libreoffice-l10n-dz-5.0.4.2-28.1
  libreoffice-l10n-el-5.0.4.2-28.1
  libreoffice-l10n-en-5.0.4.2-28.1
  libreoffice-l10n-es-5.0.4.2-28.1
  libreoffice-l10n-et-5.0.4.2-28.1
  libreoffice-l10n-eu-5.0.4.2-28.1
  libreoffice-l10n-fa-5.0.4.2-28.1
  libreoffice-l10n-fi-5.0.4.2-28.1
  libreoffice-l10n-fr-5.0.4.2-28.1
  libreoffice-l10n-ga-5.0.4.2-28.1
  libreoffice-l10n-gl-5.0.4.2-28.1
  libreoffice-l10n-gu-5.0.4.2-28.1
  libreoffice-l10n-he-5.0.4.2-28.1
  libreoffice-l10n-hi-5.0.4.2-28.1
  libreoffice-l10n-hr-5.0.4.2-28.1
  libreoffice-l10n-hu-5.0.4.2-28.1
  libreoffice-l10n-it-5.0.4.2-28.1
  libreoffice-l10n-ja-5.0.4.2-28.1
  libreoffice-l10n-kk-5.0.4.2-28.1
  libreoffice-l10n-kn-5.0.4.2-28.1
  libreoffice-l10n-ko-5.0.4.2-28.1
  libreoffice-l10n-lt-5.0.4.2-28.1
  libreoffice-l10n-lv-5.0.4.2-28.1
  libreoffice-l10n-mai-5.0.4.2-28.1
  libreoffice-l10n-ml-5.0.4.2-28.1
  libreoffice-l10n-mr-5.0.4.2-28.1
  libreoffice-l10n-nb-5.0.4.2-28.1
  libreoffice-l10n-nl-5.0.4.2-28.1
  libreoffice-l10n-nn-5.0.4.2-28.1
  libreoffice-l10n-nr-5.0.4.2-28.1
  libreoffice-l10n-nso-5.0.4.2-28.1
  libreoffice-l10n-or-5.0.4.2-28.1
  libreoffice-l10n-pa-5.0.4.2-28.1
  libreoffice-l10n-pl-5.0.4.2-28.1
  libreoffice-l10n-pt-BR-5.0.4.2-28.1
  libreoffice-l10n-pt-PT-5.0.4.2-28.1
  libreoffice-l10n-ro-5.0.4.2-28.1
  libreoffice-l10n-ru-5.0.4.2-28.1
  libreoffice-l10n-si-5.0.4.2-28.1
  libreoffice-l10n-sk-5.0.4.2-28.1
  libreoffice-l10n-sl-5.0.4.2-28.1
  libreoffice-l10n-sr-5.0.4.2-28.1
  libreoffice-l10n-ss-5.0.4.2-28.1
  libreoffice-l10n-st-5.0.4.2-28.1
  libreoffice-l10n-sv-5.0.4.2-28.1
  libreoffice-l10n-ta-5.0.4.2-28.1
  libreoffice-l10n-te-5.0.4.2-28.1
  libreoffice-l10n-th-5.0.4.2-28.1
  libreoffice-l10n-tn-5.0.4.2-28.1
  libreoffice-l10n-tr-5.0.4.2-28.1
  libreoffice-l10n-ts-5.0.4.2-28.1
  libreoffice-l10n-uk-5.0.4.2-28.1
  libreoffice-l10n-ve-5.0.4.2-28.1
  libreoffice-l10n-xh-5.0.4.2-28.1
  libreoffice-l10n-zh-Hans-5.0.4.2-28.1
  libreoffice-l10n-zh-Hant-5.0.4.2-28.1
  libreoffice-l10n-zu-5.0.4.2-28.1
  libreoffice-share-linker-1-2.2
  mdds-devel-0.12.1-2.4.2

References:

  https://www.suse.com/security/cve/CVE-2014-3693.html
  https://www.suse.com/security/cve/CVE-2014-8146.html
  https://www.suse.com/security/cve/CVE-2014-8147.html
  https://www.suse.com/security/cve/CVE-2014-9093.html
  https://www.suse.com/security/cve/CVE-2015-4551.html
  https://www.suse.com/security/cve/CVE-2015-45513.html
  https://www.suse.com/security/cve/CVE-2015-5212.html
  https://www.suse.com/security/cve/CVE-2015-5213.html
  https://www.suse.com/security/cve/CVE-2015-5214.html
  https://bugzilla.suse.com/679938
  https://bugzilla.suse.com/829430
  https://bugzilla.suse.com/889755
  https://bugzilla.suse.com/897903
  https://bugzilla.suse.com/900186
  https://bugzilla.suse.com/900214
  https://bugzilla.suse.com/900218
  https://bugzilla.suse.com/907636
  https://bugzilla.suse.com/910805
  https://bugzilla.suse.com/910806
  https://bugzilla.suse.com/915996
  https://bugzilla.suse.com/916181
  https://bugzilla.suse.com/926375
  https://bugzilla.suse.com/929793
  https://bugzilla.suse.com/934423
  https://bugzilla.suse.com/936188
  https://bugzilla.suse.com/936190
  https://bugzilla.suse.com/939996
  https://bugzilla.suse.com/940838
  https://bugzilla.suse.com/943075
  https://bugzilla.suse.com/945047
  https://bugzilla.suse.com/945692
  https://bugzilla.suse.com/951579
  https://bugzilla.suse.com/954345