openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Officially releasing a patch for CVE-2016-1513
Date Sat, 30 Jul 2016 17:37:48 GMT


> -----Original Message-----
> From: Andrea Pescetti [mailto:pescetti@apache.org]
> Sent: Saturday, July 30, 2016 05:54
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> On 30/07/2016 Dennis E. Hamilton wrote:
> >> -----Original Message-----
> >> From: Andrea Pescetti
> >> So I can supply a full source package or I can give my +1 to a
> "patch"
> >> package that others prepare. ...
> > [orcmid] I can provide the patch source package on Monday.
> 
> Since I can only work on it today, I've uploaded to
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/source/
> a set of files not meant for voting now.
> 
> There is a full source release (the three files with r1754535 in their
> name) and also an initial "patch-only" package named
> apache-openoffice-4.1.2-patch1.zip. We will probably want to approve
> just the latter; the former set is a backup solution, just in case.
[orcmid] 

I see the following, each with their .asc, .md5, and .sha256 signatures.

  apache-openoffice-4.1.2-patch1.zip (28kb with expected content)

Then there are the following which are not patches but apparently the entire AOO4121 source
tree:

   apache-openoffice-4.1.2-patch1-r1754535-src.tar.bz2 (215MB)
   apache-openoffice-4.1.2-patch1-r1754535-src.tar.gz (284MB)
   apache-openoffice-4.1.2-patch1-r1754535-src.zip (334MB)

This seems like overkill, especially since I don't think we want or need those in dist/release/openoffice/4.1.2-patch1/source/

Since the 4.1.2 source archives are readily available, and applying the patch or replacing
the .cxx file seems pretty easy for anyone who can use the source, I would like to remove
those three.

I have reviewed apache-openoffice-4.1.2-patch1.zip and the content seems just fine.  I have
verified the .asc signature.  I have verified the md5 and sha256 hashes.  SVN determines that
the poly2.cxx in that .zip when extracted on Windows is indistinguishable from the same file
in the fully-updated working folder from branch AOO410.

I think this is good enough to go with.  

 - Dennis

PS: I suggested r1753426 because it is the revision that applied the cxx patch to trunk. r1754535
is the revision where Kay merged the fix to poly2.cxx onto AOO410.  I think that identifier
could still be on the patch-only version.  I am not wedded to the idea [;<).



 
> Dennis (and others): feel free to adapt and modify my initial
> "patch-only" package as you see fit, feel free to replace my digital
> signature with yours and start the vote when appropriate.
> 
> Regards,
>    Andrea.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org


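The message above describes the checks a reviewer runs on the patch package before voting: confirming the .asc signature and the .md5 and .sha256 hashes published next to the artifact. The script below is an added example, not code from this thread or from the Apache OpenOffice project. It assumes that each sidecar file holds either a bare hex digest or the "<digest>  <name>" line written by sha256sum/md5sum, and that the sidecar is named "<artifact>.<alg>"; the artifact names in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the AOO project): verify a release
# artifact against the .md5 / .sha256 sidecar files published beside it.
# Assumptions: sidecars contain a bare hex digest or "<digest>  <name>";
# file names used here are placeholders.

# Print the lowercase hex digest of file $2 using algorithm $1 (sha256 or md5).
digest_of() {
  alg="$1"; file="$2"
  case "$alg" in
    sha256)
      if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$file" | awk '{print $1}'
      else
        shasum -a 256 "$file" | awk '{print $1}'   # BSD/macOS fallback
      fi ;;
    md5)
      if command -v md5sum >/dev/null 2>&1; then
        md5sum "$file" | awk '{print $1}'
      else
        md5 -q "$file"                              # BSD/macOS fallback
      fi ;;
    *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
  esac
}

# Pull the expected digest out of a sidecar: the first whitespace-separated
# token that is exactly a hex string of the algorithm's length (64 for
# sha256, 32 for md5). Case-folded so uppercase digests still match, and
# token-exact so a file name or a longer digest is never mistaken for it.
expected_digest() {
  alg="$1"; sidecar="$2"
  case "$alg" in sha256) len=64 ;; md5) len=32 ;; *) return 2 ;; esac
  tr 'A-Z' 'a-z' < "$sidecar" | tr -s ' \t' '\n\n' | grep -xE "[0-9a-f]{$len}" | head -n 1
}

# Compare an artifact with its sidecar. Exit status: 0 digests match,
# 1 mismatch or no usable digest in the sidecar, 2 bad arguments or
# missing file. The sidecar defaults to "<file>.<alg>", e.g. foo.zip.sha256.
verify_artifact() {
  alg="$1"; file="$2"; sidecar="${3:-$2.$1}"
  case "$alg" in sha256|md5) ;; *) echo "unsupported algorithm: $alg" >&2; return 2 ;; esac
  if [ ! -f "$file" ] || [ ! -f "$sidecar" ]; then
    echo "missing file: $file or $sidecar" >&2; return 2
  fi
  want=$(expected_digest "$alg" "$sidecar")
  have=$(digest_of "$alg" "$file")
  if [ -z "$want" ]; then
    echo "no $alg digest found in $sidecar" >&2; return 1
  fi
  [ "$want" = "$have" ]
}

# Usage: sh verify_artifact.sh sha256 apache-openoffice-4.1.2-patch1.zip
if [ "$#" -ge 2 ]; then
  if verify_artifact "$@"; then echo "OK: $2"; else echo "FAIL: $2"; exit 1; fi
fi
```

The hash check only proves the download matches what the same server published; the detached .asc signature is what ties the artifact to a release manager's key, and it is checked separately with `gpg --verify artifact.asc artifact` after importing the project's KEYS file. A reviewer would run both, as the message above reports doing.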