Re: Officially releasing a patch for CVE-2016-1513
[Posted July 27, 2016 by jake]
| From: | Don Lewis <truckman-AT-apache.org> |
| To: | dev-AT-openoffice.apache.org |
| Subject: | Re: Officially releasing a patch for CVE-2016-1513 |
| Date: | Mon, 25 Jul 2016 14:18:15 -0700 (PDT) |
| Message-ID: | <201607252118.u6PLIFoK078865__19953.075136482$1469481533$gmane$org@gw.catspoiler.org> |
| Cc: | dennis.hamilton-AT-acm.org |
On 24 Jul, Dennis E. Hamilton wrote:
> The patched DLL is shipped with an external digital signature. I
> guess we could ask that to be installed alongside it. That would be a
> good tell-tale.
>
> The web site where the patch is downloadable from will have hashes for
> the archive containing the patched library and will also have an
> external signature for that. These are on a secure AOO infrastructure
> site, the best place to retrieve hashes and signature files. There is
> no reason not to have a hash of the library inside the downloadable
> archive for those who, for some reason, cannot check the signature but
> can verify the hash.
>
> In the manual procedure, we will ask users to rename the existing
> shared-library before copying in the replacement. This will provide a
> means to revert to the patched library if a regression results.
>
> There is a difference in file-creation dates and in the size of the
> files as well. The procedure for hotfixing with the patched library
> should provide that information to discourage attempting to patch a
> different release and also make it easier to tell the patch is there.
>
> You're right that different builds by others who look to just extract
> the shared library will likely end up with a different binary of that
> library. For a binary distribution from any origin that has the patch
> compiled-in, I would think something like the static string might be
> helpful. If we do that in the AOO4121 tag, we'll have to redo the
> patched libraries we've already built. I was hoping we could avoid
> that and stick with ones we have done some testing on already.
>
> Is what we're planning enough?
I think that should be OK.
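The verification and install steps Dennis describes above (checking the published hash, checking the detached signature, and renaming the existing shared library before copying in the replacement so it can be restored), written out as an added POSIX shell example. This is not code from the thread or from the Apache OpenOffice project's own hotfix procedure; the `.orig` suffix, the use of gpg against a detached `.asc` signature, and the SHA-256 choice of hash are assumptions, and every file name and hash value involved is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: verify a downloaded
# patch file against its published hash and detached signature, then install
# the patched shared library only after renaming the original aside.
# File names, the .orig suffix and gpg usage are assumptions of this example.

set -u

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA-256 with the value published on the project site.
# Returns 0 on match, 1 on mismatch.
verify_hash() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Check the detached signature (<file>.asc) with gpg. The project's signing
# key is assumed to be imported into the local keyring already; the hash
# check above is the fallback for users who cannot verify the signature.
verify_signature() {
    gpg --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Install the patched library: require that both files exist, refuse to
# overwrite an earlier backup, rename the original to <name>.orig, then copy
# the replacement into place. Returns 0 on success, 1 otherwise.
install_with_backup() {
    src=$1; dst=$2
    [ -f "$src" ] || return 1
    [ -f "$dst" ] || return 1
    [ -e "$dst.orig" ] && return 1
    mv "$dst" "$dst.orig" || return 1
    cp "$src" "$dst"
}

# Put the original library back if the patched one causes a regression.
revert_backup() {
    dst=$1
    [ -f "$dst.orig" ] || return 1
    mv "$dst.orig" "$dst"
}

# Typical use (paths are placeholders):
#   verify_signature ./patch.zip && verify_hash ./patch.zip "<published sha256>" \
#       && install_with_backup ./patched/libexample.so /opt/app/program/libexample.so
```

The hash and signature checks are kept separate so that a user who has the published hash but no usable keyring still gets an integrity check, which is the case Dennis raises; `install_with_backup` refuses to run twice so an earlier `.orig` backup is never clobbered, and `revert_backup` is the revert path the manual procedure relies on.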