Bug 147334

Summary: Impact of deleting ant-apache-log4j-1.10.9.jar from the server
Product: LibreOffice
Reporter: Ghazi Triki <ghazi.nocturne>
Component: LibreOffice
Assignee: Not Assigned <libreoffice-bugs>
Status: UNCONFIRMED ---
Severity: normal
CC: sberg.fun, serval2412
Priority: medium
Version: 7.2.5.2 release
Hardware: All
OS: All
Whiteboard:
Crash report or crash signature:
Regression By:

Description Ghazi Triki 2022-02-10 06:12:14 UTC
Hello,

LibreOffice is still using the following dependency

https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.9

that has some known vulnerability issues from its dependencies, so no direct issues.

If I remove it, will LibreOffice continue to work properly? Should I remove its dependencies too? Is there any way to use another logger like logback?

Thanks
Comment 1 Julien Nabet 2022-02-10 17:16:13 UTC
Stephan: taking a look at configure.ac, I noticed "NEED_ANT" var which takes the value TRUE to build Hsqldb, Jfreereport or Rhino if they're not provided by system.

I also noticed ant_minver=1.6.0 (line 13599), but even if we force the use of the last known version, 1.10.12, there are still CVEs, see https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.12

Any thoughts here?
Comment 2 Stephan Bergmann 2022-02-11 09:58:21 UTC
(In reply to Ghazi Triki from comment #0)
> LibreOffice is still using the following dependency
> 
> https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.9

I wouldn't know how LibreOffice would be using that, neither at build nor at run time.  Can you be more specific?  (And whatever "the server" is that you would want to delete something from.)

As Julien explains, LibreOffice may need an externally-provided ant, of some minimum version, at build time.  Everything else is beyond what LibreOffice does or should care about.