expat-2.2.7 for CVE-2018-20843

Done
Submitted by Jack Hill.
Details
3 participants
  • Jack Hill
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Severity
normal
Jack Hill wrote on 28 Jun 2019 21:56
(address . guix-patches@gnu.org)
alpine.DEB.2.20.1906281553100.17508@marsh.hcoop.net
Hi Guix,
Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a replacement for expat with expat-2.2.7. I also changed the origin to use the GitHub hosted tarball as upstream is moving in that direction.
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
Best,
Jack
Jack Hill wrote on 28 Jun 2019 21:57
gnu: expat: Replace with 2.2.7 [security fixes]
(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1906281557130.17508@marsh.hcoop.net
From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
 gnu/packages/xml.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
Toggle diff (44 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex fc60758724..1be2a58d2e 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -20,6 +20,7 @@ ;;; Copyright ᅵ 2017 Petter <petter@mykolab.ch> ;;; Copyright ᅵ 2017 Stefan Reichᅵr <stefan@xsteve.at> ;;; Copyright ᅵ 2018 Pierre Neidhardt <mail@ambrevar.xyz>+;;; Copyright ᅵ 2019 Jack Hill <jackhill@jackhill.us> ;;; ;;; This file is part of GNU Guix. ;;;@@ -65,6 +66,7 @@ (define-public expat (package (name "expat")+ (replacement expat-2.2.7) (version "2.2.6") (source (origin (method url-fetch)@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat)))
+(define-public expat-2.2.7+ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))+ (package+ (inherit expat)+ (version "2.2.7")+ (source+ (origin+ (method url-fetch)+ (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_"+ (string-map dot->underscore version)+ "/expat-" version ".tar.xz"))+ (sha256+ (base32+ "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh")))))))+ (define-public libebml (package (name "libebml")-- 2.22.0
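Review bot: The context lines of the copyright-header hunk show a replacement character where the © sign and the ö of the Stefan Reichör line should be, so they no longer match the UTF-8 bytes of gnu/packages/xml.scm and the hunk is likely to be rejected. Resend the patch as an attachment or with git send-email so the mail client does not re-encode it.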
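Review bot: `(replacement expat-2.2.7)` grafts a complete new upstream release, fetched from GitHub as a .tar.xz, rather than 2.2.6 plus the security fix, and the commit log does not mention the change of download location. A replacement is swapped in under dependents that were built against 2.2.6, so either show that 2.2.7 exports the same ABI (for instance with abidiff) or narrow the replacement to the CVE patch. In `dot->underscore`, `char=?` is the more precise predicate than `equal?`.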
Marius Bakke wrote on 30 Jun 2019 12:12
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
87o92fv0u1.fsf@devup.no
Hi Jack,
Jack Hill <jackhill@jackhill.us> writes:
> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
Thank you very much for this patch! It did not apply cleanly on my end, perhaps it got mangled by your mail user agent?
I tried running `abidiff` (from libabigail) on the new and old Expat:
$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode
Apparently these symbols were never supposed to be exported: <https://github.com/libexpat/libexpat/pull/197>. However, there could be packages "in the wild" that uses these symbols and would silently break with the grafted Expat.
IIUC the fix for CVE-2018-20843 is this commit: <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
I think it's better to graft a variant with only this patch to be on the safe side. Can you try that?
Could you also submit a second patch that adds GitHub as an additional download location for the regular Expat package? :-)
Thanks in advance,
Marius
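The graft-compatibility check from the message above, as an added example (not code from the thread or from Guix): it parses the abidiff report quoted there and reports which already-built dependents import symbols that the replacement no longer exports. The dependent names and their import sets are constructed for illustration.

```python
import re

# abidiff report as quoted in the message above (expat 2.2.6 vs 2.2.7).
ABIDIFF_REPORT = """\
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode
"""

# Constructed sample: undefined (imported) symbols of two hypothetical
# dependents, as `nm -D --undefined-only <binary>` would list them.
DEPENDENT_IMPORTS = {
    "hypothetical-app": {"XML_ParserCreate", "XML_Parse", "XML_ParserFree"},
    "hypothetical-legacy-tool": {"XML_ParserCreate", "XmlUtf8Encode", "XmlInitEncoding"},
}

SUMMARY_RE = re.compile(r"^(?P<kind>.+?) changes summary: (?P<counts>.+)$")
COUNT_RE = re.compile(r"(\d+) (Removed|Changed|Added)")
SECTION_RE = re.compile(r"^\d+ (Removed|Changed|Added) .*:$")
# Bare symbol name on an indented line; an optional one-letter tag such as
# "[D]" is tolerated (assumption about other libabigail versions).
SYMBOL_RE = re.compile(r"^\s+(?:\[\w\]\s+)?(\S+)$")


def parse_abidiff(report):
    """Return (summary, removed_symbols) from an abidiff text report."""
    summary, removed, section = {}, [], None
    for line in report.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["kind"]] = {kind.lower(): int(n)
                                  for n, kind in COUNT_RE.findall(m["counts"])}
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m[1]
            continue
        m = SYMBOL_RE.match(line)
        if m and section == "Removed":
            removed.append(m[1])
        elif line.strip():
            section = None  # any other non-blank line ends the current list
    return summary, removed


def graft_compatible(summary):
    """A graft swaps the library under already-built dependents, so nothing
    they may have linked against can be removed or changed; additions are fine."""
    return all(c.get("removed", 0) == 0 and c.get("changed", 0) == 0
               for c in summary.values())


def broken_dependents(removed, imports):
    """Map each dependent to the imported symbols the new library no longer exports."""
    gone = set(removed)
    return {name: sorted(syms & gone)
            for name, syms in imports.items() if syms & gone}


if __name__ == "__main__":
    summary, removed = parse_abidiff(ABIDIFF_REPORT)
    print("graft compatible:", graft_compatible(summary))
    for name, syms in broken_dependents(removed, DEPENDENT_IMPORTS).items():
        print(f"{name} would fail to resolve: {', '.join(syms)}")
```
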
Jack Hill wrote on 2 Jul 2019 22:49
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907021647200.17508@marsh.hcoop.net
Marius,
Thanks for looking at this.
On Sun, 30 Jun 2019, Marius Bakke wrote:
> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
>   XmlGetUtf16InternalEncoding
>   XmlGetUtf16InternalEncodingNS
>   XmlGetUtf8InternalEncoding
>   XmlGetUtf8InternalEncodingNS
>   XmlInitEncoding
>   XmlInitEncodingNS
>   XmlInitUnknownEncoding
>   XmlInitUnknownEncodingNS
>   XmlParseXmlDecl
>   XmlParseXmlDeclNS
>   XmlPrologStateInit
>   XmlPrologStateInitExternalEntity
>   XmlSizeOfUnknownEncoding
>   XmlUtf16Encode
>   XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> <https://github.com/libexpat/libexpat/pull/197>. However, there could
> be packages "in the wild" that uses these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>
> I think it's better to graft a variant with only this patch to be on the
> safe side. Can you try that?
Good idea. I didn't think to check. Yes, I can try to do that.
> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package? :-)
I'll try that as well.
I'll also try to not let my mail client mangle them :)
Best,
Jack
Ludovic Courtès wrote on 3 Jul 2019 00:34
control message for bug #36424
(address . control@debbugs.gnu.org)
87imsk3w25.fsf@gnu.org
tags 36424 + security
quit
Jack Hill wrote on 5 Jul 2019 01:49
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041947340.17508@marsh.hcoop.net
On Tue, 2 Jul 2019, Jack Hill wrote:
>> Apparently these symbols were never supposed to be exported:
>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>> be packages "in the wild" that uses these symbols and would silently
>> break with the grafted Expat.
>>
>> IIUC the fix for CVE-2018-20843 is this commit:
>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>
>> I think it's better to graft a variant with only this patch to be on the
>> safe side. Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package? :-)
>
> I'll try that as well.
I've prepared the two attached patches that I believe implement Marius's proposed solution.
Thanks,
Jack
From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 17:00:27 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI

The expat sourceforge page announces that the project is in the process of
moving to GitHub.

* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
 gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)
Toggle diff (61 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index fc60758724..dab6597690 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -20,6 +20,7 @@ ;;; Copyright © 2017 Petter <petter@mykolab.ch> ;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at> ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz> +;;; Copyright © 2019 Jack Hill <jackhill@jackhill.us> ;;; ;;; This file is part of GNU Guix. ;;; @@ -63,24 +64,30 @@ #:use-module (gnu packages pkg-config)) (define-public expat - (package - (name "expat") - (version "2.2.6") - (source (origin - (method url-fetch) - (uri (string-append "mirror://sourceforge/expat/expat/" - version "/expat-" version ".tar.bz2")) - (sha256 - (base32 - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))) - (build-system gnu-build-system) - (home-page "https://libexpat.github.io/") - (synopsis "Stream-oriented XML parser library written in C") - (description - "Expat is an XML parser library written in C. It is a + (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) + (package + (name "expat") + (version "2.2.6") + (source (origin + (method url-fetch) + (uri (list (string-append + "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.bz2") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.bz2"))) + (sha256 + (base32 + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))) + (build-system gnu-build-system) + (home-page "https://libexpat.github.io/") + (synopsis "Stream-oriented XML parser library written in C") + (description + "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") - (license license:expat))) + (license license:expat)))) (define-public libebml (package -- 2.22.0
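Review bot: Wrapping the whole `(package ...)` form of `expat` in the `let` that binds `dot->underscore` re-indents every field, which is why adding one URI shows up as 23 insertions and 16 deletions and will conflict with any other pending change to this definition. Bind `dot->underscore` inside the `(source ...)` field so that only the origin lines change, and compare characters with `char=?` rather than `equal?`.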
From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 19:41:30 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
 gnu/local.mk                                    |  7 ++++---
 gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
 gnu/packages/xml.scm                            |  9 +++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
Toggle diff (80 lines)diff --git a/gnu/local.mk b/gnu/local.mk index 6e90d88689..bcf47d7378 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,20 +764,21 @@ dist_patch_DATA = \ %D%/packages/patches/einstein-build.patch \ %D%/packages/patches/emacs-exec-path.patch \ %D%/packages/patches/emacs-fix-scheme-indent-function.patch \ - %D%/packages/patches/emacs-json-reformat-fix-tests.patch \ %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \ + %D%/packages/patches/emacs-json-reformat-fix-tests.patch \ %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \ %D%/packages/patches/emacs-source-date-epoch.patch \ - %D%/packages/patches/emacs-unpackaged-req.patch \ %D%/packages/patches/emacs-undohist-ignored.patch \ + %D%/packages/patches/emacs-unpackaged-req.patch \ %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \ %D%/packages/patches/emacs-zones-called-interactively.patch \ %D%/packages/patches/enlightenment-fix-setuid-path.patch \ %D%/packages/patches/erlang-man-path.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ - %D%/packages/patches/exiv2-CVE-2017-14860.patch \ %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ + %D%/packages/patches/exiv2-CVE-2017-14860.patch \ + %D%/packages/patches/expat-CVE-2018-20843.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch new file mode 100644 index 0000000000..dd64b91965 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch 
@@ -0,0 +1,16 @@ +Fix extraction of namespace prefix from XML name. +Fixes CVE-2018-20843 + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 30d55c5..737d7cd 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType) + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dab6597690..8c289c5cbe 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -67,6 +67,7 @@ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) (package (name "expat") + (replacement expat/fixed) (version "2.2.6") (source (origin (method url-fetch) @@ -89,6 +90,14 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat)))) +(define expat/fixed + (package + (inherit expat) + (source + (origin + (inherit (package-source expat)) + (patches (search-patches "expat-CVE-2018-20843.patch")))))) + (define-public libebml (package (name "libebml") -- 2.22.0
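Review bot: The gnu/local.mk hunk re-sorts the emacs-json-reformat-fix-tests, emacs-unpackaged-req and exiv2-CVE-2017-14860 entries in addition to adding expat-CVE-2018-20843.patch, which is unrelated to the security fix and invites merge conflicts in a file many patches touch. Reduce the hunk to the single added line.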
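Review bot: The embedded expat-CVE-2018-20843.patch names its target as a/expat/lib/xmlparse.c, the path used in the upstream repository, so with one leading component stripped it looks for expat/lib/xmlparse.c. Check that this matches the layout of the unpacked 2.2.6 tarball, otherwise the patched source will fail to build at the patch step. The patch header should also record the upstream commit and the CVE URL so the fix can be audited later.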
Jack Hill wrote on 5 Jul 2019 01:57
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041955400.17508@marsh.hcoop.net
Woops, looks like I still mangled the patches (by adding carriage-returns), but hopefully in a way that they still apply without infecting the code with that problem.
I guess Alpine has let me down. At any rate, hopefully they're still useful and fix the problem. Let me know if you'd like me to try again.
Best,
Jack
Jack Hill wrote on 5 Jul 2019 02:02
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041959080.17508@marsh.hcoop.net
Also, sorry for the extra noise in gnu/local.mk. I had inserted my patch in the wrong place and alphabetized a number of lines using my en_us.UTF-8 locale to fix it. Let me know if I should re-submit without the extraneous changes.
Today hasn't been the best day for computer use for me I'm afraid.
Best,
Jack
Marius Bakke wrote on 6 Jul 2019 00:53
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424@debbugs.gnu.org)
87wogwqein.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:
> On Tue, 2 Jul 2019, Jack Hill wrote:
>
>>> Apparently these symbols were never supposed to be exported:
>>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>>> be packages "in the wild" that uses these symbols and would silently
>>> break with the grafted Expat.
>>>
>>> IIUC the fix for CVE-2018-20843 is this commit:
>>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>>
>>> I think it's better to graft a variant with only this patch to be on the
>>> safe side. Can you try that?
>>
>> Good idea. I didn't think to check. Yes, I can try to do that.
>>
>>> Could you also submit a second patch that adds GitHub as an additional
>>> download location for the regular Expat package? :-)
>>
>> I'll try that as well.
>
> I've prepared the two attached patches that I believe implement Marius's
> proposed solution.
Thanks!
One minor problem... the expat patch does not actually apply on our copy of expat! Can you look into it?
> From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
> From: Jack Hill <jackhill@jackhill.us>
> Date: Thu, 4 Jul 2019 17:00:27 -0400
> Subject: [PATCH 1/2] gnu: expat: Add additional source URI
>
> The expat sourceforge page announces that the project is in the process of
> moving to GitHub.
>
> * gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
> ---
> gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
> 1 file changed, 23 insertions(+), 16 deletions(-)
[...]
Toggle quote (38 lines)> (define-public expat> - (package> - (name "expat")> - (version "2.2.6")> - (source (origin> - (method url-fetch)> - (uri (string-append "mirror://sourceforge/expat/expat/"> - version "/expat-" version ".tar.bz2"))> - (sha256> - (base32> - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))> - (build-system gnu-build-system)> - (home-page "https://libexpat.github.io/")> - (synopsis "Stream-oriented XML parser library written in C")> - (description> - "Expat is an XML parser library written in C. It is a> + (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))> + (package> + (name "expat")> + (version "2.2.6")> + (source (origin> + (method url-fetch)> + (uri (list (string-append> + "mirror://sourceforge/expat/expat/"> + version "/expat-" version ".tar.bz2")> + (string-append> + "https://github.com/libexpat/libexpat/releases/download/R_"> + (string-map dot->underscore version)> + "/expat-" version ".tar.bz2")))> + (sha256> + (base32> + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))> + (build-system gnu-build-system)> + (home-page "https://libexpat.github.io/")> + (synopsis "Stream-oriented XML parser library written in C")> + (description> + "Expat is an XML parser library written in C. It is a
Can you move this let binding inside the (source ...) field? That way we don't have to reindent the whole thing.
Toggle quote (43 lines)> From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001> From: Jack Hill <jackhill@jackhill.us>> Date: Thu, 4 Jul 2019 19:41:30 -0400> Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.>> * gnu/packages/xml.scm (expat)[replacement]: New field.> (expat/fixed): New variable.> * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.> * gnu/local.mk (dist_patch_DATA): Add patch file.> ---> gnu/local.mk | 7 ++++---> gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++> gnu/packages/xml.scm | 9 +++++++++> 3 files changed, 29 insertions(+), 3 deletions(-)> create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch>> diff --git a/gnu/local.mk b/gnu/local.mk> index 6e90d88689..bcf47d7378 100644> --- a/gnu/local.mk> +++ b/gnu/local.mk> 
@@ -764,20 +764,21 @@ dist_patch_DATA = \> %D%/packages/patches/einstein-build.patch \> %D%/packages/patches/emacs-exec-path.patch \> %D%/packages/patches/emacs-fix-scheme-indent-function.patch \> - %D%/packages/patches/emacs-json-reformat-fix-tests.patch \> %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \> + %D%/packages/patches/emacs-json-reformat-fix-tests.patch \> %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \> %D%/packages/patches/emacs-source-date-epoch.patch \> - %D%/packages/patches/emacs-unpackaged-req.patch \> %D%/packages/patches/emacs-undohist-ignored.patch \> + %D%/packages/patches/emacs-unpackaged-req.patch \> %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \> %D%/packages/patches/emacs-zones-called-interactively.patch \> %D%/packages/patches/enlightenment-fix-setuid-path.patch \> %D%/packages/patches/erlang-man-path.patch \> %D%/packages/patches/eudev-rules-directory.patch \> %D%/packages/patches/evilwm-lost-focus-bug.patch \> - %D%/packages/patches/exiv2-CVE-2017-14860.patch \> %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \> + %D%/packages/patches/exiv2-CVE-2017-14860.patch \> + %D%/packages/patches/expat-CVE-2018-20843.patch \
You addressed this in another email, and I do think we should try to avoid needless moving around of these lines. There are enough merge conflicts on this file as-is, no need to introduce artificial ones. :-)
Toggle quote (16 lines)> %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \> %D%/packages/patches/fastcap-mulGlobal.patch \> %D%/packages/patches/fastcap-mulSetup.patch \> diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch> new file mode 100644> index 0000000000..dd64b91965> --- /dev/null> +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch> @@ -0,0 +1,16 @@> +Fix extraction of namespace prefix from XML name.> +Fixes CVE-2018-20843> +> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c> +index 30d55c5..737d7cd 100644> +--- a/expat/lib/xmlparse.c> ++++ b/expat/lib/xmlparse.c
^^^^^^
It looks like this has to be removed from the patch file. Could you also add a link to the upstream commit for reference?
It's also good practice to provide an URL to the MITRE CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843.
Thanks for working on this! :-)
Jack Hill wrote on 10 Jul 2019 22:54
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net
Please find updated patch files attached, that I think take into account Marius's suggestions (thanks Marius!)
Best,
Jack
P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns in the attachments.
From 0e1394e7e410ec192b6c883b567ce414864cdbb1 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:03:19 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI

The expat sourceforge page announces that the project is in the process of
moving to GitHub.

* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
 gnu/packages/xml.scm | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
Toggle diff (40 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index fc60758724..b6a376a405 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -20,6 +20,7 @@ ;;; Copyright © 2017 Petter <petter@mykolab.ch> ;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at> ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz> +;;; Copyright © 2018 Jack Hill <jackhill@jackhill.us> ;;; ;;; This file is part of GNU Guix. ;;; @@ -66,13 +67,18 @@ (package (name "expat") (version "2.2.6") - (source (origin - (method url-fetch) - (uri (string-append "mirror://sourceforge/expat/expat/" - version "/expat-" version ".tar.bz2")) - (sha256 - (base32 - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))) + (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.bz2") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.bz2"))) + (sha256 + (base32 + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))) (build-system gnu-build-system) (home-page "https://libexpat.github.io/") (synopsis "Stream-oriented XML parser library written in C") -- 2.22.0
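Review bot: The added header line reads `Copyright © 2018 Jack Hill`, but the commit is dated 10 Jul 2019 and the previous revision of this patch used 2019, so the year looks like a typo and should be corrected before merging.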
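Review bot: In the new `(source (let ...))` form, `dot->underscore` compares characters with `equal?`; `char=?` states the intent and rejects non-character arguments. The GitHub URI reuses the existing sha256, which only works if the release asset is byte-identical to the SourceForge tar.bz2, so confirm that by fetching from each URL separately; a mismatch would be rejected by the hash check but would leave the fallback useless.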
From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:23:03 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
 gnu/local.mk                                  |  1 +
 .../patches/expat-CVE-2018-20843.patch        | 21 +++++++++++++++++++
 gnu/packages/xml.scm                          |  9 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
Toggle diff (68 lines)diff --git a/gnu/local.mk b/gnu/local.mk index 9a70d73759..054aa93fd5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -785,6 +785,7 @@ dist_patch_DATA = \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ %D%/packages/patches/exiv2-CVE-2017-14860.patch \ %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ + %D%/packages/patches/expat-CVE-2018-20843.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch new file mode 100644 index 0000000000..216fbe9667 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch @@ -0,0 +1,21 @@ +Fix extraction of namespace prefix from XML name. +Fixes CVE-2018-20843 + +This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 +https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 + +CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843 + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 30d55c5..737d7cd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType) + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index b6a376a405..fbd0ff284b 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -66,6 +66,7 @@ (define-public expat (package (name "expat") + (replacement expat/fixed) (version "2.2.6") (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) (origin 
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define expat/fixed + (package + (inherit expat) + (source + (origin + (inherit (package-source expat)) + (patches (search-patches "expat-CVE-2018-20843.patch")))))) + (define-public libebml (package (name "libebml") -- 2.22.0
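Review bot: In the embedded expat-CVE-2018-20843.patch the `---` and `+++` lines now say a/lib/xmlparse.c and b/lib/xmlparse.c, but the `diff --git` line above them still says a/expat/lib/xmlparse.c. GNU patch takes the file name from the `---`/`+++` lines, so the patch applies, but the header should be made consistent so the next person refreshing the patch is not misled about which layout it targets.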
Marius Bakke wrote on 12 Jul 2019 01:00
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424-done@debbugs.gnu.org)
87ftncmb1r.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:
> Please find updated patch files attached, that I think take into account
> Marius's suggestions (thanks Marius!)
Thank you! I made a tiny tweak to use char=? instead of equal=? for the character comparison.
Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
Closed
Jack Hill wrote on 12 Jul 2019 01:09
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907111907530.17508@marsh.hcoop.net
On Fri, 12 Jul 2019, Marius Bakke wrote:
> Thank you! I made a tiny tweak to use char=? instead of equal=? for the
> character comparison.
Cool, now I know about char=? ☺
> Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
Thanks, and thanks for being patient with me working through the issues.
Best,
Jack

This issue is archived.

To comment on this conversation send email to 36424@debbugs.gnu.org