expat-2.2.7 for CVE-2018-20843

  • Done
Details
3 participants
  • Jack Hill
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Jack Hill
Severity
normal
Jack Hill wrote on 28 Jun 2019 21:56
(address . guix-patches@gnu.org)
alpine.DEB.2.20.1906281553100.17508@marsh.hcoop.net
Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
replacement for expat with expat-2.2.7. I also changed the origin to use
the GitHub hosted tarball as upstream is moving in that direction.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Best,
Jack
Jack Hill wrote on 28 Jun 2019 21:57
gnu: expat: Replace with 2.2.7 [security fixes]
(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1906281557130.17508@marsh.hcoop.net
From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
gnu/packages/xml.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..1be2a58d2e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright ᅵ 2017 Petter <petter@mykolab.ch>
;;; Copyright ᅵ 2017 Stefan Reichᅵr <stefan@xsteve.at>
;;; Copyright ᅵ 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright ᅵ 2019 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -65,6 +66,7 @@
(define-public expat
(package
(name "expat")
+ (replacement expat-2.2.7)
(version "2.2.6")
(source (origin
(method url-fetch)
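Review bot: `(replacement expat-2.2.7)` turns the new package into a graft, and a graft is only safe when the replacement keeps every symbol that dependents were linked against; a minor version bump should be checked against the old library before it is used here, for example by running `abidiff` (from libabigail) on the 2.2.6 and 2.2.7 `libexpat.so`, since any symbol dropped between releases breaks those dependents silently at run time.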
@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))

+(define-public expat-2.2.7
+ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (package
+ (inherit expat)
+ (version "2.2.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh")))))))
+
(define-public libebml
(package
(name "libebml")
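Review bot: `dot->underscore` compares characters with `equal?`; `char=?` is the character-specific predicate and states the intent directly: `(lambda (c) (if (char=? #\. c) #\_ c))`. Note also that this origin fetches `.tar.xz` while the 2.2.6 package fetches `.tar.bz2` from sourceforge, so the new `sha256` cannot be cross-checked against a second mirror of the same release; the commit message should say where the hash was obtained.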
--
2.22.0
Marius Bakke wrote on 30 Jun 2019 12:12
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
87o92fv0u1.fsf@devup.no
Hi Jack,

Jack Hill <jackhill@jackhill.us> writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch! It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

XmlGetUtf16InternalEncoding
XmlGetUtf16InternalEncodingNS
XmlGetUtf8InternalEncoding
XmlGetUtf8InternalEncodingNS
XmlInitEncoding
XmlInitEncodingNS
XmlInitUnknownEncoding
XmlInitUnknownEncodingNS
XmlParseXmlDecl
XmlParseXmlDeclNS
XmlPrologStateInit
XmlPrologStateInitExternalEntity
XmlSizeOfUnknownEncoding
XmlUtf16Encode
XmlUtf8Encode

Apparently these symbols were never supposed to be exported:
<https://github.com/libexpat/libexpat/pull/197>. However, there could
be packages "in the wild" that use these symbols and would silently
break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit:
<https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.

I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)

Thanks in advance,
Marius
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0YiwYACgkQoqBt8qM6
VPooDAf+I0S7p4d76MiWIJeWCKLhIxCuu0hbxJbwq8GrfrYYmpVwBcB8BgyXhlQX
sJ4GSZEUX1h8hKbRHhSBeVsLIXrUaiNVYK1nNjdL4s5FCxzdhWpVuHypuUiBPOk5
rHkebNNF6/bnKEmaiUzE0gE86aJTs00nBDbz0bPIBENPbgBNy01SA2aM/c17LgsF
O/panqcs4lD0F23HBDJ9sc3cwvIIXVC8QHjR+Y+aOAbbwQrhcKX7ozTVRTwAQ7/v
azmtw8fNq9YfFiVM9aLq85whX113UxnCPqq21YbI2IiJ/R4NdlVpy1mJxHeQBXQ5
g2sexaRXdKqOLREjNSYKxpje3IP7jw==
=ZWs1
-----END PGP SIGNATURE-----

Jack Hill wrote on 2 Jul 2019 22:49
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907021647200.17508@marsh.hcoop.net
Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:

> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
> XmlGetUtf16InternalEncoding
> XmlGetUtf16InternalEncodingNS
> XmlGetUtf8InternalEncoding
> XmlGetUtf8InternalEncodingNS
> XmlInitEncoding
> XmlInitEncodingNS
> XmlInitUnknownEncoding
> XmlInitUnknownEncodingNS
> XmlParseXmlDecl
> XmlParseXmlDeclNS
> XmlPrologStateInit
> XmlPrologStateInitExternalEntity
> XmlSizeOfUnknownEncoding
> XmlUtf16Encode
> XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> <https://github.com/libexpat/libexpat/pull/197>. However, there could
> be packages "in the wild" that uses these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>
> I think it's better to graft a variant with only this patch to be on the
> safe side. Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package? :-)

I'll try that as well.

I'll also try to not let my mail client mangle them :)

Best,
Jack
Ludovic Courtès wrote on 3 Jul 2019 00:34
control message for bug #36424
(address . control@debbugs.gnu.org)
87imsk3w25.fsf@gnu.org
tags 36424 + security
quit
Jack Hill wrote on 5 Jul 2019 01:49
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041947340.17508@marsh.hcoop.net
On Tue, 2 Jul 2019, Jack Hill wrote:

>> Apparently these symbols were never supposed to be exported:
>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>> be packages "in the wild" that uses these symbols and would silently
>> break with the grafted Expat.
>>
>> IIUC the fix for CVE-2018-20843 is this commit:
>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>
>> I think it's better to graft a variant with only this patch to be on the
>> safe side. Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package? :-)
>
> I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's
proposed solution.

Thanks,
Jack
From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 17:00:27 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI

The expat sourceforge page announces that the project is in the process of
moving to GitHub.

* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..dab6597690 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2017 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2019 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -63,24 +64,30 @@
#:use-module (gnu packages pkg-config))
(define-public expat
- (package
- (name "expat")
- (version "2.2.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/expat/expat/"
- version "/expat-" version ".tar.bz2"))
- (sha256
- (base32
- "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
- (build-system gnu-build-system)
- (home-page "https://libexpat.github.io/")
- (synopsis "Stream-oriented XML parser library written in C")
- (description
- "Expat is an XML parser library written in C. It is a
+ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (package
+ (name "expat")
+ (version "2.2.6")
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append
+ "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.bz2")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.bz2")))
+ (sha256
+ (base32
+ "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
+ (build-system gnu-build-system)
+ (home-page "https://libexpat.github.io/")
+ (synopsis "Stream-oriented XML parser library written in C")
+ (description
+ "Expat is an XML parser library written in C. It is a
stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
- (license license:expat)))
+ (license license:expat))))
(define-public libebml
(package
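Review bot: the whole package body is reindented only to bring `dot->underscore` into scope; binding it inside the `(source ...)` field, as `(source (let ((dot->underscore ...)) (origin ...)))`, leaves the rest of the definition untouched and keeps the diff to the lines that actually change. Since both URIs in the `uri` list share one `sha256`, they must serve byte-identical tarballs; that is expected of a mirror list, but it is worth confirming once with `guix download` on each URL before pushing.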
--
2.22.0
From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 19:41:30 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
gnu/local.mk | 7 ++++---
gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
gnu/packages/xml.scm | 9 +++++++++
3 files changed, 29 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6e90d88689..bcf47d7378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,20 +764,21 @@ dist_patch_DATA = \
%D%/packages/patches/einstein-build.patch \
%D%/packages/patches/emacs-exec-path.patch \
%D%/packages/patches/emacs-fix-scheme-indent-function.patch \
- %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
%D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
+ %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
%D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
%D%/packages/patches/emacs-source-date-epoch.patch \
- %D%/packages/patches/emacs-unpackaged-req.patch \
%D%/packages/patches/emacs-undohist-ignored.patch \
+ %D%/packages/patches/emacs-unpackaged-req.patch \
%D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
%D%/packages/patches/emacs-zones-called-interactively.patch \
%D%/packages/patches/enlightenment-fix-setuid-path.patch \
%D%/packages/patches/erlang-man-path.patch \
%D%/packages/patches/eudev-rules-directory.patch \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
- %D%/packages/patches/exiv2-CVE-2017-14860.patch \
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
+ %D%/packages/patches/exiv2-CVE-2017-14860.patch \
+ %D%/packages/patches/expat-CVE-2018-20843.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
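Review bot: besides the added `expat-CVE-2018-20843.patch` entry, this hunk swaps the order of three pairs of existing lines (`emacs-json-reformat-fix-tests`/`emacs-highlight-stages-add-gexp`, `emacs-unpackaged-req`/`emacs-undohist-ignored`, `exiv2-CVE-2017-14860`/`exiv2-CVE-2017-14859-14862-14864`). A security fix should carry only its own line, so the hunk stays a one-line insertion and does not create merge conflicts in this frequently edited file.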
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..dd64b91965
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,16 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
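Review bot: the `---`/`+++` headers name `a/expat/lib/xmlparse.c` and `b/expat/lib/xmlparse.c`, the path inside the libexpat git tree; the release tarball is rooted one level down, at `lib/xmlparse.c`, so with the `-p1` strip used for package patches the file is not found and the patch does not apply. Drop the `expat/` component from both header lines. The header text should also cite the upstream commit the hunk was taken from and the CVE URL, so a later reader can verify the backport against its source.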
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index dab6597690..8c289c5cbe 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -67,6 +67,7 @@
(let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
(package
(name "expat")
+ (replacement expat/fixed)
(version "2.2.6")
(source (origin
(method url-fetch)
@@ -89,6 +90,14 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat))))
+(define expat/fixed
+ (package
+ (inherit expat)
+ (source
+ (origin
+ (inherit (package-source expat))
+ (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
(define-public libebml
(package
(name "libebml")
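Review bot: `expat/fixed` keeps version 2.2.6 and changes only the source patches, so the graft leaves the exported symbol set of `libexpat.so` unchanged, which is exactly the property a replacement needs; a plain `define` rather than `define-public` is right for a graft-only variant. Because `(inherit (package-source expat))` copies the `uri` list as well, both download locations remain available for the fixed variant.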
--
2.22.0
Jack Hill wrote on 5 Jul 2019 01:57
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041955400.17508@marsh.hcoop.net
Woops, looks like I still mangled the patches (by adding carriage-returns),
but hopefully in a way that they still apply without infecting the code
with that problem.

I guess Alpine has let me down. At any rate, hopefully they're still
useful and fix the problem. Let me know if you'd like me to try again.

Best,
Jack
Jack Hill wrote on 5 Jul 2019 02:02
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041959080.17508@marsh.hcoop.net
Also, sorry for the extra noise in gnu/local.mk. I had inserted my patch
in the wrong place and alphabetized a number of lines using my
en_us.UTF-8 locale to fix it. Let me know if I should re-submit without
the extraneous changes.

Today hasn't been the best day for computer use for me I'm afraid.

Best,
Jack
Marius Bakke wrote on 6 Jul 2019 00:53
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424@debbugs.gnu.org)
87wogwqein.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:

> On Tue, 2 Jul 2019, Jack Hill wrote:
>
>>> Apparently these symbols were never supposed to be exported:
>>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>>> be packages "in the wild" that uses these symbols and would silently
>>> break with the grafted Expat.
>>>
>>> IIUC the fix for CVE-2018-20843 is this commit:
>>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>>
>>> I think it's better to graft a variant with only this patch to be on the
>>> safe side. Can you try that?
>>
>> Good idea. I didn't think to check. Yes, I can try to do that.
>>
>>> Could you also submit a second patch that adds GitHub as an additional
>>> download location for the regular Expat package? :-)
>>
>> I'll try that as well.
>
> I've prepared the two attached patches that I believe implement Marius's
> proposed solution.

Thanks!

One minor problem... the expat patch does not actually apply on our copy
of expat! Can you look into it?

> From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
> From: Jack Hill <jackhill@jackhill.us>
> Date: Thu, 4 Jul 2019 17:00:27 -0400
> Subject: [PATCH 1/2] gnu: expat: Add additional source URI
>
> The expat sourceforge page announces that the project is in the process of
> moving to GitHub.
>
> * gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
> ---
> gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
> 1 file changed, 23 insertions(+), 16 deletions(-)

[...]
> (define-public expat
> - (package
> - (name "expat")
> - (version "2.2.6")
> - (source (origin
> - (method url-fetch)
> - (uri (string-append "mirror://sourceforge/expat/expat/"
> - version "/expat-" version ".tar.bz2"))
> - (sha256
> - (base32
> - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> - (build-system gnu-build-system)
> - (home-page "https://libexpat.github.io/")
> - (synopsis "Stream-oriented XML parser library written in C")
> - (description
> - "Expat is an XML parser library written in C. It is a
> + (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
> + (package
> + (name "expat")
> + (version "2.2.6")
> + (source (origin
> + (method url-fetch)
> + (uri (list (string-append
> + "mirror://sourceforge/expat/expat/"
> + version "/expat-" version ".tar.bz2")
> + (string-append
> + "https://github.com/libexpat/libexpat/releases/download/R_"
> + (string-map dot->underscore version)
> + "/expat-" version ".tar.bz2")))
> + (sha256
> + (base32
> + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> + (build-system gnu-build-system)
> + (home-page "https://libexpat.github.io/")
> + (synopsis "Stream-oriented XML parser library written in C")
> + (description
> + "Expat is an XML parser library written in C. It is a

Can you move this let binding inside the (source ...) field? That way
we don't have to reindent the whole thing.

> From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
> From: Jack Hill <jackhill@jackhill.us>
> Date: Thu, 4 Jul 2019 19:41:30 -0400
> Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.
>
> * gnu/packages/xml.scm (expat)[replacement]: New field.
> (expat/fixed): New variable.
> * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patch file.
> ---
> gnu/local.mk | 7 ++++---
> gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
> gnu/packages/xml.scm | 9 +++++++++
> 3 files changed, 29 insertions(+), 3 deletions(-)
> create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 6e90d88689..bcf47d7378 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -764,20 +764,21 @@ dist_patch_DATA = \
> %D%/packages/patches/einstein-build.patch \
> %D%/packages/patches/emacs-exec-path.patch \
> %D%/packages/patches/emacs-fix-scheme-indent-function.patch \
> - %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
> %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
> + %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
> %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
> %D%/packages/patches/emacs-source-date-epoch.patch \
> - %D%/packages/patches/emacs-unpackaged-req.patch \
> %D%/packages/patches/emacs-undohist-ignored.patch \
> + %D%/packages/patches/emacs-unpackaged-req.patch \
> %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
> %D%/packages/patches/emacs-zones-called-interactively.patch \
> %D%/packages/patches/enlightenment-fix-setuid-path.patch \
> %D%/packages/patches/erlang-man-path.patch \
> %D%/packages/patches/eudev-rules-directory.patch \
> %D%/packages/patches/evilwm-lost-focus-bug.patch \
> - %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
> + %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> + %D%/packages/patches/expat-CVE-2018-20843.patch \

You addressed this in another email, and I do think we should try to
avoid needless moving around of these lines. There are enough merge
conflicts on this file as-is, no need to introduce artificial ones. :-)

> %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
> %D%/packages/patches/fastcap-mulGlobal.patch \
> %D%/packages/patches/fastcap-mulSetup.patch \
> diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
> new file mode 100644
> index 0000000000..dd64b91965
> --- /dev/null
> +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
> @@ -0,0 +1,16 @@
> +Fix extraction of namespace prefix from XML name.
> +Fixes CVE-2018-20843
> +
> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
> +index 30d55c5..737d7cd 100644
> +--- a/expat/lib/xmlparse.c
> ++++ b/expat/lib/xmlparse.c
^^^^^^
It looks like this has to be removed from the patch file. Could you
also add a link to the upstream commit for reference?

It's also good practice to provide a URL to the MITRE CVE page:
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843>.

Thanks for working on this! :-)
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0f1QAACgkQoqBt8qM6
VPokxgf/ZxWLCSKT7mZBETM3yxCw634v/XEY/JumAEXmP7pxHEbvI3CWi4KpWUph
svfg7zqUcuIOj9nwla1tIRXESltTDbnuAd8VLRxFEUZbPBh3yN50JFkdIS1v7qcD
2gCT06D+qmiTB0tbxFLyyDysh5sjx7bV3DlDw5Lei6v7i+LxC0oRbvQ1qi30IUZx
5T/9CXuaZr4iN5bE0y2fk7cVrXnOgIVJ0hK8yy3492e4o0b3aRrtCV4uZo5DdNTX
hVeTQmWE8fS0SnyjthU3fAWKoJOsiEyxgwc/PlyAyg8HOFtQ9gNyWR4BICqf8h9N
lJyEa6Ugn98aBB9swAEMOmqXt8Os4g==
=TjuK
-----END PGP SIGNATURE-----

Jack Hill wrote on 10 Jul 2019 22:54
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net
Please find updated patch files attached, that I think take into account
Marius's suggestions (thanks Marius!)

Best,
Jack

P.S. I'm afraid I'm still struggling with alpine inserting carriage returns
in the attachments.
From 0e1394e7e410ec192b6c883b567ce414864cdbb1 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:03:19 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI

The expat sourceforge page announces that the project is in the process of
moving to GitHub.

* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
gnu/packages/xml.scm | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..b6a376a405 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2017 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2018 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
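Review bot: the new copyright line reads `2018`, but the patch is dated 10 Jul 2019 and the same line in the earlier revision of this series read `2019`; the year should be the one in which the contribution is made.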
@@ -66,13 +67,18 @@
(package
(name "expat")
(version "2.2.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/expat/expat/"
- version "/expat-" version ".tar.bz2"))
- (sha256
- (base32
- "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
+ (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.bz2")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.bz2")))
+ (sha256
+ (base32
+ "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))))
(build-system gnu-build-system)
(home-page "https://libexpat.github.io/")
(synopsis "Stream-oriented XML parser library written in C")
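Review bot: with the `let` scoped to the `(source ...)` field only the origin lines change, which is the right shape for this hunk. Remaining nit: `(equal? #\. c)` works, but `char=?` is the character-specific predicate and reads more clearly. The two-URI list with a single shared `sha256` is correct for a mirror-style fallback, since `url-fetch` tries the locations in order and the hash guarantees both deliver the same bytes.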
--
2.22.0
From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:23:03 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
gnu/local.mk | 1 +
.../patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++
gnu/packages/xml.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 9a70d73759..054aa93fd5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -785,6 +785,7 @@ dist_patch_DATA = \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
%D%/packages/patches/exiv2-CVE-2017-14860.patch \
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
+ %D%/packages/patches/expat-CVE-2018-20843.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..216fbe9667
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,21 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
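Review bot: the `---`/`+++` lines now read `lib/xmlparse.c`, matching the tarball layout, so the `-p1` strip finds the file; the `diff --git a/expat/lib/xmlparse.c ...` and `index` lines above them still carry the in-tree paths, which `patch` ignores but which a reader comparing against upstream may find confusing, so they are worth aligning too. Citing the upstream commit and the CVE URL in the header is the right provenance for a backported fix.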
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b6a376a405..fbd0ff284b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -66,6 +66,7 @@
(define-public expat
(package
(name "expat")
+ (replacement expat/fixed)
(version "2.2.6")
(source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
(origin
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define expat/fixed
+ (package
+ (inherit expat)
+ (source
+ (origin
+ (inherit (package-source expat))
+ (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
(define-public libebml
(package
(name "libebml")
--
2.22.0
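The patch file carried by the 5 Jul and 10 Jul series adds a single `break;` after `elementType->prefix = prefix;`. The following C program is an added example, not expat code and not part of this thread, that models why that one line matters. It reproduces the shape of the loop in `setElementTypePrefix()` with a plain buffer standing in for the DTD string pool and prefix table, and counts how many characters are copied when an element name contains many colons. Without the `break`, every colon in the name triggers another copy of an ever-longer candidate prefix, so the work grows with the square of the colon count; with it, the loop stops at the first colon. The function names (`prefix_work`, `work_for_colons`, `prefix_is`) and the `a:a:...:a` input are constructed for this example.

```c
/* Added example: a simplified model of the loop patched by
 * expat-CVE-2018-20843.patch.  Not expat code; the DTD string pool and
 * the prefix hash table are replaced by a plain character buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan NAME for ':' the way setElementTypePrefix() does.  Each time a
 * colon is found, the characters before it are copied out as the
 * candidate prefix.  With STOP_AT_FIRST set (the patched behaviour) the
 * loop ends after the first colon; without it (the 2.2.6 behaviour) the
 * copy is repeated for every colon in the name.  Returns the total
 * number of characters copied, a proxy for CPU work.  The final prefix
 * is left in PREFIX_OUT, which must hold at least strlen(NAME)+1 bytes. */
static size_t prefix_work(const char *name, int stop_at_first, char *prefix_out)
{
    size_t work = 0;
    const char *p;
    prefix_out[0] = '\0';                   /* no colon: empty prefix */
    for (p = name; *p; p++) {
        if (*p == ':') {
            size_t len = (size_t)(p - name);
            memcpy(prefix_out, name, len);  /* pool append of name[0..len) */
            prefix_out[len] = '\0';
            work += len;
            if (stop_at_first)
                break;                      /* the one-line upstream fix */
        }
    }
    return work;
}

/* Build the constructed worst-case name "a:a:...:a" containing K colons. */
static char *make_colon_name(size_t k)
{
    char *name = malloc(2 * k + 2);
    size_t i;
    if (!name)
        return NULL;
    name[0] = 'a';
    for (i = 0; i < k; i++) {
        name[2 * i + 1] = ':';
        name[2 * i + 2] = 'a';
    }
    name[2 * k + 1] = '\0';
    return name;
}

/* Characters copied for a name with K colons; FIXED selects the
 * patched loop.  Returns 0 on allocation failure. */
size_t work_for_colons(size_t k, int fixed)
{
    char *name = make_colon_name(k);
    char *prefix;
    size_t work;
    if (!name)
        return 0;
    prefix = malloc(strlen(name) + 1);
    if (!prefix) {
        free(name);
        return 0;
    }
    work = prefix_work(name, fixed, prefix);
    free(prefix);
    free(name);
    return work;
}

/* 1 if processing NAME leaves EXPECTED as the prefix, else 0. */
int prefix_is(const char *name, int fixed, const char *expected)
{
    char *prefix = malloc(strlen(name) + 1);
    int ok;
    if (!prefix)
        return 0;
    prefix_work(name, fixed, prefix);
    ok = strcmp(prefix, expected) == 0;
    free(prefix);
    return ok;
}

int main(void)
{
    size_t k;
    printf("%8s %12s %12s\n", "colons", "2.2.6 work", "fixed work");
    for (k = 10; k <= 10000; k *= 10)
        printf("%8zu %12zu %12zu\n", k,
               work_for_colons(k, 0), work_for_colons(k, 1));
    return 0;
}
```

Compile with `cc -std=c99 -o prefix_work prefix_work.c` and run it: the unfixed column grows as the square of the colon count while the fixed column stays at 1. That growth is what lets a small document with long, colon-heavy element names consume disproportionate parser time, and it is why the graft is worth carrying even though the fix is a single line. The unfixed loop also leaves the prefix set to the text before the last colon rather than the first, so the `break` corrects the result as well as the cost.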
Marius Bakke wrote on 12 Jul 2019 01:00
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424-done@debbugs.gnu.org)
87ftncmb1r.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:

> Please find updated patch files attached, that I think take into account
> Marius's suggestions (thanks Marius!)

Thank you! I made a tiny tweak to use char=? instead of equal=? for the
character comparison.

Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0nv5AACgkQoqBt8qM6
VPp62Qf9GdcExbQZBZibWrWR09y++bap5ymjWFSpcFm9TYqcOKfZKlk5UwijG2M7
rkYQnLfYM+1NKbvfYSxoZHLMtOryZ5ssbdP+JWYkHrxW8CEAx2ndAVDAzCP85oYH
7FzQlL6AVuP94SZ4Xwo/QGPTsvZvFX5CfhcCzzOlT4NHUVjMS6VbCOuYvI7TAl/x
I9+qqi5AMrbkQxmp5y52WAAZDVx9mRZm+GlXUwNQzebXkxpazEjuviPapOwLgK7v
wMCILM23KkaG5YJWV7CyLcNoVIu9ThpmGVzqlZF0BnKlI8DuRZWw2dcEhmCgBcnJ
mHehz2UlwCn9krdV6MIV497FajmIsw==
=tn/b
-----END PGP SIGNATURE-----

Closed
Jack Hill wrote on 12 Jul 2019 01:09
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907111907530.17508@marsh.hcoop.net
On Fri, 12 Jul 2019, Marius Bakke wrote:

> Thank you! I made a tiny tweak to use char=? instead of equal=? for the
> character comparison.

Cool, now I know about char=?

> Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.

Thanks, and thanks for being patient with me working through the issues.

Best,
Jack