From: Marius Bakke
To: Jack Hill, 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Sun, 30 Jun 2019 12:12:22 +0200
Message-ID: <87o92fv0u1.fsf@devup.no>

Hi Jack,

Jack Hill writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch! It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode

Apparently these symbols were never supposed to be exported: .

However, there could be packages "in the wild" that use these symbols
and would silently break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit: .

I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)

Thanks in advance,
Marius
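
The concern raised in the message above, that a dependent may still import symbols the replacement library no longer exports, can be checked mechanically. The following is an added example, not part of the original message or of Guix: it intersects the removed symbols in an abidiff report with the undefined dynamic symbols of a dependent as printed by `nm -D --undefined-only`. The sample inputs, the dependent, and the function names are constructed for illustration.

```python
import re

# Constructed input, abridged from the abidiff report quoted in the message.
ABIDIFF_REPORT = """\
Function symbols changes summary: 3 Removed, 0 Added function symbols not referenced by debug info

3 Removed function symbols not referenced by debug info:

  XmlInitEncoding
  XmlParseXmlDecl
  XmlUtf8Encode
"""

# Constructed `nm -D --undefined-only` output for a hypothetical dependent.
NM_DEPENDENT = """\
                 U XML_ParserCreate
                 U XML_Parse
                 U XmlUtf8Encode
                 U memcpy@GLIBC_2.14
                 w __gmon_start__
"""

def removed_symbols(report):
    """Return names listed under abidiff's 'N Removed ... symbols' headings."""
    removed, in_section = set(), False
    for line in report.splitlines():
        if re.match(r"\d+ Removed (function|variable) symbols? ", line):
            in_section = True
        elif in_section and line.strip():
            if not line.startswith((" ", "\t")):  # next unindented heading ends the list
                in_section = False
                continue
            removed.add(line.split()[-1])  # last field; tolerates a leading tag (assumption)
    return removed

def undefined_symbols(nm_output):
    """Return imported names (nm types U, w, v) with any @VERSION suffix stripped."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in ("U", "w", "v"):
            names.add(fields[-1].split("@")[0])
    return names

def broken_imports(report, nm_output):
    """Symbols the dependent imports that the replacement library dropped."""
    return sorted(removed_symbols(report) & undefined_symbols(nm_output))

if __name__ == "__main__":
    print(broken_imports(ABIDIFF_REPORT, NM_DEPENDENT))
```

An empty result for every dependent of the library means none of them links against the removed symbols; any non-empty result names the imports that would fail to resolve against the graft.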