From: Marius Bakke
To: Jack Hill
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Sat, 06 Jul 2019 00:53:52 +0200
Message-ID: <87wogwqein.fsf@devup.no>
References: <87o92fv0u1.fsf@devup.no>

Jack Hill writes:

> On Tue, 2 Jul 2019, Jack Hill wrote:
>
>>> Apparently these symbols were never supposed to be exported:
>>> .  However, there could
>>> be packages "in the wild" that use these symbols and would silently
>>> break with the grafted Expat.
>>>
>>> IIUC the fix for CVE-2018-20843 is this commit:
>>> .
>>>
>>> I think it's better to graft a variant with only this patch to be on the
>>> safe side.  Can you try that?
>>
>> Good idea.  I didn't think to check.  Yes, I can try to do that.
>>
>>> Could you also submit a second patch that adds GitHub as an additional
>>> download location for the regular Expat package? :-)
>>
>> I'll try that as well.
>
> I've prepared the two attached patches that I believe implement Marius's
> proposed solution.

Thanks!  One minor problem... the expat patch does not actually apply on
our copy of expat!  Can you look into it?

> From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
> From: Jack Hill
> Date: Thu, 4 Jul 2019 17:00:27 -0400
> Subject: [PATCH 1/2] gnu: expat: Add additional source URI
>
> The expat sourceforge page announces that the project is in the process of
> moving to GitHub.
>
> * gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
> ---
>  gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
>  1 file changed, 23 insertions(+), 16 deletions(-)

[...]

>  (define-public expat
> -  (package
> -    (name "expat")
> -    (version "2.2.6")
> -    (source (origin
> -              (method url-fetch)
> -              (uri (string-append "mirror://sourceforge/expat/expat/"
> -                                  version "/expat-" version ".tar.bz2"))
> -              (sha256
> -               (base32
> -                "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> -    (build-system gnu-build-system)
> -    (home-page "https://libexpat.github.io/")
> -    (synopsis "Stream-oriented XML parser library written in C")
> -    (description
> -     "Expat is an XML parser library written in C.  It is a
> +  (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
> +    (package
> +      (name "expat")
> +      (version "2.2.6")
> +      (source (origin
> +                (method url-fetch)
> +                (uri (list (string-append
> +                            "mirror://sourceforge/expat/expat/"
> +                            version "/expat-" version ".tar.bz2")
> +                           (string-append
> +                            "https://github.com/libexpat/libexpat/releases/download/R_"
> +                            (string-map dot->underscore version)
> +                            "/expat-" version ".tar.bz2")))
> +                (sha256
> +                 (base32
> +                  "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> +      (build-system gnu-build-system)
> +      (home-page "https://libexpat.github.io/")
> +      (synopsis "Stream-oriented XML parser library written in C")
> +      (description
> +       "Expat is an XML parser library written in C.  It is a

Can you move this let binding inside the (source ...) field?  That way we
don't have to reindent the whole thing.

> From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
> From: Jack Hill
> Date: Thu, 4 Jul 2019 19:41:30 -0400
> Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.
>
> * gnu/packages/xml.scm (expat)[replacement]: New field.
> (expat/fixed): New variable.
> * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patch file.
> ---
>  gnu/local.mk                                    |  7 ++++---
>  gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
>  gnu/packages/xml.scm                            |  9 +++++++++
>  3 files changed, 29 insertions(+), 3 deletions(-)
>  create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 6e90d88689..bcf47d7378 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -764,20 +764,21 @@ dist_patch_DATA = \
>    %D%/packages/patches/einstein-build.patch \
>    %D%/packages/patches/emacs-exec-path.patch \
>    %D%/packages/patches/emacs-fix-scheme-indent-function.patch \
> -  %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
>    %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
> +  %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
>    %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
>    %D%/packages/patches/emacs-source-date-epoch.patch \
> -  %D%/packages/patches/emacs-unpackaged-req.patch \
>    %D%/packages/patches/emacs-undohist-ignored.patch \
> +  %D%/packages/patches/emacs-unpackaged-req.patch \
>    %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
>    %D%/packages/patches/emacs-zones-called-interactively.patch \
>    %D%/packages/patches/enlightenment-fix-setuid-path.patch \
>    %D%/packages/patches/erlang-man-path.patch \
>    %D%/packages/patches/eudev-rules-directory.patch \
>    %D%/packages/patches/evilwm-lost-focus-bug.patch \
> -  %D%/packages/patches/exiv2-CVE-2017-14860.patch \
>    %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
> +  %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> +  %D%/packages/patches/expat-CVE-2018-20843.patch \

You addressed this in another email, and I do think we should try to avoid
needless moving around of these lines.  There are enough merge conflicts on
this file as-is, no need to introduce artificial ones. :-)

>    %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
>    %D%/packages/patches/fastcap-mulGlobal.patch \
>    %D%/packages/patches/fastcap-mulSetup.patch \
> diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
> new file mode 100644
> index 0000000000..dd64b91965
> --- /dev/null
> +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
> @@ -0,0 +1,16 @@
> +Fix extraction of namespace prefix from XML name.
> +Fixes CVE-2018-20843
> +
> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
> +index 30d55c5..737d7cd 100644
> +--- a/expat/lib/xmlparse.c
> ++++ b/expat/lib/xmlparse.c
         ^^^^^^

It looks like this has to be removed from the patch file.

Could you also add a link to the upstream commit for reference?  It's also
good practice to provide a URL to the MITRE CVE page: .

Thanks for working on this! :-)
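Review bot: in the gnu/packages/xml.scm hunk of PATCH 1/2, both entries of the new `uri` list sit under the single existing sha256, so the GitHub release asset must be byte-for-byte the same tarball as the SourceForge one; confirming that with `guix download` on the GitHub URL before pushing is worthwhile, because a mismatch would only surface once the first mirror is unavailable. On the same hunk, `(equal? #\. c)` compares characters with the generic predicate where `char=?` is the idiomatic one, and the helper can be inlined as `(string-map (lambda (c) (if (char=? c #\.) #\_ c)) version)` inside the `uri` form, which also avoids the whole-package reindentation that makes up most of the 23 insertions / 16 deletions.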
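Review bot: in the hunk adding gnu/packages/patches/expat-CVE-2018-20843.patch, the file header lines `--- a/expat/lib/xmlparse.c` and `+++ b/expat/lib/xmlparse.c` carry the `expat/` prefix of the upstream git checkout, while the release tarball the package builds from has `lib/xmlparse.c` at its top level; with the default `-p1` strip that path mismatch is exactly why the patch "does not actually apply". Rewriting them to `a/lib/xmlparse.c` and `b/lib/xmlparse.c` (the `index` line can go too, `patch` ignores it) fixes the application; the comment lines above the first `diff --git` are also where the upstream commit URL and the MITRE CVE URL asked for above belong, since only 7 of the file's 16 lines are quoted here and neither reference is among them.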