Subject: bug#55776: maven-core fails to build
From: Julien Lepiller
To: Remco van 't Veer
Cc: "Dr. Arne Babenhauserheide", 55776@debbugs.gnu.org
Date: Sat, 4 Jun 2022 15:47:07 +0200
Message-ID: <20220604154707.099a3679@sybil.lepiller.eu>
In-Reply-To: <87wndwn2su.fsf@remworks.net>
References: <87sfomwaa6.fsf@web.de> <87wndwn2su.fsf@remworks.net>
List-Id: Bug reports for GNU Guix

On Sat, 04 Jun 2022 12:25:21 +0200, Remco van 't Veer wrote:

> I did some digging and found this regression is caused by commit:
>
> 6068b83b82475566acd4162467bcf54270f338f9
> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>
> Apparently the fix for this issue causes jdom to be very strict;
>
> > java.io.IOException: Invalid input descriptor for merge:
> > /tmp/plexus-metadata3957336728290309540xml -->
> > http://xml.org/sax/features/external-general-entities feature
> > http://xml.org/sax/features/external-general-entities not supported
> > for SAX driver org.codehaus.plexus.metadata.merge.Driver
>
> Which sounds familiar when looking at that CVE
> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>
> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> > cause a denial of service via a crafted HTTP request.
> > At this time
> > there is no released fixed version of JDOM. As a workaround, to
> > avoid external entities being expanded, one can call
> > builder.setExpandEntities(false) and they won't be expanded.
>
> I dunno how to fix this though, I'm just a curious guixer. Easiest
> path seems to be to make a new java-jdom-2.0.6 var and use that as a
> native-input for maven. Would that be an acceptable solution?
>
> Cheers,
> Remco

Like you say, the issue is with the new jdom. Believe it or not, but
between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
changes, too)!

So I figured I could fix java-plexus-component-metadata that we use to
generate some xml files during the build of maven. jdom is one of its
inputs. Adding another jdom to the native inputs would probably not fix
the issue.

What I did instead is, since jdom wants to set more features than
supported in the driver, to add dummy support for all these additional
features by just not throwing the exception. It's not very satisfying,
but it works and we don't keep a vulnerable jdom around.

With the attached patch, I built up to maven.

[Attachment: 0001-gnu-java-plexus-component-metadata-Fix-package.patch]

From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
From: Julien Lepiller
Date: Sat, 4 Jun 2022 15:41:41 +0200
Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.

* gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
newer jdom.
---
 gnu/packages/java.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 336e84e3e5..f475f7c270 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7 (copy-recursively "src/main/resources" "build/classes/") #t)) + (add-before 'build 'fix-jdom + (lambda _ + ;; The newer version of jdom now sets multiple features by default + ;; that are not supported. + ;; Skip these features + (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java" + (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);") + "// skip")))) (add-before 'check 'fix-test-location (lambda _ (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java" -- 2.35.1 --MP_/lx+e1Iwlc1.N82XsMZ/k4VF--
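Review bot: replacing `throw new XmlPullParserException("unsupporte feature "+name);` in MXParser.java with `// skip` makes the plexus driver silently accept every feature name, so the requests the new jdom makes (the one in the report is `http://xml.org/sax/features/external-general-entities`) are neither honoured nor reported back. That is only safe if MXParser never resolves external entities regardless of that feature; please confirm it and say so in the phase comment, which currently only notes that the features "are not supported". Two smaller points on the same hunk: the regex must match the upstream spelling `unsupporte feature` and the `\"+name\\)` spacing exactly, and `substitute*` does not fail when nothing matches, so the build would simply hit the same exception again if upstream ever changes that line; and the ChangeLog entry reads `java-plexus-component-metadat`, missing the final `a` of the variable name.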
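The advisory workaround Remco quotes, `builder.setExpandEntities(false)`, is the application-side counterpart of the driver-side change in the patch. As an added example that is not part of this thread or of jdom, plexus or Guix, the following Java program (JDOM 2 API, `org.jdom2`, on the classpath; Java 11 or later; the class name `JdomEntityCheck` is mine) parses a constructed document whose DOCTYPE declares an external entity pointing at a temporary file the program itself creates, once with a default `SAXBuilder` and once with the hardened one, and reports whether the file contents ended up in the tree or the reference was kept as an `EntityRef`.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import org.jdom2.Content;
import org.jdom2.Document;
import org.jdom2.Element;
import org.jdom2.EntityRef;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public class JdomEntityCheck {
    /** SAXBuilder configured as the quoted advisory workaround suggests. */
    static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Keep entity references as EntityRef nodes instead of expanding them.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Returns true if the external entity was expanded into the tree (the secret leaked). */
    static boolean leaksSecret(SAXBuilder builder, String xml, String secret)
            throws JDOMException, IOException {
        Document doc = builder.build(new StringReader(xml));
        Element root = doc.getRootElement();
        for (Content c : root.getContent()) {
            if (c instanceof EntityRef) {   // an unexpanded reference is what we want to see
                System.out.println("kept as reference: &" + ((EntityRef) c).getName() + ";");
            }
        }
        // Element.getText() only joins Text nodes, so an EntityRef never contributes.
        return root.getText().contains(secret);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file stands in for data the document must not read.
        String secret = "constructed-secret-value";
        Path file = Files.createTempFile("jdom-demo", ".txt");
        Files.writeString(file, secret);
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + file.toUri() + "\">]>\n"
                + "<d>&ext;</d>";
        try {
            System.out.println("default builder leaks:  " + leaksSecret(new SAXBuilder(), xml, secret));
            System.out.println("hardened builder leaks: " + leaksSecret(hardenedBuilder(), xml, secret));
        } finally {
            Files.deleteIfExists(file);
        }
    }
}
```

The hardened builder should report `false` with either jdom version; whether the default builder reports `true` depends on which jdom is on the classpath, which is the behaviour change between 2.0.6 and 2.0.6.1 that this thread is about.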