unofficial mirror of bug-guix@gnu.org 
From: Andrew Tropin <andrew@trop.in>
To: Julien Lepiller <julien@lepiller.eu>,
	Remco van 't Veer <remco@remworks.net>
Cc: "Dr. Arne Babenhauserheide" <arne_bab@web.de>, 55776@debbugs.gnu.org
Subject: bug#55776: maven-core fails to build
Date: Wed, 08 Jun 2022 18:35:54 +0300	[thread overview]
Message-ID: <87k09r9nhh.fsf@trop.in> (raw)
In-Reply-To: <20220604154707.099a3679@sybil.lepiller.eu>


On 2022-06-04 15:47, Julien Lepiller wrote:

> Le Sat, 04 Jun 2022 12:25:21 +0200,
> Remco van 't Veer <remco@remworks.net> a écrit :
>
>> I did some digging and found this regression is caused by commit:
>> 
>>  6068b83b82475566acd4162467bcf54270f338f9
>>  "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>> 
>> Apparently the fix for this issue causes jdom to be very strict;
>> 
>> > java.io.IOException: Invalid input descriptor for merge:
>> > /tmp/plexus-metadata3957336728290309540xml -->
>> > http://xml.org/sax/features/external-general-entities feature
>> > http://xml.org/sax/features/external-general-entities not supported
>> > for SAX driver org.codehaus.plexus.metadata.merge.Driver  
>> 
>> Which sounds familiar when looking at that CVE
>> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>> 
>> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
>> > cause a denial of service via a crafted HTTP request. At this time
>> > there is not released fixed version of JDOM. As a workaround, to
>> > avoid external entities being expanded, one can call
>> > builder.setExpandEntities(false) and they won't be expanded.  
>> 
>> I dunno how to fix this though, I'm just a curious guixer.  Easiest
>> path seems to be to make a new java-jdom-2.0.6 var and use that as a
>> native-input for maven.  Would that be an acceptable solution?
>> 
>> Cheers,
>> Remco
>> 
>
> Like you say, the issue is with the new jdom. Believe it or not, but
> between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
> changes, too)!
>
> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.
>
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.
> From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Sat, 4 Jun 2022 15:41:41 +0200
> Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.
>
> * gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
>   newer jdom.
> ---
>  gnu/packages/java.scm | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index 336e84e3e5..f475f7c270 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
>               (copy-recursively "src/main/resources"
>                                 "build/classes/")
>               #t))
> +         (add-before 'build 'fix-jdom
> +           (lambda _
> +             ;; The newer version of jdom now sets multiple features by default
> +             ;; that are not supported.
> +             ;; Skip these features
> +             (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
> +               (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
> +                "// skip"))))
>           (add-before 'check 'fix-test-location
>             (lambda _
>               (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"
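Review bot: the replacement on the `substitute*` line turns every unsupported-feature error into a silent success, not only the one jdom now triggers: after the change, MXParser accepts any feature name, including the `http://xml.org/sax/features/external-general-entities` feature named in Remco's trace, without doing anything about it, so a caller that relies on setFeature to restrict the parser gets neither an error nor a restriction. Consider matching only the feature names jdom 2.0.6.1 sets (the ones in the trace) and stating in the comment why ignoring them is safe for this driver, rather than dropping the throw wholesale. Also check the surrounding Java: if the `throw` is the sole statement of an unbraced `if`/`else` branch, replacing it with the line comment `// skip` pulls the following statement into that branch. Minor: the ChangeLog entry names `java-plexus-component-metadat`, missing the trailing `a`.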

Works for me as well.  Probably can be merged to master?

-- 
Best regards,
Andrew Tropin
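For readers who consume jdom rather than package it, here is the consumer-side view of what this thread is about: an added example (not code from the thread, from Guix, or from the plexus project) that configures a JDOM 2 SAXBuilder with the advisory's workaround plus the SAX hardening features, and fails closed when the underlying driver rejects one of them, which is exactly the JDOMException the build above ran into. It assumes the JDOM 2.x API and a Xerces-style JAXP parser that honours those feature URIs; the two XML inputs are constructed.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

public class HardenedJdomParse {
    // Constructed sample inputs, not taken from the bug report.
    static final String PLAIN = "<component><role>org.example.Role</role></component>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE component [<!ENTITY x \"y\">]><component>&x;</component>";

    /** Parse with entity expansion, external entities and DOCTYPEs disabled.
     *  If the SAX driver does not implement one of the features, build()
     *  throws JDOMException ("... not supported for SAX driver ..."), the
     *  same error seen in the thread; we let it propagate instead of
     *  continuing with an unrestricted parser. */
    static Document parseHardened(String xml) throws JDOMException, IOException {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Workaround quoted from the advisory: entity references stay as
        // EntityRef nodes rather than being resolved.
        builder.setExpandEntities(false);
        // Tell the driver itself not to fetch external entities and to
        // reject inline DTDs (the latter is a Xerces/JDK feature URI).
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return builder.build(new StringReader(xml));
    }

    public static void main(String[] args) throws IOException {
        try {
            Document ok = parseHardened(PLAIN);
            System.out.println("parsed: " + ok.getRootElement().getName());
        } catch (JDOMException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            parseHardened(WITH_DOCTYPE);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (JDOMException e) {
            // Expected with a Xerces-based driver: the DOCTYPE is disallowed.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The patch discussed above makes the plexus MXParser driver silently accept setFeature calls it does not implement, so with that driver the second parse would not fail on the feature request; the fail-closed behaviour here depends on the driver actually reporting unsupported features.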

