On 2022-06-04 15:47, Julien Lepiller wrote: > Le Sat, 04 Jun 2022 12:25:21 +0200, > Remco van 't Veer a écrit : > >> I did some digging and found this regression is caused by commit: >> >> 6068b83b82475566acd4162467bcf54270f338f9 >> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]." >> >> Apparently the fix for this issue causes jdom to be very strict; >> >> > java.io.IOException: Invalid input descriptor for merge: >> > /tmp/plexus-metadata3957336728290309540xml --> >> > http://xml.org/sax/features/external-general-entities feature >> > http://xml.org/sax/features/external-general-entities not supported >> > for SAX driver org.codehaus.plexus.metadata.merge.Driver >> >> Which sound familiar when looking at that CVE >> (https://github.com/advisories/GHSA-2363-cqg2-863c): >> >> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to >> > cause a denial of service via a crafted HTTP request. At this time >> > there is not released fixed version of JDOM. As a workaround, to >> > avoid external entities being expanded, one can call >> > builder.setExpandEntities(false) and they won't be expanded. >> >> I dunno how to fix this though, I'm just a curious guixer. Easiest >> path seems to be to make a new java-jdom-2.0.6 var and use that as a >> native-input for maven. Would that be an acceptable solution? >> >> Cheers, >> Remco >> > > Like you say, the issue is with the new jdom. Believe it or not, but > between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of > changes, too)! > > So I figured I could fix java-plexus-component-metadata that we use to > generate some xml files during the build of maven. jdom is one of its > inputs. Adding another jdom to the native inputs would probably not fix > the issue. > > What I did instead is, since jdom wants to set more features than > supported in the driver, to add dummy support for all these additional > features by just not throwing the exception. It's not very satisfying, > but it works and we don't keep a vulnerable jdom around. With the > attached patch, I built up to maven. > From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001 > From: Julien Lepiller > Date: Sat, 4 Jun 2022 15:41:41 +0200 > Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package. > > * gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for > newer jdom. > --- > gnu/packages/java.scm | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm > index 336e84e3e5..f475f7c270 100644 > --- a/gnu/packages/java.scm > +++ b/gnu/packages/java.scm > @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7 > (copy-recursively "src/main/resources" > "build/classes/") > #t)) > + (add-before 'build 'fix-jdom > + (lambda _ > + ;; The newer version of jdom now sets multiple features by default > + ;; that are not supported. > + ;; Skip these features > + (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java" > + (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);") > + "// skip")))) > (add-before 'check 'fix-test-location > (lambda _ > (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java" Work for me as well. Probably can be merged to master? -- Best regards, Andrew Tropin