[PATCH 0/3] Expat and libxslt changes for core-updates

[PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

It was not that simple to make these changes for core-updates, so I'm
sending the patches for review.

For expat, I "re-fix" a bug that was fixed on master already. This
bug-fix is actually reachable from the HEAD of core-updates, but for
some reason doesn't exist at HEAD. According to MITRE the bug does
affect all currently released versions of expat:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

I noticed a "left-over" patch for a bug that is apparently fixed in the
version of expat on core-updates (2.1.1), so it is deleted:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283

For libxslt, I update to the latest version and remove patches that are
no longer needed. The timestamp issue was addressed upstream [0] and the
bug has been fixed in this version. These patches were strangely no
longer listed in 'gnu/local.mk'.

[0]
https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc

Leo Famulari (3):
  gnu: expat: Fix CVE-2016-0718.
  gnu: Remove unused patch.
  gnu: libxslt: Update to 1.1.29.

 gnu/local.mk                                       |  1 -
 .../patches/expat-CVE-2015-1283-refix.patch        | 42 --------------
 gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
 .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------------
 gnu/packages/xml.scm                               |  9 ++-
 5 files changed, 4 insertions(+), 143 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
 delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
 delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch

-- 
2.8.3

[PATCH 1/3] gnu: expat: Fix CVE-2016-0718.

[Leo Famulari]

This "cherry-picks" part of 119b83989dd9edd1e8ba6cd379d159d024cbc61d
from the master branch to core-updates.

* gnu/packages/xml.scm (expat)[source]: Use patch.
---
 gnu/packages/xml.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a860f98..9400930 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -51,6 +51,7 @@
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
+             (patches (search-patches "expat-CVE-2016-0718.patch"))
              (sha256
               (base32
                "0ryyjgvy7jq0qb7a9mhc1giy3bzn56aiwrs8dpydqngplbjq9xdg"))))
-- 
2.8.3

[PATCH 2/3] gnu: Remove unused patch.

[Leo Famulari]

* gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                       |  1 -
 .../patches/expat-CVE-2015-1283-refix.patch        | 42 ----------------------
 2 files changed, 43 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ef7b4df..fe91bc3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -480,7 +480,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/emacs-source-date-epoch.patch		\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
-  %D%/packages/patches/expat-CVE-2015-1283-refix.patch		\
   %D%/packages/patches/expat-CVE-2016-0718.patch		\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
   %D%/packages/patches/fastcap-mulSetup.patch			\
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
deleted file mode 100644
index af5e3bc..0000000
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Update previous fix for CVE-2015-1283 to not rely on undefined behavior.
-
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
-
-From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
-From: Pascal Cuoq <cuoq@trust-in-soft.com>
-Date: Sun, 15 May 2016 09:05:46 +0200
-Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix.
-
----
- expat/lib/xmlparse.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 13e080d..cdb12ef 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    int neededSize = len + (int)(bufferEnd - bufferPtr);
-+    /* Do not invoke signed arithmetic overflow: */
-+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
- /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
-     if (neededSize < 0) {
-       errorCode = XML_ERROR_NO_MEMORY;
-@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
--        bufferSize *= 2;
-+        /* Do not invoke signed arithmetic overflow: */
-+        bufferSize = (int) (2U * (unsigned) bufferSize);
- /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
-       } while (bufferSize < neededSize && bufferSize > 0);
- /* END MOZILLA CHANGE */
--- 
-2.8.2
-
-- 
2.8.3

[PATCH 3/3] gnu: libxslt: Update to 1.1.29.

[Leo Famulari]

* gnu/packages/patches/libxslt-CVE-2015-7995.patch,
gnu/packages/patches/libxslt-remove-date-timestamps.patch: Delete files.
* gnu/packages/xml.scm: Update to 1.1.29.
[source]: Remove patches.
---
 gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
 .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------------
 gnu/packages/xml.scm                               |  8 +--
 3 files changed, 3 insertions(+), 100 deletions(-)
 delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
 delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch

diff --git a/gnu/packages/patches/libxslt-CVE-2015-7995.patch b/gnu/packages/patches/libxslt-CVE-2015-7995.patch
deleted file mode 100644
index f291d5b..0000000
--- a/gnu/packages/patches/libxslt-CVE-2015-7995.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Thu, 29 Oct 2015 19:33:23 +0800
-Subject: [PATCH] Fix for type confusion in preprocessing attributes
-
-CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
-We need to check that the parent node is an element before dereferencing
-its namespace
----
- libxslt/preproc.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/preproc.c b/libxslt/preproc.c
-index 0eb80a0..7f69325 100644
---- a/libxslt/preproc.c
-+++ b/libxslt/preproc.c
-@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
- 	} else if (IS_XSLT_NAME(inst, "attribute")) {
- 	    xmlNodePtr parent = inst->parent;
- 
--	    if ((parent == NULL) || (parent->ns == NULL) ||
-+	    if ((parent == NULL) ||
-+	        (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
- 		((parent->ns != inst->ns) &&
- 		 (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
- 		(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/libxslt-remove-date-timestamps.patch b/gnu/packages/patches/libxslt-remove-date-timestamps.patch
deleted file mode 100644
index 51470d0..0000000
--- a/gnu/packages/patches/libxslt-remove-date-timestamps.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Use deterministic SOURCE_DATE_EPOCH for embedded timestamps in generated documentation.
-
-Written by Eduard Sanou.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=758148
-
---- libxslt-1.1.28.orig/libexslt/date.c
-+++ libxslt-1.1.28/libexslt/date.c
-@@ -46,6 +46,7 @@
- #include "exslt.h"
- 
- #include <string.h>
-+#include <errno.h>
- 
- #ifdef HAVE_MATH_H
- #include <math.h>
-@@ -747,21 +748,46 @@ static exsltDateValPtr
- exsltDateCurrent (void)
- {
-     struct tm localTm, gmTm;
-+    struct tm *tb = NULL;
-     time_t secs;
-     int local_s, gm_s;
-     exsltDateValPtr ret;
-+    char *source_date_epoch;
- 
-     ret = exsltDateCreateDate(XS_DATETIME);
-     if (ret == NULL)
-         return NULL;
- 
--    /* get current time */
-     secs    = time(NULL);
-+    /*
-+     * Allow the date and time to be set externally by an exported
-+     * environment variable to enable reproducible builds.
-+     */
-+    source_date_epoch = getenv("SOURCE_DATE_EPOCH");
-+    if (source_date_epoch) {
-+	errno = 0;
-+	secs = (time_t) strtol (source_date_epoch, NULL, 10);
-+	if (errno == 0) {
-+	    tb = gmtime(&secs);
-+	    if (tb == NULL) {
-+	    /* SOURCE_DATE_EPOCH is not a valid date */
-+		return NULL;
-+	    } else {
-+		localTm = *tb;
-+	    }
-+	} else {
-+	    /* SOURCE_DATE_EPOCH is not a valid number */
-+	    return NULL;
-+	}
-+    } else {
-+	/* get current time */
- #if HAVE_LOCALTIME_R
--    localtime_r(&secs, &localTm);
-+	localtime_r(&secs, &localTm);
- #else
--    localTm = *localtime(&secs);
-+	localTm = *localtime(&secs);
- #endif
-+    }
-+
- 
-     /* get real year, not years since 1900 */
-     ret->value.date.year = localTm.tm_year + 1900;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 9400930..a486d19 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -127,17 +127,15 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
-    (version "1.1.28")
+    (version "1.1.29")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "13029baw9kkyjgr7q3jccw2mz38amq7mmpr5p3bh775qawd1bisz"))
-             (patches (search-patches "libxslt-generated-ids.patch"
-                                      "libxslt-remove-date-timestamps.patch"
-                                      "libxslt-CVE-2015-7995.patch"))))
+               "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
+             (patches (search-patches "libxslt-generated-ids.patch"))))
     (build-system gnu-build-system)
     (home-page "http://xmlsoft.org/XSLT/index.html")
     (synopsis "C library for applying XSLT stylesheets to XML documents")
-- 
2.8.3

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 2321 bytes --]

On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
> 
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
> 
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
> 
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
> 
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc
> 
> Leo Famulari (3):
>   gnu: expat: Fix CVE-2016-0718.
>   gnu: Remove unused patch.
>   gnu: libxslt: Update to 1.1.29.
> 
>  gnu/local.mk                                       |  1 -
>  .../patches/expat-CVE-2015-1283-refix.patch        | 42 --------------
>  gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
>  .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------------
>  gnu/packages/xml.scm                               |  9 ++-
>  5 files changed, 4 insertions(+), 143 deletions(-)
>  delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
>  delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
>  delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch
> 
> -- 
> 2.8.3
> 

FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
there's 2 new cves, cve-2012-6702 and cve-2016-5300
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> > Leo Famulari (3):
> >   gnu: expat: Fix CVE-2016-0718.
> >   gnu: Remove unused patch.
> >   gnu: libxslt: Update to 1.1.29.
> 
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
> there's 2 new cves, cve-2012-6702 and cve-2016-5300
> https://www.debian.org/security/2016/dsa-3597
> https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

Thanks for the review!

Okay, later today I'll revise this patchset, and also try patching the
master branch's expat against the newly disclosed bugs.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Wed, Jun 08, 2016 at 07:50:25AM -0400, Leo Famulari wrote:
> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> > On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> > > Leo Famulari (3):
> > >   gnu: expat: Fix CVE-2016-0718.
> > >   gnu: Remove unused patch.
> > >   gnu: libxslt: Update to 1.1.29.
> > 
> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
> > there's 2 new cves, cve-2012-6702 and cve-2016-5300
> > https://www.debian.org/security/2016/dsa-3597
> > https://sources.debian.net/src/expat/2.1.1-3/debian/patches/
> 
> Thanks for the review!
> 
> Okay, later today I'll revise this patchset, and also try patching the
> master branch's expat against the newly disclosed bugs.

As always, if somebody wants to handle patching expat on the master
branch sooner than I can, I won't mind :)

Re: [PATCH 1/3] gnu: expat: Fix CVE-2016-0718.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> This "cherry-picks" part of 119b83989dd9edd1e8ba6cd379d159d024cbc61d
> from the master branch to core-updates.
>
> * gnu/packages/xml.scm (expat)[source]: Use patch.

LGTM, but is expat-CVE-2016-0718.patch still in core-updates?

Did I mess things up when I merged master into core-updates yesterday?

Thank you for paying attention.  :-)

Ludo’.

Re: [PATCH 2/3] gnu: Remove unused patch.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

OK!

Re: [PATCH 3/3] gnu: libxslt: Update to 1.1.29.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/libxslt-CVE-2015-7995.patch,
> gnu/packages/patches/libxslt-remove-date-timestamps.patch: Delete files.
> * gnu/packages/xml.scm: Update to 1.1.29.
> [source]: Remove patches.

LGTM, thanks!

Ludo'.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Ludovic Courtès]

Efraim Flashner <efraim@flashner.co.il> skribis:

> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
> there's 2 new cves, cve-2012-6702 and cve-2016-5300
> https://www.debian.org/security/2016/dsa-3597
> https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

Oh, good catch.

Ludo’.

Re: [PATCH 1/3] gnu: expat: Fix CVE-2016-0718.

[Leo Famulari]

On Wed, Jun 08, 2016 at 03:25:39PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > This "cherry-picks" part of 119b83989dd9edd1e8ba6cd379d159d024cbc61d
> > from the master branch to core-updates.
> >
> > * gnu/packages/xml.scm (expat)[source]: Use patch.
> 
> LGTM, but is expat-CVE-2016-0718.patch still in core-updates?

Yes and...

> Did I mess things up when I merged master into core-updates yesterday?

... I've only merged master into core-updates once, but when I did I
noticed some strange behavior re: patches and spent a lot of time making
sure the merge did the "right thing".

Next time I will take notes on the surprising things and send them to
the list. If I am inspired, I might go back in time and re-do the merge
I did before and take notes on that.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> >   gnu: expat: Fix CVE-2016-0718.
> >   gnu: Remove unused patch.
> >   gnu: libxslt: Update to 1.1.29.
> 
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
> there's 2 new cves, cve-2012-6702 and cve-2016-5300
> https://www.debian.org/security/2016/dsa-3597
> https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

Thank you for reviewing my patches! I will look into this.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.

I looked at the expat Git repo and the original fix for CVE-2015-1283
was part of 2.1.1. The improvement to the fix must be backported. I will
take the upstream commit that applies the improvement.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1200 bytes --]

On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
> 
> I looked at the expat Git repo and the original fix for CVE-2015-1283
> was part of 2.1.1. The improvement to the fix must be backported. I will
> take the upstream commit that applies the improvement.

We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
sent for review for the master branch).

We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
fix for CVE-2015-1283. The Debian "re-fix" patch had some context
(comments) that did not exist in the upstream 2.1.1 release.

And as before, we patch for CVE-2016-0718.

It's not possible for me test this on core-updates (too much to build).
On master, I made a new expat-2.1.1 package that inherited from expat
and built that with the patches.

The merge will probably be messy...

Off-topic: A regular package and a grafted package on master, and an
updated version of the package on core-updates... this is getting very
complicated and we should try our best to avoid such tangled situations
in the future.

[-- Attachment #2: 0001-gnu-expat-Fix-CVE-2012-6702-CVE-2016-0718-and-CVE-20.patch --]
[-- Type: text/x-diff, Size: 9682 bytes --]

From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 7 Jun 2016 20:26:41 -0400
Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
 CVE-2016-5300.

* gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
changes.
* gnu/packages/xml.scm (expat)[source]: Use patches.
---
 gnu/local.mk                                       |   1 +
 .../expat-CVE-2012-6702-and-CVE-2016-5300.patch    | 142 +++++++++++++++++++++
 .../patches/expat-CVE-2015-1283-refix.patch        |  27 ++--
 gnu/packages/xml.scm                               |   4 +
 4 files changed, 159 insertions(+), 15 deletions(-)
 create mode 100644 gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ef7b4df..4ace667 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -480,6 +480,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/emacs-source-date-epoch.patch		\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
+  %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch	\
   %D%/packages/patches/expat-CVE-2015-1283-refix.patch		\
   %D%/packages/patches/expat-CVE-2016-0718.patch		\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
new file mode 100644
index 0000000..edc43f8
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
@@ -0,0 +1,142 @@
+Fix CVE-2012-6702 and CVE-2016-5300.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
+
+Patch copied from:
+https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/
+
+From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 16 Mar 2016 15:30:12 +0100
+Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
+
+Squashed backport against vanilla Expat 2.1.1, addressing:
+* CVE-2012-6702 -- unanticipated internal calls to srand
+* CVE-2016-5300 -- use of too little entropy
+
+Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
+(released with Expat 2.1.0) Expat called srand by itself
+from inside generate_hash_secret_salt for an instance
+of XML_Parser if XML_SetHashSalt was either (a) not called
+for that instance or if (b) salt 0 was passed to XML_SetHashSalt
+prior to parsing.  That call to srand passed (rather litle)
+entropy extracted from the current time as a seed for srand.
+
+That call to srand (1) broke repeatability for code calling
+srand with a non-random seed prior to parsing with Expat,
+and (2) resulted in a rather small set of hashing salts in
+Expat in total.
+
+For a short- to mid-term fix, the new approach avoids calling
+srand altogether, extracts more entropy out of the clock and
+other sources, too.
+
+For a long term fix, we may want to read sizeof(long) bytes
+from a source like getrandom(..) on Linux, and from similar
+sources on other supported architectures.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1197087
+---
+ CMakeLists.txt |  3 +++
+ lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 353627e..524d514 100755
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib)
+ if(MSVC)
+     add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)
+ endif(MSVC)
++if(WIN32)
++    add_definitions(-DCOMPILED_FROM_DSP)
++endif(WIN32)
+ 
+ set(expat_SRCS
+     lib/xmlparse.c
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e308c79..c5f942f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6,7 +6,14 @@
+ #include <string.h>                     /* memset(), memcpy() */
+ #include <assert.h>
+ #include <limits.h>                     /* UINT_MAX */
+-#include <time.h>                       /* time() */
++
++#ifdef COMPILED_FROM_DSP
++#define getpid GetCurrentProcessId
++#else
++#include <sys/time.h>                   /* gettimeofday() */
++#include <sys/types.h>                  /* getpid() */
++#include <unistd.h>                     /* getpid() */
++#endif
+ 
+ #define XML_BUILDING_EXPAT 1
+ 
+@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
+ getElementType(XML_Parser parser, const ENCODING *enc,
+                const char *ptr, const char *end);
+ 
+-static unsigned long generate_hash_secret_salt(void);
++static unsigned long generate_hash_secret_salt(XML_Parser parser);
+ static XML_Bool startParsing(XML_Parser parser);
+ 
+ static XML_Parser
+@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
+ };
+ 
+ static unsigned long
+-generate_hash_secret_salt(void)
++gather_time_entropy(void)
+ {
+-  unsigned int seed = time(NULL) % UINT_MAX;
+-  srand(seed);
+-  return rand();
++#ifdef COMPILED_FROM_DSP
++  FILETIME ft;
++  GetSystemTimeAsFileTime(&ft); /* never fails */
++  return ft.dwHighDateTime ^ ft.dwLowDateTime;
++#else
++  struct timeval tv;
++  int gettimeofday_res;
++
++  gettimeofday_res = gettimeofday(&tv, NULL);
++  assert (gettimeofday_res == 0);
++
++  /* Microseconds time is <20 bits entropy */
++  return tv.tv_usec;
++#endif
++}
++
++static unsigned long
++generate_hash_secret_salt(XML_Parser parser)
++{
++  /* Process ID is 0 bits entropy if attacker has local access
++   * XML_Parser address is few bits of entropy if attacker has local access */
++  const unsigned long entropy =
++      gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
++
++  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
++  if (sizeof(unsigned long) == 4) {
++    return entropy * 2147483647;
++  } else {
++    return entropy * 2305843009213693951;
++  }
+ }
+ 
+ static XML_Bool  /* only valid for root parser */
+@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
+ {
+     /* hash functions must be initialized before setContext() is called */
+     if (hash_secret_salt == 0)
+-      hash_secret_salt = generate_hash_secret_salt();
++      hash_secret_salt = generate_hash_secret_salt(parser);
+     if (ns) {
+       /* implicit context only set for root parser, since child
+          parsers (i.e. external entity parsers) will inherit it
+-- 
+2.8.2
+
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
index af5e3bc..fc8d629 100644
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
@@ -1,42 +1,39 @@
-Update previous fix for CVE-2015-1283 to not rely on undefined behavior.
+Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
+behavior.
 
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
+Adapted from a patch from Debian (found in Debian package version
+2.1.0-6+deb8u2) to apply to upstream code:
 
 https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
 
-From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
-From: Pascal Cuoq <cuoq@trust-in-soft.com>
-Date: Sun, 15 May 2016 09:05:46 +0200
-Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix.
-
 ---
- expat/lib/xmlparse.c | 6 ++++--
+ lib/xmlparse.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 13e080d..cdb12ef 100644
+index 0f6f4cd..5c70c17 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len
+@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
    }
  
    if (len > bufferLim - bufferEnd) {
 -    int neededSize = len + (int)(bufferEnd - bufferPtr);
 +    /* Do not invoke signed arithmetic overflow: */
 +    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
- /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
      if (neededSize < 0) {
        errorCode = XML_ERROR_NO_MEMORY;
-@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len
+       return NULL;
+@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
        if (bufferSize == 0)
          bufferSize = INIT_BUFFER_SIZE;
        do {
 -        bufferSize *= 2;
 +        /* Do not invoke signed arithmetic overflow: */
 +        bufferSize = (int) (2U * (unsigned) bufferSize);
- /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
        } while (bufferSize < neededSize && bufferSize > 0);
- /* END MOZILLA CHANGE */
+       if (bufferSize <= 0) {
+         errorCode = XML_ERROR_NO_MEMORY;
 -- 
-2.8.2
+2.8.3
 
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index a860f98..f3bb7d8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -51,6 +51,10 @@
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
+             (patches (search-patches
+                        "expat-CVE-2012-6702-and-CVE-2016-5300.patch"
+                        "expat-CVE-2015-1283-refix.patch"
+                        "expat-CVE-2016-0718.patch"))
              (sha256
               (base32
                "0ryyjgvy7jq0qb7a9mhc1giy3bzn56aiwrs8dpydqngplbjq9xdg"))))
-- 
2.8.3

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>> 
>> I looked at the expat Git repo and the original fix for CVE-2015-1283
>> was part of 2.1.1. The improvement to the fix must be backported. I will
>> take the upstream commit that applies the improvement.
>
> We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
> sent for review for the master branch).
>
> We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
> fix for CVE-2015-1283. The Debian "re-fix" patch had some context
> (comments) that did not exist in the upstream 2.1.1 release.
>
> And as before, we patch for CVE-2016-0718.
>
> It's not possible for me test this on core-updates (too much to build).
> On master, I made a new expat-2.1.1 package that inherited from expat
> and built that with the patches.
>
> The merge will probably be messy...

We should leave it to you, to minimize breakage.

> Off-topic: A regular package and a grafted package on master, and an
> updated version of the package on core-updates... this is getting very
> complicated and we should try our best to avoid such tangled situations
> in the future.

Do you think it would help to delay such upgrades in ‘core-updates’
until the time where ‘core-updates’ is getting ready for merge?

> From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Tue, 7 Jun 2016 20:26:41 -0400
> Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
>  CVE-2016-5300.
>
> * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
> changes.
> * gnu/packages/xml.scm (expat)[source]: Use patches.

LGTM, thank you!

Ludo’.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > The merge will probably be messy...
> 
> We should leave it to you, to minimize breakage.

Okay, should I do it today or is core-updates frozen?

> > Off-topic: A regular package and a grafted package on master, and an
> > updated version of the package on core-updates... this is getting very
> > complicated and we should try our best to avoid such tangled situations
> > in the future.
> 
> Do you think it would help to delay such upgrades in ‘core-updates’
> until the time where ‘core-updates’ is getting ready for merge?

I don't know if there is a great solution; I think this is a really
perverse case.

I think of core-updates as the place to put these sorts of changes. If
we were to decide to delay the changes, we'd all have our own private
core-updates forks, and then we'd probably duplicate work and forget
about things. What do you think?

If anybody else feels burdened by this as I do, your ideas are very
welcome :)

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > The merge will probably be messy...
>> 
>> We should leave it to you, to minimize breakage.
>
> Okay, should I do it today or is core-updates frozen?

It’s OK if you do it today.  :-)

The branch is being built but it’s just the beginning.

>> > Off-topic: A regular package and a grafted package on master, and an
>> > updated version of the package on core-updates... this is getting very
>> > complicated and we should try our best to avoid such tangled situations
>> > in the future.
>> 
>> Do you think it would help to delay such upgrades in ‘core-updates’
>> until the time where ‘core-updates’ is getting ready for merge?
>
> I don't know if there is a great solution; I think this is a really
> perverse case.
>
> I think of core-updates as the place to put these sorts of changes. If
> we were to decide to delay the changes, we'd all have our own private
> core-updates forks, and then we'd probably duplicate work and forget
> about things. What do you think?

Sorry, I explained myself poorly.  Here, we (1) grafted Expat in master,
(2) upgraded Expat in core-updates, and (3) only after that did we merge
master in core-updates, making the merge more troublesome, right?

My question was whether we should swap (2) and (3).

Thoughts?

Ludo’.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Leo Famulari]

On Sun, Jun 12, 2016 at 10:26:53PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Fri, Jun 10, 2016 at 02:59:49PM +0200, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >> > The merge will probably be messy...
> >> 
> >> We should leave it to you, to minimize breakage.
> >
> > Okay, should I do it today or is core-updates frozen?
> 
> It’s OK if you do it today.  :-)
> 
> The branch is being built but it’s just the beginning.

Okay, I've done it. I spent so much time thinking about this merge that
I am confident it's correct, but I'm nervous because I can't feasibly
build it as a test.

`make` succeeded.

> Sorry, I explained myself poorly.  Here, we (1) grafted Expat in master,
> (2) upgraded Expat in core-updates, and (3) only after that did we merge
> master in core-updates, making the merge more troublesome, right?
> 
> My question was whether we should swap (2) and (3).

Yes, I think we should do (3) before (2), if we notice (1).

Although (2) preceded (1) chronologically, in this case.

(2) happened circa Mar 25 and (1) happened circa May 18, according to
the dates on the commits.

So, swapping (2) and (3) wouldn't have helped this case.

Re: [PATCH 0/3] Expat and libxslt changes for core-updates

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Jun 12, 2016 at 10:26:53PM +0200, Ludovic Courtès wrote:

[...]

>> Sorry, I explained myself poorly.  Here, we (1) grafted Expat in master,
>> (2) upgraded Expat in core-updates, and (3) only after that did we merge
>> master in core-updates, making the merge more troublesome, right?
>> 
>> My question was whether we should swap (2) and (3).
>
> Yes, I think we should do (3) before (2), if we notice (1).
>
> Although (2) preceded (1) chronologically, in this case.
>
> (2) happened circa Mar 25 and (1) happened circa May 18, according to
> the dates on the commits.
>
> So, swapping (2) and (3) wouldn't have helped this case.

OK.  In an ideal world, ‘core-updates’ cycles would be shorter, so we
wouldn’t have had to worry about (3) in the first place.

Ludo’.