From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Expat regression fix for master branch Date: Mon, 12 Sep 2016 17:35:15 -0400 Message-ID: <20160912213515.GA15911@jasmine> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="/WwmFnJnmDyWGHa4" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:57720) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bjYt3-0001YS-44 for guix-devel@gnu.org; Mon, 12 Sep 2016 17:35:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bjYsy-0008V6-PV for guix-devel@gnu.org; Mon, 12 Sep 2016 17:35:32 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:44286) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bjYsw-0008Nj-DV for guix-devel@gnu.org; Mon, 12 Sep 2016 17:35:28 -0400 Received: from localhost (c-68-81-58-201.hsd1.pa.comcast.net [68.81.58.201]) by mail.messagingengine.com (Postfix) with ESMTPA id DC397CCE8C for ; Mon, 12 Sep 2016 17:35:16 -0400 (EDT) Content-Disposition: inline List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --/WwmFnJnmDyWGHa4 Content-Type: multipart/mixed; boundary="J2SCkAp4GZ/dPZZf" Content-Disposition: inline --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable This patch applies an upstream patch for a regression caused by the fix=20 for CVE-2016-0718. Apparently, the bug only manifests when building with -DXML_UNICODE, which I don't think our package does. Bug report: https://sourceforge.net/p/expat/bugs/539/ Source of patch: https://sourceforge.net/p/expat/code_git/ci/af507cef2c93cb8d40062a0abe43a4f= 4e9158fb2 --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-expat-Fix-regression-caused-by-fix-for-CVE-2016-.patch" Content-Transfer-Encoding: quoted-printable =46rom 14abba35d1b8c455ce597b5c0eed4bcf87499e6a Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 12 Sep 2016 16:54:45 -0400 Subject: [PATCH] gnu: expat: Fix regression caused by fix for CVE-2016-0718. * gnu/packages/xml.scm (expat)[replacement]: New field. (expat/fixed): New variable. * gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../expat-CVE-2016-0718-fix-regression.patch | 35 ++++++++++++++++++= ++++ gnu/packages/xml.scm | 12 ++++++++ 3 files changed, 48 insertions(+) create mode 100644 gnu/packages/patches/expat-CVE-2016-0718-fix-regression= =2Epatch diff --git a/gnu/local.mk b/gnu/local.mk index 5714009..6e1c97c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -501,6 +501,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch \ %D%/packages/patches/expat-CVE-2015-1283-refix.patch \ %D%/packages/patches/expat-CVE-2016-0718.patch \ + %D%/packages/patches/expat-CVE-2016-0718-fix-regression.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ %D%/packages/patches/fasthenry-spAllocate.patch \ diff --git a/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch = b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch new file mode 100644 index 0000000..b489401 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch @@ -0,0 +1,35 @@ +Fix regression caused by fix for CVE-2016-0718 when building with -DXML_UN= ICODE. + +Discussion: + +https://sourceforge.net/p/expat/bugs/539/ + +Patch copied from upstream source repository: + +https://sourceforge.net/p/expat/code_git/ci/af507cef2c93cb8d40062a0abe43a4= f4e9158fb2/ + +From af507cef2c93cb8d40062a0abe43a4f4e9158fb2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 17 Jul 2016 20:22:29 +0200 +Subject: [PATCH 1/2] Fix regression bug #539 (needs -DXML_UNICODE) + +Thanks to Andy Wang and Karl Waclawek! +--- + expat/lib/xmlparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index b308e67..0d5dd7b 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2468,7 +2468,7 @@ doContent(XML_Parser parser, + &fromPtr, rawNameEnd, + (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); + convLen =3D (int)(toPtr - (XML_Char *)tag->buf); +- if ((convert_res =3D=3D XML_CONVERT_COMPLETED) || (convert_re= s =3D=3D XML_CONVERT_INPUT_INCOMPLETE)) { ++ if ((fromPtr >=3D rawNameEnd) || (convert_res =3D=3D XML_CONV= ERT_INPUT_INCOMPLETE)) { + tag->name.strLen =3D convLen; + break; + } +--=20 +2.10.0 diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 8e0fe01..9dcedee 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -50,6 +50,7 @@ (define-public expat (package (name "expat") + (replacement expat/fixed) (version "2.1.1") (source (origin (method url-fetch) @@ -70,6 +71,17 @@ stream-oriented parser in which an application registers= handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) =20 +(define expat/fixed + (package + (inherit expat) + (source (origin + (inherit (package-source expat)) + (patches (search-patches + "expat-CVE-2012-6702-and-CVE-2016-5300.patch" + "expat-CVE-2015-1283-refix.patch" + "expat-CVE-2016-0718.patch" + "expat-CVE-2016-0718-fix-regression.patch")))))) + (define-public libxml2 (package (name "libxml2") --=20 2.10.0 --J2SCkAp4GZ/dPZZf-- --/WwmFnJnmDyWGHa4 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJX1x+PAAoJECZG+jC6yn8Ii/UP/2Mab3RM3UpY6mUbsqdYb3JV 6bskZ0SxRGKS23zh19L2fjaS8hv6+HdY4Y5dJUiAt3k4IhcO6bHfDeZ4DJGi3GHT EyUZwsy2pWB+PvvFX98767iwB4JVVGe12q8M5RQAzN/IUdTI5FtGnPVqbsZusIZg XRXeKJN1Ck/rYOW0H4TMkDptAQcr2t8fAHf5DaDWpwRrKDUXl94/GHlAufRFjR7h mZgQkJdjBE12fYbHZXg3+OU2HRwptH+05hNf/k4Tiaz22KzOjNpA7l3wEwiv+Pvl phC4Wlh92Thvc3fzTX7AlBpYWqj4jZHMSpgmPRtD4ItJ8xjwX3GcAejvImqaT4FK VBg4AMWO9K2acOJguIbWuFOZEXEeIYZqtTw+fRPZ3YTVqDhOa2bWZcyVoR9/sgOV m3DSWN2FpPV/v2nKBIJyeG85BIyodPfhdX5IOY8glr2uFfcQUuTJ+frCVV4u+iwO DCHe4TU5K4PmjNqz3nRg8arB3r1rH1QxM+Gib570zCb1pGjWQLdtFr8bbEw5OixM Mw3ga9K3gLMs1EeAVxBCgb1TrIrAxdjTuUY0yVHnOLa7qCWgpu2MjdPng8a85cUH vPaMuZ/DPMEIoHo8KAsKek+RNuLEK7/unXC5sc90kDDtT/QNFraNA7Xf2KiObohf EKcTCkGpbHw/wVBGmiH7 =2lwV -----END PGP SIGNATURE----- --/WwmFnJnmDyWGHa4--