Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
From: Marius Bakke
To: Jack Hill, 36424@debbugs.gnu.org
Date: Sun, 30 Jun 2019 12:12:22 +0200
Message-ID: <87o92fv0u1.fsf@devup.no>

Hi Jack,

Jack Hill writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch!  It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

  $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
  Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

  15 Removed function symbols not referenced by debug info:

    XmlGetUtf16InternalEncoding
    XmlGetUtf16InternalEncodingNS
    XmlGetUtf8InternalEncoding
    XmlGetUtf8InternalEncodingNS
    XmlInitEncoding
    XmlInitEncodingNS
    XmlInitUnknownEncoding
    XmlInitUnknownEncodingNS
    XmlParseXmlDecl
    XmlParseXmlDeclNS
    XmlPrologStateInit
    XmlPrologStateInitExternalEntity
    XmlSizeOfUnknownEncoding
    XmlUtf16Encode
    XmlUtf8Encode

Apparently these symbols were never supposed to be exported: .

However, there could be packages "in the wild" that use these symbols
and would silently break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit: .

I think it's better to graft a variant with only this patch to be on the
safe side.  Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package?
:-)

Thanks in advance,
Marius
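
The ABI check described in the message above, as an added example that is not part of the original email or of Guix: a Python parser for the abidiff report quoted in the message, which treats any removed or changed symbol as a reason not to graft the full upgrade. The function names are hypothetical, and the parser assumes the plain report layout shown in the message.

```python
import re

# abidiff report quoted in the message above (Expat 2.2.6 vs 2.2.7).
REPORT = """\
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:
  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode
"""
SUMMARY = re.compile(r"^(?P<kind>.+?) changes summary: (?P<counts>.+)$")
COUNT = re.compile(r"(\d+) (Removed|Changed|Added)")
SECTION = re.compile(r"^\d+ (Removed|Changed|Added) .*:$")

def parse_report(text):
    """Return (counts per summary kind, symbols listed under a 'Removed' section)."""
    summary, removed, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY.match(line):
            summary[m["kind"]] = {k: int(n) for n, k in COUNT.findall(m["counts"])}
        elif m := SECTION.match(line):
            section = m[1]          # symbol names that follow belong to this section
        elif line and section == "Removed":
            removed.append(line)
    return summary, removed

def graft_compatible(text):
    """Grafted dependents are not rebuilt, so nothing may be removed or changed."""
    summary, removed = parse_report(text)
    broken = sum(c.get("Removed", 0) + c.get("Changed", 0) for c in summary.values())
    return broken == 0, removed
```
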