Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Tue, 2 Jul 2019 16:49:30 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
In-Reply-To: <87o92fv0u1.fsf@devup.no>
References: <87o92fv0u1.fsf@devup.no>

Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:

> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
>   XmlGetUtf16InternalEncoding
>   XmlGetUtf16InternalEncodingNS
>   XmlGetUtf8InternalEncoding
>   XmlGetUtf8InternalEncodingNS
>   XmlInitEncoding
>   XmlInitEncodingNS
>   XmlInitUnknownEncoding
>   XmlInitUnknownEncodingNS
>   XmlParseXmlDecl
>   XmlParseXmlDeclNS
>   XmlPrologStateInit
>   XmlPrologStateInitExternalEntity
>   XmlSizeOfUnknownEncoding
>   XmlUtf16Encode
>   XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> .  However, there could
> be packages "in the wild" that use these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> .
>
> I think it's better to graft a variant with only this patch to be on the
> safe side.  Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package?  :-)

I'll try that as well. I'll also try to not let my mail client mangle them :)

Best,
Jack
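
The graft-safety check discussed in this message, as an added example that is not part of the original thread or of Guix's own tooling: it parses the removed-symbol list from the quoted `abidiff` report and reports which dependents still import one of those symbols. The function names and the `DEPENDENTS` data are assumptions; the dependents are constructed, standing in for what `nm -D --undefined-only` would list for each binary.

```python
import re

# Excerpt of the abidiff report quoted in the message above.
ABIDIFF_REPORT = """\
15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode
"""

def removed_symbols(report):
    """Parse abidiff's 'N Removed function symbols' list; verify N."""
    m = re.search(r"^(\d+) Removed function symbols[^\n]*:\n", report, re.M)
    if not m:
        return set()
    names = set()
    for line in report[m.end():].splitlines():
        if line and not line[0].isspace():
            break  # an unindented line starts the next report section
        names.update(line.split())
    if len(names) != int(m.group(1)):
        raise ValueError("symbol list does not match the count in its heading")
    return names

def broken_imports(removed, undefined_by_binary):
    """Map each dependent to the removed symbols it still imports."""
    hits = {b: sorted(removed & set(s)) for b, s in undefined_by_binary.items()}
    return {b: syms for b, syms in hits.items() if syms}

# Constructed: undefined dynamic symbols of two hypothetical dependents.
DEPENDENTS = {
    "libfoo.so": ["XML_ParserCreate", "XML_Parse"],
    "legacy-tool": ["XML_ParserCreate", "XmlUtf8Encode", "XmlInitEncoding"],
}

print(broken_imports(removed_symbols(ABIDIFF_REPORT), DEPENDENTS))
```

An empty result means no scanned dependent imports a removed symbol; it says nothing about binaries outside the scanned set, which is the "in the wild" concern raised above.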