From: Jack Hill <jackhill@jackhill.us>
To: Marius Bakke <mbakke@fastmail.com>
Cc: 36424@debbugs.gnu.org
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT) [thread overview]
Message-ID: <alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net> (raw)
In-Reply-To: <87tvc0qedh.fsf@devup.no>
[-- Attachment #1: Type: text/plain, Size: 222 bytes --]
Please find updated patch files attached, that I think take into account
Marius's suggestions (thanks Marius!)
Best,
Jack
P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns
in the attachments.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-diff; name=0001-gnu-expat-Add-additional-source-URI.patch, Size: 2189 bytes --]
From 0e1394e7e410ec192b6c883b567ce414864cdbb1 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:03:19 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI
The expat sourceforge page announces that the project is in the process of
moving to GitHub.
* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
gnu/packages/xml.scm | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..b6a376a405 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2017 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2018 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,13 +67,18 @@
(package
(name "expat")
(version "2.2.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/expat/expat/"
- version "/expat-" version ".tar.bz2"))
- (sha256
- (base32
- "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
+ (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.bz2")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.bz2")))
+ (sha256
+ (base32
+ "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))))
(build-system gnu-build-system)
(home-page "https://libexpat.github.io/")
(synopsis "Stream-oriented XML parser library written in C")
--
2.22.0
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: Type: text/x-diff; name=0002-gnu-expat-fix-CVE-2018-20843.patch, Size: 3072 bytes --]
From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:23:03 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843
* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
gnu/local.mk | 1 +
.../patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++
gnu/packages/xml.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 9a70d73759..054aa93fd5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -785,6 +785,7 @@ dist_patch_DATA = \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
%D%/packages/patches/exiv2-CVE-2017-14860.patch \
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
+ %D%/packages/patches/expat-CVE-2018-20843.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..216fbe9667
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,21 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b6a376a405..fbd0ff284b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -66,6 +66,7 @@
(define-public expat
(package
(name "expat")
+ (replacement expat/fixed)
(version "2.2.6")
(source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
(origin
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define expat/fixed
+ (package
+ (inherit expat)
+ (source
+ (origin
+ (inherit (package-source expat))
+ (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
(define-public libebml
(package
(name "libebml")
--
2.22.0
next prev parent reply other threads:[~2019-07-10 20:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-28 19:56 [bug#36424] expat-2.2.7 for CVE-2018-20843 Jack Hill
2019-06-28 19:57 ` [bug#36424] gnu: expat: Replace with 2.2.7 [security fixes] Jack Hill
2019-06-30 10:12 ` [bug#36424] expat-2.2.7 for CVE-2018-20843 Marius Bakke
2019-07-02 20:49 ` Jack Hill
2019-07-04 23:49 ` Jack Hill
2019-07-04 23:57 ` Jack Hill
2019-07-05 0:02 ` Jack Hill
[not found] ` <87tvc0qedh.fsf@devup.no>
2019-07-10 20:54 ` Jack Hill [this message]
2019-07-11 23:00 ` bug#36424: " Marius Bakke
2019-07-11 23:09 ` [bug#36424] " Jack Hill
2019-07-05 22:53 ` Marius Bakke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net \
--to=jackhill@jackhill.us \
--cc=36424@debbugs.gnu.org \
--cc=mbakke@fastmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).