all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Julien Lepiller <julien@lepiller.eu>
To: Remco van 't Veer <remco@remworks.net>
Cc: "Dr. Arne Babenhauserheide" <arne_bab@web.de>, 55776@debbugs.gnu.org
Subject: bug#55776: maven-core fails to build
Date: Sat, 4 Jun 2022 15:47:07 +0200	[thread overview]
Message-ID: <20220604154707.099a3679@sybil.lepiller.eu> (raw)
In-Reply-To: <87wndwn2su.fsf@remworks.net>

[-- Attachment #1: Type: text/plain, Size: 2064 bytes --]

Le Sat, 04 Jun 2022 12:25:21 +0200,
Remco van 't Veer <remco@remworks.net> a écrit :

> I did some digging and found this regression is caused by commit:
> 
>  6068b83b82475566acd4162467bcf54270f338f9
>  "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
> 
> Apparently the fix for this issue causes jdom to be very strict;
> 
> > java.io.IOException: Invalid input descriptor for merge:
> > /tmp/plexus-metadata3957336728290309540xml -->
> > http://xml.org/sax/features/external-general-entities feature
> > http://xml.org/sax/features/external-general-entities not supported
> > for SAX driver org.codehaus.plexus.metadata.merge.Driver  
> 
> Which sound familiar when looking at that CVE
> (https://github.com/advisories/GHSA-2363-cqg2-863c):
> 
> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> > cause a denial of service via a crafted HTTP request. At this time
> > there is not released fixed version of JDOM. As a workaround, to
> > avoid external entities being expanded, one can call
> > builder.setExpandEntities(false) and they won't be expanded.  
> 
> I dunno how to fix this though, I'm just a curious guixer.  Easiest
> path seems to be to make a new java-jdom-2.0.6 var and use that as a
> native-input for maven.  Would that be an acceptable solution?
> 
> Cheers,
> Remco
> 

Like you say, the issue is with the new jdom. Believe it or not, but
between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
changes, too)!

So I figured I could fix java-plexus-component-metadata that we use to
generate some xml files during the build of maven. jdom is one of its
inputs. Adding another jdom to the native inputs would probably not fix
the issue.

What I did instead is, since jdom wants to set more features than
supported in the driver, to add dummy support for all these additional
features by just not throwing the exception. It's not very satisfying,
but it works and we don't keep a vulnerable jdom around. With the
attached patch, I built up to maven.

[-- Attachment #2: 0001-gnu-java-plexus-component-metadata-Fix-package.patch --]
[-- Type: text/x-patch, Size: 1356 bytes --]

From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Sat, 4 Jun 2022 15:41:41 +0200
Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.

* gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
  newer jdom.
---
 gnu/packages/java.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 336e84e3e5..f475f7c270 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
              (copy-recursively "src/main/resources"
                                "build/classes/")
              #t))
+         (add-before 'build 'fix-jdom
+           (lambda _
+             ;; The newer version of jdom now sets multiple features by default
+             ;; that are not supported.
+             ;; Skip these features
+             (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
+               (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
+                "// skip"))))
          (add-before 'check 'fix-test-location
            (lambda _
              (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"
-- 
2.35.1


  reply	other threads:[~2022-06-04 13:48 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-03  6:05 bug#55776: maven-core fails to build Dr. Arne Babenhauserheide
2022-06-04 10:25 ` Remco van 't Veer
2022-06-04 13:47   ` Julien Lepiller [this message]
2022-06-04 14:25     ` Remco van 't Veer
2022-06-04 15:00     ` Dr. Arne Babenhauserheide
2022-06-08 18:36       ` Julien Lepiller
2022-06-08 15:35     ` Andrew Tropin
2022-06-07 10:32 ` Steve George

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220604154707.099a3679@sybil.lepiller.eu \
    --to=julien@lepiller.eu \
    --cc=55776@debbugs.gnu.org \
    --cc=arne_bab@web.de \
    --cc=remco@remworks.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.