Subject: bug#55776: maven-core fails to build
From: Andrew Tropin
To: Julien Lepiller, Remco van 't Veer
Cc: "Dr. Arne Babenhauserheide", 55776@debbugs.gnu.org
Date: Wed, 08 Jun 2022 18:35:54 +0300
Message-ID: <87k09r9nhh.fsf@trop.in>
In-Reply-To: <20220604154707.099a3679@sybil.lepiller.eu>
References: <87sfomwaa6.fsf@web.de> <87wndwn2su.fsf@remworks.net> <20220604154707.099a3679@sybil.lepiller.eu>
List-Id: Bug reports for GNU Guix

On 2022-06-04 15:47, Julien Lepiller wrote:
> On Sat, 04 Jun 2022 12:25:21 +0200,
> Remco van 't Veer wrote:
>
>> I did some digging and found this regression is caused by commit:
>>
>> 6068b83b82475566acd4162467bcf54270f338f9
>> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>>
>> Apparently the fix for this issue causes jdom to be very strict;
>>
>> > java.io.IOException: Invalid input descriptor for merge:
>> > /tmp/plexus-metadata3957336728290309540xml -->
>> > http://xml.org/sax/features/external-general-entities feature
>> > http://xml.org/sax/features/external-general-entities not supported
>> > for SAX driver org.codehaus.plexus.metadata.merge.Driver
>>
>> Which sounds familiar when looking at that CVE
>> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>>
>> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
>> > cause a denial of service via a crafted HTTP request. At this time
>> > there is not released fixed version of JDOM. As a workaround, to
>> > avoid external entities being expanded, one can call
>> > builder.setExpandEntities(false) and they won't be expanded.
>>
>> I dunno how to fix this though, I'm just a curious guixer. Easiest
>> path seems to be to make a new java-jdom-2.0.6 var and use that as a
>> native-input for maven. Would that be an acceptable solution?
>>
>> Cheers,
>> Remco
>>
>
> Like you say, the issue is with the new jdom. Believe it or not, but
> between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
> changes, too)!
>
> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.
>
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.
>
> From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller
> Date: Sat, 4 Jun 2022 15:41:41 +0200
> Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.
>
> * gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
> newer jdom.
> ---
>  gnu/packages/java.scm | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index 336e84e3e5..f475f7c270 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
>               (copy-recursively "src/main/resources"
>                                 "build/classes/")
>               #t))
> +         (add-before 'build 'fix-jdom
> +           (lambda _
> +             ;; The newer version of jdom now sets multiple features by default
> +             ;; that are not supported.
> +             ;; Skip these features
> +             (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
> +               (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
> +                "// skip"))))
>           (add-before 'check 'fix-test-location
>             (lambda _
>               (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"

Works for me as well. Probably can be merged to master?

-- 
Best regards,
Andrew Tropin
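Review bot: the substitute* in the new 'fix-jdom phase turns the "unsupported feature" error in MXParser.java into a silent no-op for every feature name, so when jdom calls setFeature for http://xml.org/sax/features/external-general-entities (the feature it now sets because of CVE-2021-33813) the driver reports success without actually honouring it; if MXParser never resolves external entities that is harmless, but the comment should say so, and a narrower fix is to accept only the specific feature URIs jdom sets and keep throwing for anything else. Two smaller points: replacing the throw with "// skip" only yields valid Java if the throw is the sole statement of a braced block (worth checking in MXParser.java before merging), and the ChangeLog line in the commit message misspells the variable as java-plexus-component-metadat.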