From: Sebastian Pipping
Subject: Re: Expat 2.2.7 with security fixes has been released / CVE-2018-20843
Date: Fri, 12 Jul 2019 21:29:44 +0200
Message-ID: <9ba7e06a-e907-4703-7aa4-1c46961786ad@pipping.org>
To: Jack Hill
Cc: guix-devel@gnu.org

Hi Jack,

On 12.07.19 01:17, Jack Hill wrote:
> I'm pleased to let you know that we've applied the fix for
> CVE-2018-20843 in GNU Guix as of
> 5a836ce38c9c29e9c2bd306007347486b90c5064 [0]. We elected to backport the
> patch that fixed the problem instead of upgrading due to a change in the
> expat ABI with 2.2.7 [1].
>
> Many thanks to Marius Bakke for advice and patience while reviewing the
> patches.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=5a836ce38c9c29e9c2bd306007347486b90c5064
>
> [1] https://issues.guix.gnu.org/issue/36424#2

thanks for the update on that matter!
Regarding the removed API symbols, those were never part of the public API, so whoever used them needed to have copied prototypes for those into his own code base and be aware that using internal API is asking for trouble — the opposite of something to rely on. They made that choice; it should be their cost.

openSUSE started using -fvisibility=hidden with their expat package way before Expat itself, and they seem fine.

I discussed with senior Linux distro developers how hiding those symbols should affect Expat's .so versioning, whether it should be an incompatible bump or not. There was no demand for doing an incompatible bump because all related symbols were never exposed by headers.

If you don't upgrade to 2.2.7, are you going to backport all bugfixes to 2.2.6 from now on? I maintain a few distro packages myself and I would consider that a big pain point and a waste of time. I know of at least two parties who went with modifying a fork in the past, and they are not in a good place with their fork regarding effort, bugfixes, and security. Please don't add to that list, just please don't :-)

Is there anything I can do to make you reconsider? Is there something that I can do upstream in the Expat code base to smooth your path to Expat 2.2.8/2.3.0?

Thanks and best
Sebastian