all messages for Guix-related lists mirrored at yhetil.org
* bug#47342: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
@ 2021-03-23 14:33 Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 14:33 UTC (permalink / raw)
  To: 47342

Upstream has made a release: 1.4.16 - which fixes all the issues.
Following is an unfinished patchset that fixes the issues; the
java-mxparser package does not build, and help from some more experienced
Java packagers is welcome to fix and push this patchset.


* bug#47342: [PATCH 1/2] gnu: Add java-mxparser.
@ 2021-03-23 14:38 ` Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 14:38 UTC (permalink / raw)
  To: 47342; +Cc: Léo Le Bouter

* gnu/packages/xml.scm (java-mxparser): New variable.
---
 gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 2a72fc6ad2..96287b3174 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2256,6 +2256,34 @@ outputting XML data from Java code.")
 and back again.")
     (license license:bsd-3)))
 
+(define-public java-mxparser
+  (package
+    (name "java-mxparser")
+    (version "1.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri
+               (string-append
+                "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/"
+                version "/mxparser-" version "-sources.jar"))
+              (sha256
+               (base32
+                "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl"))))
+    (build-system ant-build-system)
+    (home-page "https://github.com/x-stream/mxparser")
+    (synopsis "Streaming pull XML parser forked from @code{java-xpp3}")
+    (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors). This
+package is a stable XmlPull parsing engine that is based on ideas from XPP
+and in particular XPP2 but completely revised and rewritten to take the best
+advantage of JIT JVMs.
+
+MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged
+changes of the Plexus fork. It is an implementation of the XMLPULL V1 API
+(parser only).")
+    (license (license:non-copyleft "file://LICENSE.txt"))))
+
 (define-public xmlrpc-c
   (package
     (name "xmlrpc-c")
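Review bot: the new `java-mxparser` package declares neither `arguments` nor `inputs`, which is the most plausible reason the cover letter says it does not build. A Maven `-sources.jar` ships no build.xml, and `ant-build-system` only generates one when `#:jar-name` is given (for example `(arguments `(#:jar-name "mxparser.jar"))`); the description also states that the code implements the XMLPULL V1 API, so the XmlPull V1 API classes have to be supplied as an input before the parser can compile. Please also confirm that the sources jar actually contains the `LICENSE.txt` referenced by `(license:non-copyleft "file://LICENSE.txt")`.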
-- 
2.31.0


* bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
@ 2021-03-23 14:38   ` Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 14:38 UTC (permalink / raw)
  To: 47342; +Cc: Léo Le Bouter

Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.

* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
 gnu/packages/xml.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.")
 (define-public java-xstream
   (package
     (name "java-xstream")
-    (version "1.4.15")
+    (version "1.4.16")
     (source
      (origin
        (method git-fetch)
@@ -2229,7 +2229,7 @@ outputting XML data from Java code.")
                                   version)))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))
+        (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "xstream.jar"
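Review bot: the replaced base32 hash on the `+        (base32 "16k2mc63...` line cannot be verified from the hunk alone; since the origin uses `git-fetch` with a tag built from `version` (the `version)))))` context line), please confirm it was produced from a fresh checkout of the 1.4.16 tag (`guix hash -rx` on that checkout, or `./pre-inst-env guix build -S java-xstream` after applying the patch) so the update really pins the upstream security release rather than some other revision.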
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.")
        ("java-joda-time" ,java-joda-time)
        ("java-jettison" ,java-jettison)
        ("java-xom" ,java-xom)
-       ("java-xpp3" ,java-xpp3)
+       ("java-mxparser" ,java-mxparser)
        ("java-dom4j" ,java-dom4j)
        ("java-stax2-api" ,java-stax2-api)
        ("java-woodstox-core" ,java-woodstox-core)
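Review bot: swapping `("java-xpp3" ,java-xpp3)` for `("java-mxparser" ,java-mxparser)` makes this patch depend on 1/2 building, and the cover letter says java-mxparser does not build yet, so 2/2 cannot be pushed on its own. Once 1/2 is fixed, `./pre-inst-env guix build java-xstream` should be run to confirm that the 1.4.16 build and its test suite pass with the new parser input, and `guix refresh -l java-xstream` to see which dependents will be rebuilt by the change.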
-- 
2.31.0


* bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
@ 2021-03-23 17:33     ` Leo Famulari
From: Leo Famulari @ 2021-03-23 17:33 UTC (permalink / raw)
  To: 47342; +Cc: roptat

On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
> 
> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
> former made by upstream.

Thanks for the patch!

Pinging Julien...


* bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
@ 2021-03-23 17:42       ` Julien Lepiller
From: Julien Lepiller @ 2021-03-23 17:42 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 47342

So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developed at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstream (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

On 23 March 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>> 
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a
>fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...


* bug#47342: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
@ 2021-03-23 22:31 ` Julien Lepiller
From: Julien Lepiller @ 2021-03-23 22:31 UTC (permalink / raw)
  To: 47342-done

On Tue, 23 Mar 2021 15:33:26 +0100,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-
> mxparser package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.

Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to
8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,
with changes discussed on IRC.

Thanks a lot for noticing it!

