expat-2.2.7 for CVE-2018-20843

  • Done
  • quality assurance status badge
Details
3 participants
  • Jack Hill
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Jack Hill
Severity
normal

Debbugs page

J
J
Jack Hill wrote on 28 Jun 2019 12:56
(address . guix-patches@gnu.org)
alpine.DEB.2.20.1906281553100.17508@marsh.hcoop.net
Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
replacement for expat with expat-2.2.7. I also changed the origin to use
the GitHub hosted tarball as upstream is moving in that direction.


Best,
Jack
J
J
Jack Hill wrote on 28 Jun 2019 12:57
gnu: expat: Replace with 2.2.7 [security fixes]
(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1906281557130.17508@marsh.hcoop.net
From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
gnu/packages/xml.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

Toggle diff (44 lines)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..1be2a58d2e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright ᅵ 2017 Petter <petter@mykolab.ch>
;;; Copyright ᅵ 2017 Stefan Reichᅵr <stefan@xsteve.at>
;;; Copyright ᅵ 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright ᅵ 2019 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -65,6 +66,7 @@
(define-public expat
(package
(name "expat")
+ (replacement expat-2.2.7)
(version "2.2.6")
(source (origin
(method url-fetch)
@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))

+(define-public expat-2.2.7
+ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (package
+ (inherit expat)
+ (version "2.2.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh")))))))
+
(define-public libebml
(package
(name "libebml")
--
2.22.0
M
M
Marius Bakke wrote on 30 Jun 2019 03:12
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
87o92fv0u1.fsf@devup.no
Hi Jack,

Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (9 lines)
> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch! It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

XmlGetUtf16InternalEncoding
XmlGetUtf16InternalEncodingNS
XmlGetUtf8InternalEncoding
XmlGetUtf8InternalEncodingNS
XmlInitEncoding
XmlInitEncodingNS
XmlInitUnknownEncoding
XmlInitUnknownEncodingNS
XmlParseXmlDecl
XmlParseXmlDeclNS
XmlPrologStateInit
XmlPrologStateInitExternalEntity
XmlSizeOfUnknownEncoding
XmlUtf16Encode
XmlUtf8Encode

Apparently these symbols were never supposed to be exported:
be packages "in the wild" that uses these symbols and would silently
break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit:

I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)

Thanks in advance,
Marius
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0YiwYACgkQoqBt8qM6
VPooDAf+I0S7p4d76MiWIJeWCKLhIxCuu0hbxJbwq8GrfrYYmpVwBcB8BgyXhlQX
sJ4GSZEUX1h8hKbRHhSBeVsLIXrUaiNVYK1nNjdL4s5FCxzdhWpVuHypuUiBPOk5
rHkebNNF6/bnKEmaiUzE0gE86aJTs00nBDbz0bPIBENPbgBNy01SA2aM/c17LgsF
O/panqcs4lD0F23HBDJ9sc3cwvIIXVC8QHjR+Y+aOAbbwQrhcKX7ozTVRTwAQ7/v
azmtw8fNq9YfFiVM9aLq85whX113UxnCPqq21YbI2IiJ/R4NdlVpy1mJxHeQBXQ5
g2sexaRXdKqOLREjNSYKxpje3IP7jw==
=ZWs1
-----END PGP SIGNATURE-----

J
J
Jack Hill wrote on 2 Jul 2019 13:49
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907021647200.17508@marsh.hcoop.net
Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:

Toggle quote (37 lines)
> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
> XmlGetUtf16InternalEncoding
> XmlGetUtf16InternalEncodingNS
> XmlGetUtf8InternalEncoding
> XmlGetUtf8InternalEncodingNS
> XmlInitEncoding
> XmlInitEncodingNS
> XmlInitUnknownEncoding
> XmlInitUnknownEncodingNS
> XmlParseXmlDecl
> XmlParseXmlDeclNS
> XmlPrologStateInit
> XmlPrologStateInitExternalEntity
> XmlSizeOfUnknownEncoding
> XmlUtf16Encode
> XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> <https://github.com/libexpat/libexpat/pull/197>. However, there could
> be packages "in the wild" that uses these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>
> I think it's better to graft a variant with only this patch to be on the
> safe side. Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

Toggle quote (3 lines)
> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package? :-)

I'll try that as well.

I'll also try to not let my mail client mangle them :)

Best,
Jack
L
L
Ludovic Courtès wrote on 2 Jul 2019 15:34
control message for bug #36424
(address . control@debbugs.gnu.org)
87imsk3w25.fsf@gnu.org
tags 36424 + security
quit
J
J
Jack Hill wrote on 4 Jul 2019 16:49
Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041947340.17508@marsh.hcoop.net
On Tue, 2 Jul 2019, Jack Hill wrote:

Toggle quote (18 lines)
>> Apparently these symbols were never supposed to be exported:
>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>> be packages "in the wild" that uses these symbols and would silently
>> break with the grafted Expat.
>>
>> IIUC the fix for CVE-2018-20843 is this commit:
>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>
>> I think it's better to graft a variant with only this patch to be on the
>> safe side. Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package? :-)
>
> I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's
proposed solution.

Thanks,
Jack
From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 17:00:27 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI
The expat sourceforge page announces that the project is in the process of
moving to GitHub.
* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
Toggle diff (61 lines)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..dab6597690 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2017 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2019 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -63,24 +64,30 @@
#:use-module (gnu packages pkg-config))
(define-public expat
- (package
- (name "expat")
- (version "2.2.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/expat/expat/"
- version "/expat-" version ".tar.bz2"))
- (sha256
- (base32
- "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
- (build-system gnu-build-system)
- (home-page "https://libexpat.github.io/")
- (synopsis "Stream-oriented XML parser library written in C")
- (description
- "Expat is an XML parser library written in C. It is a
+ (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (package
+ (name "expat")
+ (version "2.2.6")
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append
+ "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.bz2")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.bz2")))
+ (sha256
+ (base32
+ "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
+ (build-system gnu-build-system)
+ (home-page "https://libexpat.github.io/")
+ (synopsis "Stream-oriented XML parser library written in C")
+ (description
+ "Expat is an XML parser library written in C. It is a
stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
- (license license:expat)))
+ (license license:expat))))
(define-public libebml
(package
--
2.22.0
From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Thu, 4 Jul 2019 19:41:30 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.
* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
gnu/local.mk | 7 ++++---
gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
gnu/packages/xml.scm | 9 +++++++++
3 files changed, 29 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
Toggle diff (80 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 6e90d88689..bcf47d7378 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,20 +764,21 @@ dist_patch_DATA = \
%D%/packages/patches/einstein-build.patch \
%D%/packages/patches/emacs-exec-path.patch \
%D%/packages/patches/emacs-fix-scheme-indent-function.patch \
- %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
%D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
+ %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
%D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
%D%/packages/patches/emacs-source-date-epoch.patch \
- %D%/packages/patches/emacs-unpackaged-req.patch \
%D%/packages/patches/emacs-undohist-ignored.patch \
+ %D%/packages/patches/emacs-unpackaged-req.patch \
%D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
%D%/packages/patches/emacs-zones-called-interactively.patch \
%D%/packages/patches/enlightenment-fix-setuid-path.patch \
%D%/packages/patches/erlang-man-path.patch \
%D%/packages/patches/eudev-rules-directory.patch \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
- %D%/packages/patches/exiv2-CVE-2017-14860.patch \
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
+ %D%/packages/patches/exiv2-CVE-2017-14860.patch \
+ %D%/packages/patches/expat-CVE-2018-20843.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..dd64b91965
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,16 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index dab6597690..8c289c5cbe 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -67,6 +67,7 @@
(let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
(package
(name "expat")
+ (replacement expat/fixed)
(version "2.2.6")
(source (origin
(method url-fetch)
@@ -89,6 +90,14 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat))))
+(define expat/fixed
+ (package
+ (inherit expat)
+ (source
+ (origin
+ (inherit (package-source expat))
+ (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
(define-public libebml
(package
(name "libebml")
--
2.22.0
J
J
Jack Hill wrote on 4 Jul 2019 16:57
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041955400.17508@marsh.hcoop.net
Woops, looks like I still mangled the patches (by adding carriage-returns),
but hopefully in a way that they still apply without infecting the code
with that problem.

I guess Alpine has let me down. At any rate, hopefully they're still
useful and fix the problem. Let me know if you'd like me to try again.

Best,
Jack
J
J
Jack Hill wrote on 4 Jul 2019 17:02
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907041959080.17508@marsh.hcoop.net
Also, sorry for the extra noise in gnu/local.mk. I had inserted my patch
in the wrong place and alphabetized a number of lines using my
en_us.UTF-8 locale to fix it. Let me know if I should re-submit without
the extraneous changes.

Today hasn't been the best day for computer use for me I'm afraid.

Best,
Jack
M
M
Marius Bakke wrote on 5 Jul 2019 15:53
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424@debbugs.gnu.org)
87wogwqein.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (23 lines)
> On Tue, 2 Jul 2019, Jack Hill wrote:
>
>>> Apparently these symbols were never supposed to be exported:
>>> <https://github.com/libexpat/libexpat/pull/197>. However, there could
>>> be packages "in the wild" that uses these symbols and would silently
>>> break with the grafted Expat.
>>>
>>> IIUC the fix for CVE-2018-20843 is this commit:
>>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>>
>>> I think it's better to graft a variant with only this patch to be on the
>>> safe side. Can you try that?
>>
>> Good idea. I didn't think to check. Yes, I can try to do that.
>>
>>> Could you also submit a second patch that adds GitHub as an additional
>>> download location for the regular Expat package? :-)
>>
>> I'll try that as well.
>
> I've prepared the two attached patches that I believe implement Marius's
> proposed solution.

Thanks!

One minor problem... the expat patch does not actually apply on our copy
of expat! Can you look into it?

Toggle quote (13 lines)
> From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
> From: Jack Hill <jackhill@jackhill.us>
> Date: Thu, 4 Jul 2019 17:00:27 -0400
> Subject: [PATCH 1/2] gnu: expat: Add additional source URI
>
> The expat sourceforge page announces that the project is in the process of
> moving to GitHub.
>
> * gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
> ---
> gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
> 1 file changed, 23 insertions(+), 16 deletions(-)

[...]
Toggle quote (38 lines)
> (define-public expat
> - (package
> - (name "expat")
> - (version "2.2.6")
> - (source (origin
> - (method url-fetch)
> - (uri (string-append "mirror://sourceforge/expat/expat/"
> - version "/expat-" version ".tar.bz2"))
> - (sha256
> - (base32
> - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> - (build-system gnu-build-system)
> - (home-page "https://libexpat.github.io/")
> - (synopsis "Stream-oriented XML parser library written in C")
> - (description
> - "Expat is an XML parser library written in C. It is a
> + (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
> + (package
> + (name "expat")
> + (version "2.2.6")
> + (source (origin
> + (method url-fetch)
> + (uri (list (string-append
> + "mirror://sourceforge/expat/expat/"
> + version "/expat-" version ".tar.bz2")
> + (string-append
> + "https://github.com/libexpat/libexpat/releases/download/R_"
> + (string-map dot->underscore version)
> + "/expat-" version ".tar.bz2")))
> + (sha256
> + (base32
> + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> + (build-system gnu-build-system)
> + (home-page "https://libexpat.github.io/")
> + (synopsis "Stream-oriented XML parser library written in C")
> + (description
> + "Expat is an XML parser library written in C. It is a

Can you move this let binding inside the (source ...) field? That way
we don't have to reindent the whole thing.

Toggle quote (43 lines)
> From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
> From: Jack Hill <jackhill@jackhill.us>
> Date: Thu, 4 Jul 2019 19:41:30 -0400
> Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.
>
> * gnu/packages/xml.scm (expat)[replacement]: New field.
> (expat/fixed): New variable.
> * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patch file.
> ---
> gnu/local.mk | 7 ++++---
> gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
> gnu/packages/xml.scm | 9 +++++++++
> 3 files changed, 29 insertions(+), 3 deletions(-)
> create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 6e90d88689..bcf47d7378 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -764,20 +764,21 @@ dist_patch_DATA = \
> %D%/packages/patches/einstein-build.patch \
> %D%/packages/patches/emacs-exec-path.patch \
> %D%/packages/patches/emacs-fix-scheme-indent-function.patch \
> - %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
> %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
> + %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
> %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
> %D%/packages/patches/emacs-source-date-epoch.patch \
> - %D%/packages/patches/emacs-unpackaged-req.patch \
> %D%/packages/patches/emacs-undohist-ignored.patch \
> + %D%/packages/patches/emacs-unpackaged-req.patch \
> %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
> %D%/packages/patches/emacs-zones-called-interactively.patch \
> %D%/packages/patches/enlightenment-fix-setuid-path.patch \
> %D%/packages/patches/erlang-man-path.patch \
> %D%/packages/patches/eudev-rules-directory.patch \
> %D%/packages/patches/evilwm-lost-focus-bug.patch \
> - %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
> + %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> + %D%/packages/patches/expat-CVE-2018-20843.patch \

You addressed this in another email, and I do think we should try to
avoid needless moving around of these lines. There are enough merge
conflicts on this file as-is, no need to introduce artificial ones. :-)

Toggle quote (16 lines)
> %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
> %D%/packages/patches/fastcap-mulGlobal.patch \
> %D%/packages/patches/fastcap-mulSetup.patch \
> diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
> new file mode 100644
> index 0000000000..dd64b91965
> --- /dev/null
> +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
> @@ -0,0 +1,16 @@
> +Fix extraction of namespace prefix from XML name.
> +Fixes CVE-2018-20843
> +
> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
> +index 30d55c5..737d7cd 100644
> +--- a/expat/lib/xmlparse.c
> ++++ b/expat/lib/xmlparse.c
^^^^^^
It looks like this has to be removed from the patch file. Could you
also add a link to the upstream commit for reference?

It's also good practice to provide an URL to the MITRE CVE page:

Thanks for working on this! :-)
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0f1QAACgkQoqBt8qM6
VPokxgf/ZxWLCSKT7mZBETM3yxCw634v/XEY/JumAEXmP7pxHEbvI3CWi4KpWUph
svfg7zqUcuIOj9nwla1tIRXESltTDbnuAd8VLRxFEUZbPBh3yN50JFkdIS1v7qcD
2gCT06D+qmiTB0tbxFLyyDysh5sjx7bV3DlDw5Lei6v7i+LxC0oRbvQ1qi30IUZx
5T/9CXuaZr4iN5bE0y2fk7cVrXnOgIVJ0hK8yy3492e4o0b3aRrtCV4uZo5DdNTX
hVeTQmWE8fS0SnyjthU3fAWKoJOsiEyxgwc/PlyAyg8HOFtQ9gNyWR4BICqf8h9N
lJyEa6Ugn98aBB9swAEMOmqXt8Os4g==
=TjuK
-----END PGP SIGNATURE-----

J
J
Jack Hill wrote on 10 Jul 2019 13:54
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net
Please find updated patch files attached, that I think take into account
Marius's suggestions (thanks Marius!)

Best,
Jack

P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns
in the attachments.
From 0e1394e7e410ec192b6c883b567ce414864cdbb1 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:03:19 -0400
Subject: [PATCH 1/2] gnu: expat: Add additional source URI
The expat sourceforge page announces that the project is in the process of
moving to GitHub.
* gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
---
gnu/packages/xml.scm | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
Toggle diff (40 lines)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..b6a376a405 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2017 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2018 Jack Hill <jackhill@jackhill.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,13 +67,18 @@
(package
(name "expat")
(version "2.2.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/expat/expat/"
- version "/expat-" version ".tar.bz2"))
- (sha256
- (base32
- "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
+ (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.bz2")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.bz2")))
+ (sha256
+ (base32
+ "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))))
(build-system gnu-build-system)
(home-page "https://libexpat.github.io/")
(synopsis "Stream-oriented XML parser library written in C")
--
2.22.0
From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:23:03 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843
* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
gnu/local.mk | 1 +
.../patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++
gnu/packages/xml.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
Toggle diff (68 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 9a70d73759..054aa93fd5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -785,6 +785,7 @@ dist_patch_DATA = \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
%D%/packages/patches/exiv2-CVE-2017-14860.patch \
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
+ %D%/packages/patches/expat-CVE-2018-20843.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..216fbe9667
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,21 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+ else
+ poolDiscard(&dtd->pool);
+ elementType->prefix = prefix;
+-
++ break;
+ }
+ }
+ return 1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b6a376a405..fbd0ff284b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -66,6 +66,7 @@
(define-public expat
(package
(name "expat")
+ (replacement expat/fixed)
(version "2.2.6")
(source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
(origin
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define expat/fixed
+ (package
+ (inherit expat)
+ (source
+ (origin
+ (inherit (package-source expat))
+ (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
(define-public libebml
(package
(name "libebml")
--
2.22.0
M
M
Marius Bakke wrote on 11 Jul 2019 16:00
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 36424-done@debbugs.gnu.org)
87ftncmb1r.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (3 lines)
> Please find updated patch files attached, that I think take into account
> Marius's suggestions (thanks Marius!)

Thank you! I made a tiny tweak to use char=? instead of equal=? for the
character comparison.

Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl0nv5AACgkQoqBt8qM6
VPp62Qf9GdcExbQZBZibWrWR09y++bap5ymjWFSpcFm9TYqcOKfZKlk5UwijG2M7
rkYQnLfYM+1NKbvfYSxoZHLMtOryZ5ssbdP+JWYkHrxW8CEAx2ndAVDAzCP85oYH
7FzQlL6AVuP94SZ4Xwo/QGPTsvZvFX5CfhcCzzOlT4NHUVjMS6VbCOuYvI7TAl/x
I9+qqi5AMrbkQxmp5y52WAAZDVx9mRZm+GlXUwNQzebXkxpazEjuviPapOwLgK7v
wMCILM23KkaG5YJWV7CyLcNoVIu9ThpmGVzqlZF0BnKlI8DuRZWw2dcEhmCgBcnJ
mHehz2UlwCn9krdV6MIV497FajmIsw==
=tn/b
-----END PGP SIGNATURE-----

Closed
J
J
Jack Hill wrote on 11 Jul 2019 16:09
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 36424@debbugs.gnu.org)
alpine.DEB.2.20.1907111907530.17508@marsh.hcoop.net
On Fri, 12 Jul 2019, Marius Bakke wrote:

Toggle quote (3 lines)
> Thank you! I made a tiny tweak to use char=? instead of equal=? for the
> character comparison.

Cool, now I know about char=? ☺

Toggle quote (2 lines)
> Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.

Thanks, and thanks for being patient with me working through the issues.

Best,
Jack
?
Your comment

This issue is archived.

To comment on this conversation send an email to 36424@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 36424
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch