GNU bug report logs

#47342 java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Reported by Léo Le Bouter <lle-bout@zaclys.net>
Date 2021-03-23T14:34:02
Severity normal
Tags security
Done Julien Lepiller <julien@lepiller.eu>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 14:34:02 GMT) (full text, mbox, link).

Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Tue, 23 Mar 2021 14:34:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Upstream has made a release: 1.4.16 - which fixes all the issues,
following is an unfinished patchset that fixes the issues, java-
mxparser package does not build and help from some more experienced
Java packagers is welcome to fix and push this patchset.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 14:39:02 GMT) (full text, mbox, link).

Message #8 received at 47342@debbugs.gnu.org (full text, mbox, reply):

Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.

* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
 gnu/packages/xml.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.")
 (define-public java-xstream
   (package
     (name "java-xstream")
-    (version "1.4.15")
+    (version "1.4.16")
     (source
      (origin
        (method git-fetch)
@@ -2229,7 +2229,7 @@ outputting XML data from Java code.")
                                   version)))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))
+        (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "xstream.jar"
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.")
        ("java-joda-time" ,java-joda-time)
        ("java-jettison" ,java-jettison)
        ("java-xom" ,java-xom)
-       ("java-xpp3" ,java-xpp3)
+       ("java-mxparser" ,java-mxparser)
        ("java-dom4j" ,java-dom4j)
        ("java-stax2-api" ,java-stax2-api)
        ("java-woodstox-core" ,java-woodstox-core)
-- 
2.31.0

Information forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 14:39:02 GMT) (full text, mbox, link).

Message #11 received at 47342@debbugs.gnu.org (full text, mbox, reply):

* gnu/packages/xml.scm (java-mxparser): New variable.
---
 gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 2a72fc6ad2..96287b3174 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2256,6 +2256,34 @@ outputting XML data from Java code.")
 and back again.")
     (license license:bsd-3)))
 
+(define-public java-mxparser
+  (package
+    (name "java-mxparser")
+    (version "1.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri
+               (string-append
+                "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/"
+                version "/mxparser-" version "-sources.jar"))
+              (sha256
+               (base32
+                "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl"))))
+    (build-system ant-build-system)
+    (home-page "https://github.com/x-stream/mxparser")
+    (synopsis "Streaming pull XML parser forked from @code{java-xpp3}")
+    (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors). This
+package is a stable XmlPull parsing engine that is based on ideas from XPP
+and in particular XPP2 but completely revised and rewritten to take the best
+advantage of JIT JVMs.
+
+MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged
+changes of the Plexus fork. It is an implementation of the XMLPULL V1 API
+(parser only).")
+    (license (license:non-copyleft "file://LICENSE.txt"))))
+
 (define-public xmlrpc-c
   (package
     (name "xmlrpc-c")
-- 
2.31.0

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Tue, 23 Mar 2021 15:10:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 17:34:01 GMT) (full text, mbox, link).

Message #16 received at submit@debbugs.gnu.org (full text, mbox, reply):

On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
> 
> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
> former made by upstream.

Thanks for the patch!

Pinging Julien...

Information forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 17:34:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#47342; Package guix. (Tue, 23 Mar 2021 21:19:01 GMT) (full text, mbox, link).

Message #22 received at 47342@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developped at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstseam (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

Le 23 mars 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>> 
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a
>fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...

[Message part 2 (text/html, inline)]

Reply sent to Julien Lepiller <julien@lepiller.eu>:
You have taken responsibility. (Tue, 23 Mar 2021 22:32:01 GMT) (full text, mbox, link).

Notification sent to Léo Le Bouter <lle-bout@zaclys.net>:
bug acknowledged by developer. (Tue, 23 Mar 2021 22:32:02 GMT) (full text, mbox, link).

Message #27 received at 47342-done@debbugs.gnu.org (full text, mbox, reply):

Le Tue, 23 Mar 2021 15:33:26 +0100,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :

> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-
> mxparser package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.

Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to
8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,
with changes discussed on IRC.

Thanks a lot for noticing it!

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 21 Apr 2021 11:24:05 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:04:35 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.