[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#55776: maven-core fails to build
From: |
Remco van 't Veer |
Subject: |
bug#55776: maven-core fails to build |
Date: |
Sat, 04 Jun 2022 12:25:21 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) |
I did some digging and found this regression is caused by commit:
6068b83b82475566acd4162467bcf54270f338f9
"gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
Apparently the fix for this issue causes jdom to be very strict;
> java.io.IOException: Invalid input descriptor for merge:
> /tmp/plexus-metadata3957336728290309540xml -->
> http://xml.org/sax/features/external-general-entities feature
> http://xml.org/sax/features/external-general-entities not supported
> for SAX driver org.codehaus.plexus.metadata.merge.Driver
Which sound familiar when looking at that CVE
(https://github.com/advisories/GHSA-2363-cqg2-863c):
> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> cause a denial of service via a crafted HTTP request. At this time
> there is not released fixed version of JDOM. As a workaround, to avoid
> external entities being expanded, one can call
> builder.setExpandEntities(false) and they won't be expanded.
I dunno how to fix this though, I'm just a curious guixer. Easiest path
seems to be to make a new java-jdom-2.0.6 var and use that as a
native-input for maven. Would that be an acceptable solution?
Cheers,
Remco