[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#55776: maven-core fails to build
From: |
Andrew Tropin |
Subject: |
bug#55776: maven-core fails to build |
Date: |
Wed, 08 Jun 2022 18:35:54 +0300 |
On 2022-06-04 15:47, Julien Lepiller wrote:
> Le Sat, 04 Jun 2022 12:25:21 +0200,
> Remco van 't Veer <remco@remworks.net> a écrit :
>
>> I did some digging and found this regression is caused by commit:
>>
>> 6068b83b82475566acd4162467bcf54270f338f9
>> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>>
>> Apparently the fix for this issue causes jdom to be very strict;
>>
>> > java.io.IOException: Invalid input descriptor for merge:
>> > /tmp/plexus-metadata3957336728290309540xml -->
>> > http://xml.org/sax/features/external-general-entities feature
>> > http://xml.org/sax/features/external-general-entities not supported
>> > for SAX driver org.codehaus.plexus.metadata.merge.Driver
>>
>> Which sound familiar when looking at that CVE
>> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>>
>> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
>> > cause a denial of service via a crafted HTTP request. At this time
>> > there is not released fixed version of JDOM. As a workaround, to
>> > avoid external entities being expanded, one can call
>> > builder.setExpandEntities(false) and they won't be expanded.
>>
>> I dunno how to fix this though, I'm just a curious guixer. Easiest
>> path seems to be to make a new java-jdom-2.0.6 var and use that as a
>> native-input for maven. Would that be an acceptable solution?
>>
>> Cheers,
>> Remco
>>
>
> Like you say, the issue is with the new jdom. Believe it or not, but
> between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
> changes, too)!
>
> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.
>
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.
> From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Sat, 4 Jun 2022 15:41:41 +0200
> Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.
>
> * gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
> newer jdom.
> ---
> gnu/packages/java.scm | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index 336e84e3e5..f475f7c270 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
> (copy-recursively "src/main/resources"
> "build/classes/")
> #t))
> + (add-before 'build 'fix-jdom
> + (lambda _
> + ;; The newer version of jdom now sets multiple features by
> default
> + ;; that are not supported.
> + ;; Skip these features
> + (substitute*
> "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
> + (("throw new XmlPullParserException\\(\"unsupporte feature
> \"\\+name\\);")
> + "// skip"))))
> (add-before 'check 'fix-test-location
> (lambda _
> (substitute*
> '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"
Work for me as well. Probably can be merged to master?
--
Best regards,
Andrew Tropin
signature.asc
Description: PGP signature