[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#36424] expat-2.2.7 for CVE-2018-20843
From: |
Marius Bakke |
Subject: |
[bug#36424] expat-2.2.7 for CVE-2018-20843 |
Date: |
Sun, 30 Jun 2019 12:12:22 +0200 |
User-agent: |
Notmuch/0.29.1 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu) |
Hi Jack,
Jack Hill <address@hidden> writes:
> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
Thank you very much for this patch! It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?
I tried running `abidiff` (from libabigail) on the new and old Expat:
$ abidiff
/gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so
/gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not
referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not
referenced by debug info
15 Removed function symbols not referenced by debug info:
XmlGetUtf16InternalEncoding
XmlGetUtf16InternalEncodingNS
XmlGetUtf8InternalEncoding
XmlGetUtf8InternalEncodingNS
XmlInitEncoding
XmlInitEncodingNS
XmlInitUnknownEncoding
XmlInitUnknownEncodingNS
XmlParseXmlDecl
XmlParseXmlDeclNS
XmlPrologStateInit
XmlPrologStateInitExternalEntity
XmlSizeOfUnknownEncoding
XmlUtf16Encode
XmlUtf8Encode
Apparently these symbols were never supposed to be exported:
<https://github.com/libexpat/libexpat/pull/197>. However, there could
be packages "in the wild" that uses these symbols and would silently
break with the grafted Expat.
IIUC the fix for CVE-2018-20843 is this commit:
<https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?
Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)
Thanks in advance,
Marius
signature.asc
Description: PGP signature