guix-patches

[bug#36424] expat-2.2.7 for CVE-2018-20843


From: Marius Bakke
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Sun, 30 Jun 2019 12:12:22 +0200
User-agent: Notmuch/0.29.1 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu)

Hi Jack,

Jack Hill <address@hidden> writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which 
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a 
> replacement for expat with expat-2.2.7. I also changed the origin to use 
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch!  It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode

Apparently these symbols were never supposed to be exported:
<https://github.com/libexpat/libexpat/pull/197>.  However, there could
be packages "in the wild" that use these symbols and would silently
break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit:
<https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.

I think it's better to graft a variant with only this patch to be on the
safe side.  Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package?  :-)

Thanks in advance,
Marius
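
An added example, not part of the original message: one way to check whether a binary imports any of the 15 symbols that abidiff reported as removed, which is the silent-breakage risk raised above. It assumes GNU `nm` is installed; the function names and the sample `nm` output are constructed for illustration.

```shell
#!/bin/sh
# The 15 symbols abidiff reported as removed in expat 2.2.7 (from the report above).
REMOVED_SYMBOLS="XmlGetUtf16InternalEncoding XmlGetUtf16InternalEncodingNS \
XmlGetUtf8InternalEncoding XmlGetUtf8InternalEncodingNS \
XmlInitEncoding XmlInitEncodingNS \
XmlInitUnknownEncoding XmlInitUnknownEncodingNS \
XmlParseXmlDecl XmlParseXmlDeclNS \
XmlPrologStateInit XmlPrologStateInitExternalEntity \
XmlSizeOfUnknownEncoding XmlUtf16Encode XmlUtf8Encode"

# Read `nm -D --undefined-only` output on stdin and print each removed symbol
# the binary imports, once, in input order. A trailing "@VERSION" is ignored.
removed_symbols_used() {
    awk -v removed="$REMOVED_SYMBOLS" '
        BEGIN { n = split(removed, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        NF {
            sym = $NF
            sub(/@.*/, "", sym)
            if ((sym in want) && !(sym in seen)) { seen[sym] = 1; print sym }
        }'
}

# Print "file: symbol" for every ELF file (given as arguments) that imports a
# removed symbol; return 1 if there was at least one hit, 0 otherwise.
scan_binaries() {
    rc=0
    for f in "$@"; do
        hits=$(nm -D --undefined-only "$f" 2>/dev/null | removed_symbols_used)
        [ -n "$hits" ] || continue
        rc=1
        for s in $hits; do printf '%s: %s\n' "$f" "$s"; done
    done
    return "$rc"
}

# Constructed sample of `nm -D --undefined-only` output for a hypothetical
# program; the version label is made up.
sample_nm_output() {
    cat <<'EOF'
                 U XML_ParserCreate
                 U XmlParseXmlDecl
                 U XmlUtf8Encode@SAMPLE_VERSION
                 U malloc
                 w __gmon_start__
EOF
}
```

Calling `scan_binaries` on the ELF files of packages that depend on Expat lists any that would lose a symbol under the graft; it only sees dynamic imports, not symbols looked up at run time with `dlsym`.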
