[bug#36424] expat-2.2.7 for CVE-2018-20843

Message ID	alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net
State	Accepted
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843 Resent-From: Jack Hill <jackhill@jackhill.us> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 10 Jul 2019 20:55:02 +0000 Resent-Message-ID: <handler.36424.B36424.156279207030499@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: Marius Bakke <mbakke@fastmail.com> Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT) From: Jack Hill <jackhill@jackhill.us> In-Reply-To: <87tvc0qedh.fsf@devup.no> Message-ID: <alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net> References: <alpine.DEB.2.20.1906281553100.17508@marsh.hcoop.net> <87o92fv0u1.fsf@devup.no> <alpine.DEB.2.20.1907021647200.17508@marsh.hcoop.net> <alpine.DEB.2.20.1907041947340.17508@marsh.hcoop.net> <alpine.DEB.2.20.1907041955400.17508@marsh.hcoop.net> <alpine.DEB.2.20.1907041959080.17508@marsh.hcoop.net> <87tvc0qedh.fsf@devup.no> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="925712948-1990263252-1562792053=:17508" Precedence: list Cc: 36424@debbugs.gnu.org Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches
Series	[bug#36424] expat-2.2.7 for CVE-2018-20843 \| expand [bug#36424] expat-2.2.7 for CVE-2018-20843

Message ID

alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net

State

Accepted

Headers

Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Resent-From: Jack Hill <jackhill@jackhill.us>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 10 Jul 2019 20:55:02 +0000
Resent-Message-ID: <handler.36424.B36424.156279207030499@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT)
From: Jack Hill <jackhill@jackhill.us>
In-Reply-To: <87tvc0qedh.fsf@devup.no>
Message-ID: <alpine.DEB.2.20.1907101651470.17508@marsh.hcoop.net>
References: <alpine.DEB.2.20.1906281553100.17508@marsh.hcoop.net>
 <87o92fv0u1.fsf@devup.no>
 <alpine.DEB.2.20.1907021647200.17508@marsh.hcoop.net>
 <alpine.DEB.2.20.1907041947340.17508@marsh.hcoop.net>
 <alpine.DEB.2.20.1907041955400.17508@marsh.hcoop.net>
 <alpine.DEB.2.20.1907041959080.17508@marsh.hcoop.net>
 <87tvc0qedh.fsf@devup.no>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 BOUNDARY="925712948-1990263252-1562792053=:17508"
Precedence: list
Cc: 36424@debbugs.gnu.org
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>

Series

[bug#36424] expat-2.2.7 for CVE-2018-20843 | expand

Please find updated patch files attached, that I think take into account Marius's suggestions (thanks Marius!) Best, Jack P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns in the attachments.

Comments

Marius Bakke July 11, 2019, 11 p.m. UTC | #1

Jack Hill <jackhill@jackhill.us> writes:

> Please find updated patch files attached, that I think take into account 
> Marius's suggestions (thanks Marius!)

Thank you!  I made a tiny tweak to use char=? instead of equal=? for the
character comparison.

Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.

Jack Hill July 11, 2019, 11:09 p.m. UTC | #2

On Fri, 12 Jul 2019, Marius Bakke wrote:

> Thank you!  I made a tiny tweak to use char=? instead of equal=? for the
> character comparison.

Cool, now I know about char=? ☺

> Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.

Thanks, and thanks for being patient with me working through the issues.

Best,
Jack

From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Wed, 10 Jul 2019 16:23:03 -0400
Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat/fixed): New variable.
* gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch file.
---
 gnu/local.mk                                  |  1 +
 .../patches/expat-CVE-2018-20843.patch        | 21 +++++++++++++++++++
 gnu/packages/xml.scm                          |  9 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9a70d73759..054aa93fd5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -785,6 +785,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
   %D%/packages/patches/exiv2-CVE-2017-14860.patch		\
   %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch	\
+  %D%/packages/patches/expat-CVE-2018-20843.patch		\
   %D%/packages/patches/extundelete-e2fsprogs-1.44.patch		\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
   %D%/packages/patches/fastcap-mulSetup.patch			\
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000000..216fbe9667
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,21 @@ 
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b6a376a405..fbd0ff284b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -66,6 +66,7 @@ 
 (define-public expat
   (package
     (name "expat")
+    (replacement expat/fixed)
     (version "2.2.6")
     (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
               (origin
@@ -88,6 +89,14 @@  stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+(define expat/fixed
+  (package
+    (inherit expat)
+    (source
+     (origin
+       (inherit (package-source expat))
+       (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
 (define-public libebml
   (package
     (name "libebml")
-- 
2.22.0

[bug#36424] expat-2.2.7 for CVE-2018-20843

Commit Message

Comments

Patch