From patchwork Fri May 9 16:50:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Z572 X-Patchwork-Id: 42489 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id F3A1927BC4B; Fri, 9 May 2025 17:52:39 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,FROM_SUSPICIOUS_NTLD,MAILING_LIST_MULTI,PDS_OTHER_BAD_TLD, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED, RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,SPF_HELO_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4477927BC49 for ; Fri, 9 May 2025 17:52:39 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uDQxL-0003d4-Db; Fri, 09 May 2025 12:52:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uDQxB-0003bx-SF for guix-patches@gnu.org; Fri, 09 May 2025 12:52:07 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1uDQxA-0001lz-44 for guix-patches@gnu.org; Fri, 09 May 2025 12:52:05 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=6cHF+Flp5D97rZAupL+8xmeHR32yW+BjfPYVNRfh8HM=; b=JhJEWMxdAPpL1z/8fJPdgCNxw2arX8hP/nkxhzXFva4Lc+tXN+9ym6wSpsOHBTx5tsq892wKBQThCsKkekCEUpk0UGuNsoP5m33ga3DQ0vDwiep0n/Okr9hR/Z48sTMEN9fp3oC6/orLfLYqCqtthmD8WB6LSeKfA588Kadvi7INHjH7o2kWpKmtGPdqCS9VHqWBAcVVeVm5ithI1VoiYdRKJk/Xn55OAg0Gtz52e/kDbkZ9CET6f/sb9L8Tdwad1rvQDP37Z4THlZxv2guUORZ37pLR017gxVdaf0EU7+zd7o9rLRNCDeFzFSgR5QwDq2AGfqKidlY7gNSBFuJQOQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1uDQx9-0007QU-Vp for guix-patches@gnu.org; Fri, 09 May 2025 12:52:04 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#78337] [PATCH core-packages-team 4/4] gnu: expat: Update to 2.7.1. Resent-From: Zheng Junjie Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 09 May 2025 16:52:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 78337 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 78337@debbugs.gnu.org Received: via spool by 78337-submit@debbugs.gnu.org id=B78337.174680947428421 (code B ref 78337); Fri, 09 May 2025 16:52:03 +0000 Received: (at 78337) by debbugs.gnu.org; 9 May 2025 16:51:14 +0000 Received: from localhost ([127.0.0.1]:38980 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1uDQwL-0007OE-O6 for submit@debbugs.gnu.org; Fri, 09 May 2025 12:51:14 -0400 Received: from mail.z572.online ([88.99.160.180]:46358) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1uDQwI-0007N1-5o for 78337@debbugs.gnu.org; Fri, 09 May 2025 12:51:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=z572.online; s=me; t=1746809883; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6cHF+Flp5D97rZAupL+8xmeHR32yW+BjfPYVNRfh8HM=; b=PMydZL3+yDjheJNYgHEMqzv+TOclqXAjtM925ZeJvX7bf+lQVGS2jDTSdtXIJIHnKxIqP0 rAAbpmEobifBGo5yPA+tPj96gq85pTb0WjJ0aedxa6W3bVkyCLWH15ocl05ynHcYObIctc 5meVC74jpNz9lK12B/h4nL8PetKTe5E= Received: from m.tailaa68d.ts.net ( [61.174.159.83]) by mail.z572.online (OpenSMTPD) with ESMTPSA id 6f6ce7a4 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <78337@debbugs.gnu.org>; Fri, 9 May 2025 16:58:03 +0000 (UTC) From: Zheng Junjie Date: Sat, 10 May 2025 00:50:55 +0800 Message-ID: <3b47e053512b58a4664503357f6a871e0c2a66e3.1746808204.git.z572@z572.online> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/packages/xml.scm (expat): Update to 2.7.1. (expat/fixed): Remove it. * gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it. * gnu/local.mk (dist_patch_DATA): Unregister them. Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944 --- gnu/local.mk | 3 -- .../patches/expat-CVE-2024-45490.patch | 34 ------------------- .../patches/expat-CVE-2024-45491.patch | 34 ------------------- .../patches/expat-CVE-2024-45492.patch | 33 ------------------ gnu/packages/xml.scm | 16 ++------- 5 files changed, 2 insertions(+), 118 deletions(-) delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch diff --git a/gnu/local.mk b/gnu/local.mk index 831939f72e..c15ef425ca 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1258,9 +1258,6 @@ dist_patch_DATA = \ %D%/packages/patches/esmini-use-pkgconfig.patch \ %D%/packages/patches/esmtp-add-lesmtp.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/expat-CVE-2024-45490.patch \ - %D%/packages/patches/expat-CVE-2024-45491.patch \ - %D%/packages/patches/expat-CVE-2024-45492.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fail2ban-paths-guix-conf.patch \ diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch b/gnu/packages/patches/expat-CVE-2024-45490.patch deleted file mode 100644 index f876e78651..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45490.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch -Fixed in 2.6.3. -Takes only 1 of the 3 patches from -https://github.com/libexpat/libexpat/pull/890 to take the fix and not the -tests because that part doesn't apply cleanly. - -From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:26:07 +0200 -Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer - -Reported by TaiYou - ---- - expat/lib/xmlparse.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..ba1038119 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { - - if (parser == NULL) - return XML_STATUS_ERROR; -+ -+ if (len < 0) { -+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; -+ return XML_STATUS_ERROR; -+ } -+ - switch (parser->m_parsingStatus.parsing) { - case XML_SUSPENDED: - parser->m_errorCode = XML_ERROR_SUSPENDED; diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch b/gnu/packages/patches/expat-CVE-2024-45491.patch deleted file mode 100644 index 8ff10559bf..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45491.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch -Fixed in 2.6.3. - -From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:34:13 +0200 -Subject: [PATCH] lib: Detect integer overflow in dtdCopy - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..e2327bdcf 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, - if (! newE) - return 0; - if (oldE->nDefaultAtts) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if ((size_t)oldE->nDefaultAtts -+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { -+ return 0; -+ } -+#endif - newE->defaultAtts - = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); - if (! newE->defaultAtts) { diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch b/gnu/packages/patches/expat-CVE-2024-45492.patch deleted file mode 100644 index 852a9b3f59..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45492.patch +++ /dev/null @@ -1,33 +0,0 @@ -https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch -Fixed in 2.6.3. - -From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:37:16 +0200 -Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..f737575ea 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { - int next; - - if (! dtd->scaffIndex) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { -+ return -1; -+ } -+#endif - dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); - if (! dtd->scaffIndex) - return -1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index f29d5d2adc..5eb9be68c7 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -127,8 +127,7 @@ (define-public libxmlb (define-public expat (package (name "expat") - (version "2.5.0") - (replacement expat/fixed) + (version "2.7.1") (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -140,7 +139,7 @@ (define-public expat "/expat-" version ".tar.xz"))) (sha256 (base32 - "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g"))))) + "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m"))))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases @@ -164,17 +163,6 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) -(define-public expat/fixed - (hidden-package - (package - (inherit expat) - (replacement expat/fixed) - (source (origin - (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2024-45490.patch" - "expat-CVE-2024-45491.patch" - "expat-CVE-2024-45492.patch"))))))) - (define-public libebml (package (name "libebml")