From patchwork Wed Jul 10 20:54:12 2019
X-Patchwork-Submitter: Jack Hill
X-Patchwork-Id: 14568
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: security
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT)
In-Reply-To: <87tvc0qedh.fsf@devup.no>

Please find updated patch files attached, that I think take into account
Marius's suggestions (thanks Marius!)

Best,
Jack

P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns
in the attachments.

From c79efd83ecaa0b541de050da035ef67d972ac458 Mon Sep 17 00:00:00 2001
From: Jack Hill Date: Wed, 10 Jul 2019 16:23:03 -0400 Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843 * gnu/packages/xml.scm (expat)[replacement]: New field. (expat/fixed): New variable. * gnu/packages/patches/expat-CVE-2018-20843.patch: New file. * gnu/local.mk (dist_patch_DATA): Add patch file. --- gnu/local.mk | 1 + .../patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++ gnu/packages/xml.scm | 9 ++++++++ 3 files changed, 31 insertions(+) create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9a70d73759..054aa93fd5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -785,6 +785,7 @@ dist_patch_DATA = \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ %D%/packages/patches/exiv2-CVE-2017-14860.patch \ %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ + %D%/packages/patches/expat-CVE-2018-20843.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch new file mode 100644 index 0000000000..216fbe9667 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch @@ -0,0 +1,21 @@ +Fix extraction of namespace prefix from XML name. +Fixes CVE-2018-20843 + +This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 +https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 + +CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843 + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 30d55c5..737d7cd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType) + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; 
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index b6a376a405..fbd0ff284b 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -66,6 +66,7 @@ (define-public expat (package (name "expat") + (replacement expat/fixed) (version "2.2.6") (source (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) (origin @@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define expat/fixed + (package + (inherit expat) + (source + (origin + (inherit (package-source expat)) + (patches (search-patches "expat-CVE-2018-20843.patch")))))) + (define-public libebml (package (name "libebml") -- 2.22.0
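
Review bot: in the new file gnu/packages/patches/expat-CVE-2018-20843.patch, the embedded `diff --git` line names a/expat/lib/xmlparse.c while the `---`/`+++` pair names a/lib/xmlparse.c. The `---`/`+++` lines are what patch acts on, so the hunk targets lib/xmlparse.c, but the mismatch reads as accidental; make the `diff --git` line agree, or add a sentence to the header saying the upstream path was adjusted for the release tarball layout. The cover note also mentions alpine inserting carriage returns into attachments, so confirm this file has LF line endings before it is committed, since a stray CR on the `+ break;` line or its context can keep the hunk from applying.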
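
Review bot: in the first gnu/packages/xml.scm hunk (@@ -66,6 +66,7 @@), `(replacement expat/fixed)` is inserted between `(name "expat")` and `(version "2.2.6")`, which splits the two fields a reader looks at together. Moving it to directly after the `version` line keeps name and version adjacent and makes the graft easier to spot and remove later. A short comment on that line stating that the package stays at 2.2.6 and is grafted for CVE-2018-20843 would also explain why the version is unchanged.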
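
Review bot: in the second gnu/packages/xml.scm hunk (@@ -88,6 +89,14 @@), `expat/fixed` sets `(patches (search-patches "expat-CVE-2018-20843.patch"))` on the inherited origin, which replaces rather than extends any `patches` list the expat origin already carries. The origin's fields are cut off in the context shown here, so confirm it has none, or append to `(origin-patches (package-source expat))` instead. The definition also has no comment; one line above `(define expat/fixed` naming the CVE would tell whoever drops the graft on the next expat update why it exists.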