From: Jack Hill
To: guix-patches@gnu.org
Date: Fri, 28 Jun 2019 15:56:42 -0400 (EDT)
Subject: expat-2.2.7 for CVE-2018-20843

Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a replacement for expat with expat-2.2.7. I also changed the origin to use the GitHub hosted tarball as upstream is moving in that direction.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Best,
Jack

Date: Fri, 28 Jun 2019 15:57:58 -0400 (EDT)
From: Jack Hill
To: 36424@debbugs.gnu.org
Subject: gnu: expat: Replace with 2.2.7 [security fixes]

From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
 gnu/packages/xml.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..1be2a58d2e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@ ;;; Copyright © 2017 Petter ;;; Copyright © 2017 Stefan Reichör ;;; Copyright © 2018 Pierre Neidhardt +;;; Copyright © 2019 Jack Hill ;;; ;;; This file is part of GNU Guix. ;;;
@@ -65,6 +66,7 @@ (define-public expat (package (name "expat") + (replacement expat-2.2.7) (version "2.2.6") (source (origin (method url-fetch)
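Review bot: in the `(define-public expat` hunk, `(replacement expat-2.2.7)` grafts a complete new upstream release onto every package built against 2.2.6, so the graft is only safe if 2.2.7 still exports at least the symbols 2.2.6 did; a replacement that inherits the 2.2.6 source and adds only the CVE-2018-20843 fix as a patch keeps the ABI identical and is the conservative choice for a security graft. The commit header as mailed also has From and Date but no Subject line, so the patch carries no commit title; the mail's own subject, `gnu: expat: Replace with 2.2.7 [security fixes]`, is the intended one.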
@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define-public expat-2.2.7 + (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c)))) + (package + (inherit expat) + (version "2.2.7") + (source + (origin + (method url-fetch) + (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz")) + (sha256 + (base32 + "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh"))))))) + (define-public libebml (package (name "libebml")
-- 
2.22.0
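Review bot: in the `+(define-public expat-2.2.7` hunk, the variant is exported with `define-public` although its only purpose is to back the `replacement` field; a plain `define` keeps a graft-only package out of `guix package -s` results and out of user profiles. The `dot->underscore` helper and the `releases/download/R_` URL are also wired into this variant alone, while the commit message says upstream is moving to GitHub for its releases; adding the GitHub URI to the base package's origin and inheriting that origin here would avoid two diverging download locations for the same project.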
From: Marius Bakke
To: Jack Hill, 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Sun, 30 Jun 2019 12:12:22 +0200
Message-ID: <87o92fv0u1.fsf@devup.no>

Hi Jack,

Jack Hill writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch!

It did not apply cleanly on my end, perhaps it got mangled by your mail user agent?
I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode

Apparently these symbols were never supposed to be exported: . However, there could be packages "in the wild" that use these symbols and would silently break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit: .

I think it's better to graft a variant with only this patch to be on the safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional download location for the regular Expat package?
:-)

Thanks in advance,
Marius

Date: Tue, 2 Jul 2019 16:49:30 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
In-Reply-To: <87o92fv0u1.fsf@devup.no>

Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:

> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
> XmlGetUtf16InternalEncoding
> XmlGetUtf16InternalEncodingNS
> XmlGetUtf8InternalEncoding
> XmlGetUtf8InternalEncodingNS
> XmlInitEncoding
> XmlInitEncodingNS
> XmlInitUnknownEncoding
> XmlInitUnknownEncodingNS
> XmlParseXmlDecl
> XmlParseXmlDeclNS
> XmlPrologStateInit
> XmlPrologStateInitExternalEntity
> XmlSizeOfUnknownEncoding
> XmlUtf16Encode
> XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> . However, there could
> be packages "in the wild" that use these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> .
>
> I think it's better to graft a variant with only this patch to be on the
> safe side. Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package? :-)

I'll try that as well. I'll also try to not let my mail client mangle them :)

Best,
Jack

Date: Wed, 03 Jul 2019 00:34:26 +0200
Message-Id: <87imsk3w25.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #36424

tags 36424 + security
quit

Date: Thu, 4 Jul 2019 19:49:57 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843

On Tue, 2 Jul 2019, Jack Hill wrote:

>> Apparently these symbols were never supposed to be exported:
>> . However, there could
>> be packages "in the wild" that use these symbols and would silently
>> break with the grafted Expat.
>>
>> IIUC the fix for CVE-2018-20843 is this commit:
>> .
>>
>> I think it's better to graft a variant with only this patch to be on the
>> safe side. Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package? :-)
>
> I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's proposed solution.
Thanks, Jack --925712948-1618475577-1562284198=:17508 Content-Type: text/x-diff; name=0001-gnu-expat-Add-additional-source-URI.patch Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename=0001-gnu-expat-Add-additional-source-URI.patch RnJvbSA0MTg2YTY4YjY2MGM5M2I1ODAwYmU4ZjEyNjA1MWRhOTI3NDlkYzlh IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQ0KRnJvbTogSmFjayBIaWxsIDxq YWNraGlsbEBqYWNraGlsbC51cz4NCkRhdGU6IFRodSwgNCBKdWwgMjAxOSAx NzowMDoyNyAtMDQwMA0KU3ViamVjdDogW1BBVENIIDEvMl0gZ251OiBleHBh dDogQWRkIGFkZGl0aW9uYWwgc291cmNlIFVSSQ0KDQpUaGUgZXhwYXQgc291 cmNlZm9yZ2UgcGFnZSBhbm5vdW5jZXMgdGhhdCB0aGUgcHJvamVjdCBpcyBp biB0aGUgcHJvY2VzcyBvZg0KbW92aW5nIHRvIEdpdEh1Yi4NCg0KKiBnbnUv cGFja2FnZXMveG1sLnNjbSAoZXhwYXQpW3NvdXJjZV06IEFkZCBHaXRIdWIg VVJJLg0KLS0tDQogZ251L3BhY2thZ2VzL3htbC5zY20gfCAzOSArKysrKysr KysrKysrKysrKysrKysrKy0tLS0tLS0tLS0tLS0tLS0NCiAxIGZpbGUgY2hh bmdlZCwgMjMgaW5zZXJ0aW9ucygrKSwgMTYgZGVsZXRpb25zKC0pDQoNCmRp ZmYgLS1naXQgYS9nbnUvcGFja2FnZXMveG1sLnNjbSBiL2dudS9wYWNrYWdl cy94bWwuc2NtDQppbmRleCBmYzYwNzU4NzI0Li5kYWI2NTk3NjkwIDEwMDY0 NA0KLS0tIGEvZ251L3BhY2thZ2VzL3htbC5zY20NCisrKyBiL2dudS9wYWNr YWdlcy94bWwuc2NtDQpAQCAtMjAsNiArMjAsNyBAQA0KIDs7OyBDb3B5cmln aHQgwqkgMjAxNyBQZXR0ZXIgPHBldHRlckBteWtvbGFiLmNoPg0KIDs7OyBD b3B5cmlnaHQgwqkgMjAxNyBTdGVmYW4gUmVpY2jDtnIgPHN0ZWZhbkB4c3Rl dmUuYXQ+DQogOzs7IENvcHlyaWdodCDCqSAyMDE4IFBpZXJyZSBOZWlkaGFy ZHQgPG1haWxAYW1icmV2YXIueHl6Pg0KKzs7OyBDb3B5cmlnaHQgwqkgMjAx OSBKYWNrIEhpbGwgPGphY2toaWxsQGphY2toaWxsLnVzPg0KIDs7Ow0KIDs7 OyBUaGlzIGZpbGUgaXMgcGFydCBvZiBHTlUgR3VpeC4NCiA7OzsNCkBAIC02 MywyNCArNjQsMzAgQEANCiAgICM6dXNlLW1vZHVsZSAoZ251IHBhY2thZ2Vz IHBrZy1jb25maWcpKQ0KIA0KIChkZWZpbmUtcHVibGljIGV4cGF0DQotICAo cGFja2FnZQ0KLSAgICAobmFtZSAiZXhwYXQiKQ0KLSAgICAodmVyc2lvbiAi Mi4yLjYiKQ0KLSAgICAoc291cmNlIChvcmlnaW4NCi0gICAgICAgICAgICAg KG1ldGhvZCB1cmwtZmV0Y2gpDQotICAgICAgICAgICAgICh1cmkgKHN0cmlu Zy1hcHBlbmQgIm1pcnJvcjovL3NvdXJjZWZvcmdlL2V4cGF0L2V4cGF0LyIN Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2ZXJzaW9uICIv 
ZXhwYXQtIiB2ZXJzaW9uICIudGFyLmJ6MiIpKQ0KLSAgICAgICAgICAgICAo c2hhMjU2DQotICAgICAgICAgICAgICAoYmFzZTMyDQotICAgICAgICAgICAg ICAgIjF3bDF4OTNiNXc0NTdkZHNkZ2owbGg3eWpxNHE2bDd3ZmJnd2hhZ2tj OGZtMnFra3JkMHAiKSkpKQ0KLSAgICAoYnVpbGQtc3lzdGVtIGdudS1idWls ZC1zeXN0ZW0pDQotICAgIChob21lLXBhZ2UgImh0dHBzOi8vbGliZXhwYXQu Z2l0aHViLmlvLyIpDQotICAgIChzeW5vcHNpcyAiU3RyZWFtLW9yaWVudGVk IFhNTCBwYXJzZXIgbGlicmFyeSB3cml0dGVuIGluIEMiKQ0KLSAgICAoZGVz Y3JpcHRpb24NCi0gICAgICJFeHBhdCBpcyBhbiBYTUwgcGFyc2VyIGxpYnJh cnkgd3JpdHRlbiBpbiBDLiAgSXQgaXMgYQ0KKyAgKGxldCAoKGRvdC0+dW5k ZXJzY29yZSAobGFtYmRhIChjKSAoaWYgKGVxdWFsPyAjXC4gYykgI1xfIGMp KSkpDQorICAgICAgKHBhY2thZ2UNCisgICAgICAgIChuYW1lICJleHBhdCIp DQorICAgICAgICAodmVyc2lvbiAiMi4yLjYiKQ0KKyAgICAgICAgKHNvdXJj ZSAob3JpZ2luDQorICAgICAgICAgICAgICAgICAgKG1ldGhvZCB1cmwtZmV0 Y2gpDQorICAgICAgICAgICAgICAgICAgKHVyaSAobGlzdCAoc3RyaW5nLWFw cGVuZA0KKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtaXJyb3I6 Ly9zb3VyY2Vmb3JnZS9leHBhdC9leHBhdC8iDQorICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgdmVyc2lvbiAiL2V4cGF0LSIgdmVyc2lvbiAiLnRh ci5iejIiKQ0KKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKHN0cmlu Zy1hcHBlbmQNCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHR0 cHM6Ly9naXRodWIuY29tL2xpYmV4cGF0L2xpYmV4cGF0L3JlbGVhc2VzL2Rv d25sb2FkL1JfIg0KKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIChz dHJpbmctbWFwIGRvdC0+dW5kZXJzY29yZSB2ZXJzaW9uKQ0KKyAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICIvZXhwYXQtIiB2ZXJzaW9uICIudGFy LmJ6MiIpKSkNCisgICAgICAgICAgICAgICAgICAoc2hhMjU2DQorICAgICAg ICAgICAgICAgICAgIChiYXNlMzINCisgICAgICAgICAgICAgICAgICAgICIx d2wxeDkzYjV3NDU3ZGRzZGdqMGxoN3lqcTRxNmw3d2ZiZ3doYWdrYzhmbTJx a2tyZDBwIikpKSkNCisgICAgICAgIChidWlsZC1zeXN0ZW0gZ251LWJ1aWxk LXN5c3RlbSkNCisgICAgICAgIChob21lLXBhZ2UgImh0dHBzOi8vbGliZXhw YXQuZ2l0aHViLmlvLyIpDQorICAgICAgICAoc3lub3BzaXMgIlN0cmVhbS1v cmllbnRlZCBYTUwgcGFyc2VyIGxpYnJhcnkgd3JpdHRlbiBpbiBDIikNCisg ICAgICAgIChkZXNjcmlwdGlvbg0KKyAgICAgICAgICJFeHBhdCBpcyBhbiBY TUwgcGFyc2VyIGxpYnJhcnkgd3JpdHRlbiBpbiBDLiAgSXQgaXMgYQ0KIHN0 
cmVhbS1vcmllbnRlZCBwYXJzZXIgaW4gd2hpY2ggYW4gYXBwbGljYXRpb24g cmVnaXN0ZXJzIGhhbmRsZXJzIGZvcg0KIHRoaW5ncyB0aGUgcGFyc2VyIG1p Z2h0IGZpbmQgaW4gdGhlIFhNTCBkb2N1bWVudCAobGlrZSBzdGFydCB0YWdz KS4iKQ0KLSAgICAobGljZW5zZSBsaWNlbnNlOmV4cGF0KSkpDQorICAgICAg ICAobGljZW5zZSBsaWNlbnNlOmV4cGF0KSkpKQ0KIA0KIChkZWZpbmUtcHVi bGljIGxpYmVibWwNCiAgIChwYWNrYWdlDQotLSANCjIuMjIuMA0KDQo= --925712948-1618475577-1562284198=:17508 Content-Type: text/x-diff; name=0002-gnu-expat-fix-CVE-2018-20843.patch Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename=0002-gnu-expat-fix-CVE-2018-20843.patch RnJvbSAyZjgyNjhhMGI1NDliOWMwODc0NGQ4YmMwNWUyY2YxMzVlNDBiZTk5 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQ0KRnJvbTogSmFjayBIaWxsIDxq YWNraGlsbEBqYWNraGlsbC51cz4NCkRhdGU6IFRodSwgNCBKdWwgMjAxOSAx OTo0MTozMCAtMDQwMA0KU3ViamVjdDogW1BBVENIIDIvMl0gZ251OiBleHBh dDogZml4IENWRS0yMDE4LTIwODQzLg0KDQoqIGdudS9wYWNrYWdlcy94bWwu c2NtIChleHBhdClbcmVwbGFjZW1lbnRdOiBOZXcgZmllbGQuDQooZXhwYXQv Zml4ZWQpOiBOZXcgdmFyaWFibGUuDQoqIGdudS9wYWNrYWdlcy9wYXRjaGVz L2V4cGF0LUNWRS0yMDE4LTIwODQzLnBhdGNoOiBOZXcgZmlsZS4NCiogZ251 L2xvY2FsLm1rIChkaXN0X3BhdGNoX0RBVEEpOiBBZGQgcGF0Y2ggZmlsZS4N Ci0tLQ0KIGdudS9sb2NhbC5tayAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIHwgIDcgKysrKy0tLQ0KIGdudS9wYWNrYWdlcy9wYXRjaGVz L2V4cGF0LUNWRS0yMDE4LTIwODQzLnBhdGNoIHwgMTYgKysrKysrKysrKysr KysrKw0KIGdudS9wYWNrYWdlcy94bWwuc2NtICAgICAgICAgICAgICAgICAg ICAgICAgICAgIHwgIDkgKysrKysrKysrDQogMyBmaWxlcyBjaGFuZ2VkLCAy OSBpbnNlcnRpb25zKCspLCAzIGRlbGV0aW9ucygtKQ0KIGNyZWF0ZSBtb2Rl IDEwMDY0NCBnbnUvcGFja2FnZXMvcGF0Y2hlcy9leHBhdC1DVkUtMjAxOC0y MDg0My5wYXRjaA0KDQpkaWZmIC0tZ2l0IGEvZ251L2xvY2FsLm1rIGIvZ251 L2xvY2FsLm1rDQppbmRleCA2ZTkwZDg4Njg5Li5iY2Y0N2Q3Mzc4IDEwMDY0 NA0KLS0tIGEvZ251L2xvY2FsLm1rDQorKysgYi9nbnUvbG9jYWwubWsNCkBA IC03NjQsMjAgKzc2NCwyMSBAQCBkaXN0X3BhdGNoX0RBVEEgPQkJCQkJCVwN CiAgICVEJS9wYWNrYWdlcy9wYXRjaGVzL2VpbnN0ZWluLWJ1aWxkLnBhdGNo CQkJXA0KICAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZW1hY3MtZXhlYy1wYXRo 
LnBhdGNoCQkJXA0KICAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZW1hY3MtZml4 LXNjaGVtZS1pbmRlbnQtZnVuY3Rpb24ucGF0Y2gJXA0KLSAgJUQlL3BhY2th Z2VzL3BhdGNoZXMvZW1hY3MtanNvbi1yZWZvcm1hdC1maXgtdGVzdHMucGF0 Y2gJXA0KICAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZW1hY3MtaGlnaGxpZ2h0 LXN0YWdlcy1hZGQtZ2V4cC5wYXRjaAlcDQorICAlRCUvcGFja2FnZXMvcGF0 Y2hlcy9lbWFjcy1qc29uLXJlZm9ybWF0LWZpeC10ZXN0cy5wYXRjaAlcDQog ICAlRCUvcGFja2FnZXMvcGF0Y2hlcy9lbWFjcy1zY2hlbWUtY29tcGxldGUt c2NoZW1lLXI1cnMtaW5mby5wYXRjaAlcDQogICAlRCUvcGFja2FnZXMvcGF0 Y2hlcy9lbWFjcy1zb3VyY2UtZGF0ZS1lcG9jaC5wYXRjaAkJXA0KLSAgJUQl L3BhY2thZ2VzL3BhdGNoZXMvZW1hY3MtdW5wYWNrYWdlZC1yZXEucGF0Y2gJ CVwNCiAgICVEJS9wYWNrYWdlcy9wYXRjaGVzL2VtYWNzLXVuZG9oaXN0LWln bm9yZWQucGF0Y2gJXA0KKyAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZW1hY3Mt dW5wYWNrYWdlZC1yZXEucGF0Y2gJCVwNCiAgICVEJS9wYWNrYWdlcy9wYXRj aGVzL2VtYWNzLXdvcmRudXQtcmVxdWlyZS1hZGFwdGl2ZS13cmFwLnBhdGNo CVwNCiAgICVEJS9wYWNrYWdlcy9wYXRjaGVzL2VtYWNzLXpvbmVzLWNhbGxl ZC1pbnRlcmFjdGl2ZWx5LnBhdGNoCVwNCiAgICVEJS9wYWNrYWdlcy9wYXRj aGVzL2VubGlnaHRlbm1lbnQtZml4LXNldHVpZC1wYXRoLnBhdGNoCVwNCiAg ICVEJS9wYWNrYWdlcy9wYXRjaGVzL2VybGFuZy1tYW4tcGF0aC5wYXRjaAkJ CVwNCiAgICVEJS9wYWNrYWdlcy9wYXRjaGVzL2V1ZGV2LXJ1bGVzLWRpcmVj dG9yeS5wYXRjaAkJXA0KICAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZXZpbHdt LWxvc3QtZm9jdXMtYnVnLnBhdGNoCQlcDQotICAlRCUvcGFja2FnZXMvcGF0 Y2hlcy9leGl2Mi1DVkUtMjAxNy0xNDg2MC5wYXRjaAkJXA0KICAgJUQlL3Bh Y2thZ2VzL3BhdGNoZXMvZXhpdjItQ1ZFLTIwMTctMTQ4NTktMTQ4NjItMTQ4 NjQucGF0Y2gJXA0KKyAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZXhpdjItQ1ZF LTIwMTctMTQ4NjAucGF0Y2gJCVwNCisgICVEJS9wYWNrYWdlcy9wYXRjaGVz L2V4cGF0LUNWRS0yMDE4LTIwODQzLnBhdGNoCQlcDQogICAlRCUvcGFja2Fn ZXMvcGF0Y2hlcy9leHR1bmRlbGV0ZS1lMmZzcHJvZ3MtMS40NC5wYXRjaAkJ XA0KICAgJUQlL3BhY2thZ2VzL3BhdGNoZXMvZmFzdGNhcC1tdWxHbG9iYWwu cGF0Y2gJCQlcDQogICAlRCUvcGFja2FnZXMvcGF0Y2hlcy9mYXN0Y2FwLW11 bFNldHVwLnBhdGNoCQkJXA0KZGlmZiAtLWdpdCBhL2dudS9wYWNrYWdlcy9w YXRjaGVzL2V4cGF0LUNWRS0yMDE4LTIwODQzLnBhdGNoIGIvZ251L3BhY2th Z2VzL3BhdGNoZXMvZXhwYXQtQ1ZFLTIwMTgtMjA4NDMucGF0Y2gNCm5ldyBm 
aWxlIG1vZGUgMTAwNjQ0DQppbmRleCAwMDAwMDAwMDAwLi5kZDY0YjkxOTY1 DQotLS0gL2Rldi9udWxsDQorKysgYi9nbnUvcGFja2FnZXMvcGF0Y2hlcy9l eHBhdC1DVkUtMjAxOC0yMDg0My5wYXRjaA0KQEAgLTAsMCArMSwxNiBAQA0K K0ZpeCBleHRyYWN0aW9uIG9mIG5hbWVzcGFjZSBwcmVmaXggZnJvbSBYTUwg bmFtZS4NCitGaXhlcyBDVkUtMjAxOC0yMDg0Mw0KKw0KK2RpZmYgLS1naXQg YS9leHBhdC9saWIveG1scGFyc2UuYyBiL2V4cGF0L2xpYi94bWxwYXJzZS5j DQoraW5kZXggMzBkNTVjNS4uNzM3ZDdjZCAxMDA2NDQNCistLS0gYS9leHBh dC9saWIveG1scGFyc2UuYw0KKysrKyBiL2V4cGF0L2xpYi94bWxwYXJzZS5j DQorQEAgLTYwNzEsNyArNjA3MSw3IEBAIHNldEVsZW1lbnRUeXBlUHJlZml4 KFhNTF9QYXJzZXIgcGFyc2VyLCBFTEVNRU5UX1RZUEUgKmVsZW1lbnRUeXBl KQ0KKyAgICAgICBlbHNlDQorICAgICAgICAgcG9vbERpc2NhcmQoJmR0ZC0+ cG9vbCk7DQorICAgICAgIGVsZW1lbnRUeXBlLT5wcmVmaXggPSBwcmVmaXg7 DQorLQ0KKysgICAgICBicmVhazsNCisgICAgIH0NCisgICB9DQorICAgcmV0 dXJuIDE7DQpkaWZmIC0tZ2l0IGEvZ251L3BhY2thZ2VzL3htbC5zY20gYi9n bnUvcGFja2FnZXMveG1sLnNjbQ0KaW5kZXggZGFiNjU5NzY5MC4uOGMyODlj NWNiZSAxMDA2NDQNCi0tLSBhL2dudS9wYWNrYWdlcy94bWwuc2NtDQorKysg Yi9nbnUvcGFja2FnZXMveG1sLnNjbQ0KQEAgLTY3LDYgKzY3LDcgQEANCiAg IChsZXQgKChkb3QtPnVuZGVyc2NvcmUgKGxhbWJkYSAoYykgKGlmIChlcXVh bD8gI1wuIGMpICNcXyBjKSkpKQ0KICAgICAgIChwYWNrYWdlDQogICAgICAg ICAobmFtZSAiZXhwYXQiKQ0KKyAgICAgICAgKHJlcGxhY2VtZW50IGV4cGF0 L2ZpeGVkKQ0KICAgICAgICAgKHZlcnNpb24gIjIuMi42IikNCiAgICAgICAg IChzb3VyY2UgKG9yaWdpbg0KICAgICAgICAgICAgICAgICAgIChtZXRob2Qg dXJsLWZldGNoKQ0KQEAgLTg5LDYgKzkwLDE0IEBAIHN0cmVhbS1vcmllbnRl ZCBwYXJzZXIgaW4gd2hpY2ggYW4gYXBwbGljYXRpb24gcmVnaXN0ZXJzIGhh bmRsZXJzIGZvcg0KIHRoaW5ncyB0aGUgcGFyc2VyIG1pZ2h0IGZpbmQgaW4g dGhlIFhNTCBkb2N1bWVudCAobGlrZSBzdGFydCB0YWdzKS4iKQ0KICAgICAg ICAgKGxpY2Vuc2UgbGljZW5zZTpleHBhdCkpKSkNCiANCisoZGVmaW5lIGV4 cGF0L2ZpeGVkDQorICAocGFja2FnZQ0KKyAgICAoaW5oZXJpdCBleHBhdCkN CisgICAgKHNvdXJjZQ0KKyAgICAgKG9yaWdpbg0KKyAgICAgICAoaW5oZXJp dCAocGFja2FnZS1zb3VyY2UgZXhwYXQpKQ0KKyAgICAgICAocGF0Y2hlcyAo c2VhcmNoLXBhdGNoZXMgImV4cGF0LUNWRS0yMDE4LTIwODQzLnBhdGNoIikp KSkpKQ0KKw0KIChkZWZpbmUtcHVibGljIGxpYmVibWwNCiAgIChwYWNrYWdl 
DQogICAgIChuYW1lICJsaWJlYm1sIikNCi0tIA0KMi4yMi4wDQoNCg==

Date: Thu, 4 Jul 2019 19:57:33 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843

Woops, looks like I still mangled the patches (by adding carriage-returns), but hopefully in a way that they still apply without infecting the code with that problem. I guess Alpine has let me down. At any rate, hopefully they're still useful and fix the problem. Let me know if you'd like me to try again.

Best,
Jack

Date: Thu, 4 Jul 2019 20:02:13 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843

Also, sorry for the extra noise in gnu/local.mk. I had inserted my patch in the wrong place and alphabetized a number of lines using my en_us.UTF-8 locale to fix it. Let me know if I should re-submit without the extraneous changes. Today hasn't been the best day for computer use for me I'm afraid.

Best,
Jack
From: Marius Bakke
To: Jack Hill
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Sat, 06 Jul 2019 00:53:52 +0200
Message-ID: <87wogwqein.fsf@devup.no>

Jack Hill writes:

> On Tue, 2 Jul 2019, Jack Hill wrote:
>
>>> Apparently these symbols were never supposed to be exported:
>>> . However, there could
>>> be packages "in the wild" that use these symbols and would silently
>>> break with the grafted Expat.
>>>
>>> IIUC the fix for CVE-2018-20843 is this commit:
>>> .
>>>
>>> I think it's better to graft a variant with only this patch to be on the
>>> safe side. Can you try that?
>>
>> Good idea. I didn't think to check. Yes, I can try to do that.
>>
>>> Could you also submit a second patch that adds GitHub as an additional
>>> download location for the regular Expat package? :-)
>>
>> I'll try that as well.
>
> I've prepared the two attached patches that I believe implement Marius's
> proposed solution.

Thanks! One minor problem... the expat patch does not actually apply on our copy of expat! Can you look into it?

> From 4186a68b660c93b5800be8f126051da92749dc9a Mon Sep 17 00:00:00 2001
> From: Jack Hill
> Date: Thu, 4 Jul 2019 17:00:27 -0400
> Subject: [PATCH 1/2] gnu: expat: Add additional source URI
>
> The expat sourceforge page announces that the project is in the process of
> moving to GitHub.
>
> * gnu/packages/xml.scm (expat)[source]: Add GitHub URI.
> ---
>  gnu/packages/xml.scm | 39 +++++++++++++++++++++++----------------
>  1 file changed, 23 insertions(+), 16 deletions(-)

[...]

>  (define-public expat
> -  (package
> -    (name "expat")
> -    (version "2.2.6")
> -    (source (origin
> -             (method url-fetch)
> -             (uri (string-append "mirror://sourceforge/expat/expat/"
> -                                 version "/expat-" version ".tar.bz2"))
> -             (sha256
> -              (base32
> -               "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> -    (build-system gnu-build-system)
> -    (home-page "https://libexpat.github.io/")
> -    (synopsis "Stream-oriented XML parser library written in C")
> -    (description
> -     "Expat is an XML parser library written in C. It is a
> +  (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
> +    (package
> +      (name "expat")
> +      (version "2.2.6")
> +      (source (origin
> +               (method url-fetch)
> +               (uri (list (string-append
> +                           "mirror://sourceforge/expat/expat/"
> +                           version "/expat-" version ".tar.bz2")
> +                          (string-append
> +                           "https://github.com/libexpat/libexpat/releases/download/R_"
> +                           (string-map dot->underscore version)
> +                           "/expat-" version ".tar.bz2")))
> +               (sha256
> +                (base32
> +                 "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
> +      (build-system gnu-build-system)
> +      (home-page "https://libexpat.github.io/")
> +      (synopsis "Stream-oriented XML parser library written in C")
> +      (description
> +       "Expat is an XML parser library written in C. It is a

Can you move this let binding inside the (source ...) field? That way we don't have to reindent the whole thing.

> From 2f8268a0b549b9c08744d8bc05e2cf135e40be99 Mon Sep 17 00:00:00 2001
> From: Jack Hill
> Date: Thu, 4 Jul 2019 19:41:30 -0400
> Subject: [PATCH 2/2] gnu: expat: fix CVE-2018-20843.
>
> * gnu/packages/xml.scm (expat)[replacement]: New field.
> (expat/fixed): New variable.
> * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patch file.
> ---
>  gnu/local.mk                                    |  7 ++++---
>  gnu/packages/patches/expat-CVE-2018-20843.patch | 16 ++++++++++++++++
>  gnu/packages/xml.scm                            |  9 +++++++++
>  3 files changed, 29 insertions(+), 3 deletions(-)
>  create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 6e90d88689..bcf47d7378 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -764,20 +764,21 @@ dist_patch_DATA = \
>    %D%/packages/patches/einstein-build.patch \
>    %D%/packages/patches/emacs-exec-path.patch \
>    %D%/packages/patches/emacs-fix-scheme-indent-function.patch \
> -  %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
>    %D%/packages/patches/emacs-highlight-stages-add-gexp.patch \
> +  %D%/packages/patches/emacs-json-reformat-fix-tests.patch \
>    %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch \
>    %D%/packages/patches/emacs-source-date-epoch.patch \
> -  %D%/packages/patches/emacs-unpackaged-req.patch \
>    %D%/packages/patches/emacs-undohist-ignored.patch \
> +  %D%/packages/patches/emacs-unpackaged-req.patch \
>    %D%/packages/patches/emacs-wordnut-require-adaptive-wrap.patch \
>    %D%/packages/patches/emacs-zones-called-interactively.patch \
>    %D%/packages/patches/enlightenment-fix-setuid-path.patch \
>    %D%/packages/patches/erlang-man-path.patch \
>    %D%/packages/patches/eudev-rules-directory.patch \
>    %D%/packages/patches/evilwm-lost-focus-bug.patch \
> -  %D%/packages/patches/exiv2-CVE-2017-14860.patch \
>    %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
> +  %D%/packages/patches/exiv2-CVE-2017-14860.patch \
> +  %D%/packages/patches/expat-CVE-2018-20843.patch \

You addressed this in another email, and I do think we should try to avoid needless moving around of these lines. There are enough merge conflicts on this file as-is, no need to introduce artificial ones. :-)

>    %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
>    %D%/packages/patches/fastcap-mulGlobal.patch \
>    %D%/packages/patches/fastcap-mulSetup.patch \
> diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch
> new file mode 100644
> index 0000000000..dd64b91965
> --- /dev/null
> +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
> @@ -0,0 +1,16 @@
> +Fix extraction of namespace prefix from XML name.
> +Fixes CVE-2018-20843
> +
> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
> +index 30d55c5..737d7cd 100644
> +--- a/expat/lib/xmlparse.c
> ++++ b/expat/lib/xmlparse.c
         ^^^^^^

It looks like this has to be removed from the patch file. Could you also add a link to the upstream commit for reference? It's also good practice to provide a URL to the MITRE CVE page: .

Thanks for working on this! :-)
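Review bot: In the xml.scm hunk of patch 1, `(if (equal? #\. c) #\_ c)` should use `char=?`, the idiomatic character comparison in Guile, and since `dot->underscore` is only needed by the `(uri ...)` expression, a `let` wrapped around the `origin` inside the `source` field keeps the diff to that one field instead of reindenting the whole package. The `(uri (list ...))` form is a fallback list tried in order, and both entries share the single `sha256`, so a mirror serving a different tarball is rejected at download time rather than silently built; that hash check is what makes adding the GitHub release URL safe. The GitHub path is built as `R_` followed by the version with dots replaced by underscores (`R_2_2_6` for 2.2.6), which is the tag scheme the release URL in the hunk relies on, and that convention is worth a line in the commit message.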
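Review bot: The embedded diff in the new expat-CVE-2018-20843.patch file uses the upstream repository layout in its file header (`--- a/expat/lib/xmlparse.c` / `+++ b/expat/lib/xmlparse.c`), while the release tarball the package unpacks has `lib/xmlparse.c` at its top level, so with the `-p1` strip level the target file is not found and the patch fails to apply; this matches the "does not actually apply" report above. Rewrite the header as `--- a/lib/xmlparse.c` and `+++ b/lib/xmlparse.c` (the `diff --git` and `index` lines can be dropped), and add the upstream commit URL and the MITRE CVE URL to the preamble so the origin of the fix is verifiable and the hunk body, which the quote above cuts off after the file header, can be compared against it.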
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT)
In-Reply-To: <87tvc0qedh.fsf@devup.no>

Please find updated patch files attached, that I think take into account Marius's suggestions (thanks Marius!)

Best,
Jack

P.S. I'm afraid I'm still struggling with Alpine inserting carriage returns in the attachments.
Content-Type: text/x-diff; name=0001-gnu-expat-Add-additional-source-URI.patch
Content-Disposition: attachment; filename=0001-gnu-expat-Add-additional-source-URI.patch
Content-Type: text/x-diff; name=0002-gnu-expat-fix-CVE-2018-20843.patch
Content-Disposition: attachment; filename=0002-gnu-expat-fix-CVE-2018-20843.patch
From: Marius Bakke
To: Jack Hill
Cc: 36424-done@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Fri, 12 Jul 2019 01:00:32 +0200
Message-ID: <87ftncmb1r.fsf@devup.no>

Jack Hill writes:

> Please find updated patch files attached, that I think take into account
> Marius's suggestions (thanks Marius!)

Thank you! I made a tiny tweak to use char=? instead of equal=? for the character comparison.

Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
Date: Thu, 11 Jul 2019 19:09:45 -0400 (EDT)
From: Jack Hill
To: Marius Bakke
Cc: 36424@debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
In-Reply-To: <87ftncmb1r.fsf@devup.no>

On Fri, 12 Jul 2019, Marius Bakke wrote:

> Thank you! I made a tiny tweak to use char=? instead of equal=? for the
> character comparison.

Cool, now I know about char=? ☺

> Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.

Thanks, and thanks for being patient with me working through the issues.

Best,
Jack

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 09 Aug 2019 11:24:05 +0000

bug archived.