GNU bug report logs -
#36424
expat-2.2.7 for CVE-2018-20843
Reported by: Jack Hill <jackhill <at> jackhill.us>
Date: Fri, 28 Jun 2019 19:57:02 UTC
Severity: normal
Tags: security
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Message #11 received at 36424 <at> debbugs.gnu.org (full text, mbox):
Hi Jack,
Jack Hill <jackhill <at> jackhill.us> writes:
> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch! It did not apply cleanly on my end,
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

  $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
  Functions changes summary: 0 Removed, 0 Changed, 0 Added function
  Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
  Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
  Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

  15 Removed function symbols not referenced by debug info:

    XmlGetUtf16InternalEncoding
    XmlGetUtf16InternalEncodingNS
    XmlGetUtf8InternalEncoding
    XmlGetUtf8InternalEncodingNS
    XmlInitEncoding
    XmlInitEncodingNS
    XmlInitUnknownEncoding
    XmlInitUnknownEncodingNS
    XmlParseXmlDecl
    XmlParseXmlDeclNS
    XmlPrologStateInit
    XmlPrologStateInitExternalEntity
    XmlSizeOfUnknownEncoding
    XmlUtf16Encode
    XmlUtf8Encode

Apparently these symbols were never supposed to be exported:
<https://github.com/libexpat/libexpat/pull/197>. However, there could
be packages "in the wild" that use these symbols and would silently
break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit:
<https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.

I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)

Thanks in advance,
Marius
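
Added example (not part of the original message and not Guix or Expat code): one way to test the graft concern above is to intersect the symbols abidiff reports as removed with the undefined dynamic symbols of each dependent, as printed by `nm -D --undefined-only`. The dependent names and their nm output are constructed for illustration; the symbol list is the one quoted in the message.

```python
import re

# Removed-symbol section of the abidiff report quoted above, one name per line.
ABIDIFF_REPORT = "15 Removed function symbols not referenced by debug info:\n" + "\n".join("""
XmlGetUtf16InternalEncoding XmlGetUtf16InternalEncodingNS XmlGetUtf8InternalEncoding
XmlGetUtf8InternalEncodingNS XmlInitEncoding XmlInitEncodingNS XmlInitUnknownEncoding
XmlInitUnknownEncodingNS XmlParseXmlDecl XmlParseXmlDeclNS XmlPrologStateInit
XmlPrologStateInitExternalEntity XmlSizeOfUnknownEncoding XmlUtf16Encode XmlUtf8Encode
""".split())

# Constructed `nm -D --undefined-only` output for two hypothetical dependents.
NM_OUTPUT = {
    "libconsumer.so": "                 U XML_ParserCreate\n                 U malloc@GLIBC_2.2.5\n",
    "legacy-tool": "                 U XML_Parse\n                 U XmlUtf8Encode\n",
}

def removed_symbols(report):
    """Names listed under abidiff's 'N Removed function symbols' header."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*(\d+) Removed function symbols? not referenced", line)
        if not m:
            continue
        names = []
        for entry in (l.strip() for l in lines[i + 1:]):
            if entry and not re.fullmatch(r"[A-Za-z_]\w*", entry):
                break  # next section of the report
            if entry:
                names.append(entry)
        if len(names) != int(m.group(1)):
            raise ValueError("symbol list does not match the header count")
        return set(names)
    return set()

def undefined_symbols(nm_text):
    """Bare names of undefined (U) or weak (w) dynamic symbols from nm output."""
    syms = set()
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] in ("U", "w"):
            syms.add(parts[-1].split("@")[0])  # drop any @VERSION suffix
    return syms

def graft_breakage(report, nm_by_file):
    """Map each dependent to the removed symbols it still imports."""
    gone = removed_symbols(report)
    hits = {path: sorted(undefined_symbols(text) & gone) for path, text in nm_by_file.items()}
    return {path: used for path, used in hits.items() if used}

if __name__ == "__main__":
    print(graft_breakage(ABIDIFF_REPORT, NM_OUTPUT))
```

An empty result means none of the scanned dependents import a removed symbol through the dynamic symbol table; it says nothing about symbols resolved at run time with dlsym.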
This bug report was last modified 5 years and 317 days ago.