GNU bug report logs - #36424
expat-2.2.7 for CVE-2018-20843


Package: guix-patches;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Fri, 28 Jun 2019 19:57:02 UTC

Severity: normal

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.


From: Jack Hill <jackhill <at> jackhill.us>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 36424 <at> debbugs.gnu.org
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Thu, 4 Jul 2019 19:49:57 -0400 (EDT)
On Tue, 2 Jul 2019, Jack Hill wrote:

>> Apparently these symbols were never supposed to be exported:
>> <https://github.com/libexpat/libexpat/pull/197>.  However, there could
>> be packages "in the wild" that use these symbols and would silently
>> break with the grafted Expat.
>> 
>> IIUC the fix for CVE-2018-20843 is this commit:
>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>> 
>> I think it's better to graft a variant with only this patch to be on the
>> safe side.  Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package?  :-)
>
> I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's proposed solution.

Thanks,
Jack
[0001-gnu-expat-Add-additional-source-URI.patch (text/x-diff, attachment)]
[0002-gnu-expat-fix-CVE-2018-20843.patch (text/x-diff, attachment)]
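For readers unfamiliar with the mechanism discussed above, here is an added illustration (written for this page, not the contents of the two attached patches) of how a Guix package definition expresses both changes: a second download URI on GitHub, and a graft (the `replacement` field) to a variant that differs only by the CVE-2018-20843 patch so that dependents are not rebuilt. The base version 2.2.6, the patch file name and the hash are assumptions; the real values come from the attached patches and from `guix download`.

```scheme
;; Added illustration, not the attached patches.  Version, patch file name
;; and hash are placeholders/assumptions.
(define-module (gnu packages expat-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))   ; provides search-patches

(define-public expat
  (package
    (name "expat")
    (version "2.2.6")              ; assumed: the release before the fix
    ;; The graft: anything built against `expat' gets its store references
    ;; rewritten to `expat/fixed' at install time, without a rebuild.
    (replacement expat/fixed)
    (source (origin
              (method url-fetch)
              ;; Two download locations; Guix tries the next URI when the
              ;; first one fails, so a mirror outage does not block builds.
              (uri (list (string-append "mirror://sourceforge/expat/expat/"
                                        version "/expat-" version ".tar.bz2")
                         (string-append "https://github.com/libexpat/libexpat"
                                        "/releases/download/R_"
                                        (string-join (string-split version #\.)
                                                     "_")
                                        "/expat-" version ".tar.bz2")))
              (sha256
               (base32
                ;; placeholder: substitute the hash printed by `guix download'
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "https://libexpat.github.io/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is a stream-oriented XML parser library written in C.")
    (license license:expat)))

;; Same version with only the upstream fix applied.  Because no exported
;; symbol changes, the ABI stays identical and the graft is safe, which is
;; the point of preferring this over grafting the 2.2.7 release.
(define expat/fixed
  (package
    (inherit expat)
    (source (origin
              (inherit (package-source expat))
              (patches (search-patches "expat-CVE-2018-20843.patch"))))))
```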
