GNU bug report logs - #55776
maven-core fails to build

Previous Next

Package: guix;

Reported by: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>

Date: Fri, 3 Jun 2022 06:07:01 UTC

Severity: normal

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

Message #8 received at 55776 <at> debbugs.gnu.org (full text, mbox):

From: Remco van 't Veer <remco <at> remworks.net>
To: 55776 <at> debbugs.gnu.org
Cc: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
Subject: Re: bug#55776: maven-core fails to build
Date: Sat, 04 Jun 2022 12:25:21 +0200

I did some digging and found this regression is caused by commit:

 6068b83b82475566acd4162467bcf54270f338f9
 "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."

Apparently the fix for this issue causes jdom to be very strict;

> java.io.IOException: Invalid input descriptor for merge:
> /tmp/plexus-metadata3957336728290309540xml -->
> http://xml.org/sax/features/external-general-entities feature
> http://xml.org/sax/features/external-general-entities not supported
> for SAX driver org.codehaus.plexus.metadata.merge.Driver

Which sound familiar when looking at that CVE
(https://github.com/advisories/GHSA-2363-cqg2-863c):

> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> cause a denial of service via a crafted HTTP request. At this time
> there is not released fixed version of JDOM. As a workaround, to avoid
> external entities being expanded, one can call
> builder.setExpandEntities(false) and they won't be expanded.

I dunno how to fix this though, I'm just a curious guixer.  Easiest path
seems to be to make a new java-jdom-2.0.6 var and use that as a
native-input for maven.  Would that be an acceptable solution?

Cheers,
Remco
This bug report was last modified 3 years and 68 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.