guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: gnu: expat: fix CVE-2018-20843

From: guix-commits
Subject: 02/02: gnu: expat: fix CVE-2018-20843
Date: Thu, 11 Jul 2019 18:40:19 -0400 (EDT) 
mbakke pushed a commit to branch master
in repository guix.

commit 5a836ce38c9c29e9c2bd306007347486b90c5064
Author: Jack Hill <address@hidden>
Date:   Wed Jul 10 16:23:03 2019 -0400

    gnu: expat: fix CVE-2018-20843
    
    * gnu/packages/xml.scm (expat)[replacement]: New field.
    (expat/fixed): New variable.
    * gnu/packages/patches/expat-CVE-2018-20843.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add patch file.
    
    Signed-off-by: Marius Bakke <address@hidden>
---
 gnu/local.mk                                    |  1 +
 gnu/packages/patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++++
 gnu/packages/xml.scm                            |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index ae5477c..67d9eb7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -784,6 +784,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/evilwm-lost-focus-bug.patch             \
   %D%/packages/patches/exiv2-CVE-2017-14860.patch              \
   %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch  \
+  %D%/packages/patches/expat-CVE-2018-20843.patch              \
   %D%/packages/patches/extundelete-e2fsprogs-1.44.patch                \
   %D%/packages/patches/fastcap-mulGlobal.patch                 \
   %D%/packages/patches/fastcap-mulSetup.patch                  \
diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch 
b/gnu/packages/patches/expat-CVE-2018-20843.patch
new file mode 100644
index 0000000..216fbe9
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2018-20843.patch
@@ -0,0 +1,21 @@
+Fix extraction of namespace prefix from XML name.
+Fixes CVE-2018-20843
+
+This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5..737d7cd 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE 
*elementType)
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index e3260be..0cd9319 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -66,6 +66,7 @@
 (define-public expat
   (package
     (name "expat")
+    (replacement expat/fixed)
     (version "2.2.6")
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers 
handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+(define expat/fixed
+  (package
+    (inherit expat)
+    (source
+     (origin
+       (inherit (package-source expat))
+       (patches (search-patches "expat-CVE-2018-20843.patch"))))))
+
 (define-public libebml
   (package
     (name "libebml")
reply via email to
[Prev in Thread] Current Thread [Next in Thread]