From 78ca483a0773d0c14f1b6cd972dd85d16327ced8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 11 Jul 2019 00:27:14 +0200 Subject: gnu: perl-xml-compile: Update to 1.63. * gnu/packages/xml.scm (perl-xml-compile): Update to 1.63. --- gnu/packages/xml.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index fc60758724..8c5c7b08c9 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -671,14 +671,14 @@ This module provide functions which simplify writing tests for (define-public perl-xml-compile (package (name "perl-xml-compile") - (version "1.62") + (version "1.63") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-" version ".tar.gz")) (sha256 (base32 - "0a75gr4qcjj8ybzljacbbkdxprbqpypz49bc0jb7cfamx1hp7p2w")))) + "0psr5pwsk2biz2bfkigmx04v2rfhs6ybwcfmcrrg7gvh9bpp222b")))) (build-system perl-build-system) (propagated-inputs `(("perl-carp" ,perl-carp) -- cgit v1.2.3 From f85c8dd8aec96869d7b56e2e926d2e2e758da1cf Mon Sep 17 00:00:00 2001 From: Jack Hill Date: Wed, 10 Jul 2019 16:03:19 -0400 Subject: gnu: expat: Add additional source URI The expat sourceforge page announces that the project is in the process of moving to GitHub. * gnu/packages/xml.scm (expat)[source]: Add GitHub URI. Signed-off-by: Marius Bakke --- gnu/packages/xml.scm | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'gnu/packages/xml.scm') diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 8c5c7b08c9..e3260be103 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -20,6 +20,7 @@ ;;; Copyright © 2017 Petter ;;; Copyright © 2017 Stefan Reichör ;;; Copyright © 2018 Pierre Neidhardt +;;; Copyright © 2018 Jack Hill ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -66,13 +67,18 @@ (package (name "expat") (version "2.2.6") - (source (origin - (method url-fetch) - (uri (string-append "mirror://sourceforge/expat/expat/" - version "/expat-" version ".tar.bz2")) - (sha256 - (base32 - "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p")))) + (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.bz2") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.bz2"))) + (sha256 + (base32 + "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))) (build-system gnu-build-system) (home-page "https://libexpat.github.io/") (synopsis "Stream-oriented XML parser library written in C") -- cgit v1.2.3 From 5a836ce38c9c29e9c2bd306007347486b90c5064 Mon Sep 17 00:00:00 2001 From: Jack Hill Date: Wed, 10 Jul 2019 16:23:03 -0400 Subject: gnu: expat: fix CVE-2018-20843 * gnu/packages/xml.scm (expat)[replacement]: New field. (expat/fixed): New variable. * gnu/packages/patches/expat-CVE-2018-20843.patch: New file. * gnu/local.mk (dist_patch_DATA): Add patch file. Signed-off-by: Marius Bakke --- gnu/local.mk | 1 + gnu/packages/patches/expat-CVE-2018-20843.patch | 21 +++++++++++++++++++++ gnu/packages/xml.scm | 9 +++++++++ 3 files changed, 31 insertions(+) create mode 100644 gnu/packages/patches/expat-CVE-2018-20843.patch (limited to 'gnu/packages/xml.scm') diff --git a/gnu/local.mk b/gnu/local.mk index ae5477c428..67d9eb703a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
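Review bot: The second entry of the new `uri` list builds a tag such as `R_2_2_6` from `version` through `dot->underscore`, and nothing in the hunk explains that naming scheme. A short comment above the `let` would cover it, e.g. `;; GitHub release tags use underscores instead of dots, e.g. "R_2_2_6".` It is also worth stating there that the unchanged `sha256` applies to both locations, so the GitHub download must be byte-identical to the SourceForge tarball; that shared hash is what keeps the extra URI from widening trust. As a style point, `dot->underscore` is only used inside `uri`, so the `let` could wrap that field rather than the whole `origin`. The `expat` package body continues outside this hunk.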
@@ -784,6 +784,7 @@ dist_patch_DATA = \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ %D%/packages/patches/exiv2-CVE-2017-14860.patch \ %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ + %D%/packages/patches/expat-CVE-2018-20843.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ diff --git a/gnu/packages/patches/expat-CVE-2018-20843.patch b/gnu/packages/patches/expat-CVE-2018-20843.patch new file mode 100644 index 0000000000..216fbe9667 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2018-20843.patch @@ -0,0 +1,21 @@ +Fix extraction of namespace prefix from XML name. +Fixes CVE-2018-20843 + +This patch comes from upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 +https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 + +CVE is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843 + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 30d55c5..737d7cd 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6071,7 +6071,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType) + else + poolDiscard(&dtd->pool); + elementType->prefix = prefix; +- ++ break; + } + } + return 1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index e3260be103..0cd9319c95 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -66,6 +66,7 @@ (define-public expat (package (name "expat") + (replacement expat/fixed) (version "2.2.6") (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin 
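Review bot: In the new `expat-CVE-2018-20843.patch`, the `diff --git` line names `a/expat/lib/xmlparse.c` while the `---`/`+++` lines name `a/lib/xmlparse.c`, so the embedded patch does not match the cited upstream commit byte for byte. The paths were presumably trimmed so that it applies to the release tarball layout. A header line such as `Paths adjusted from expat/lib/ to lib/ to match the release tarball.` would let a later auditor compare it with upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 without guessing. The header could also say in one sentence what the added `break;` in `setElementTypePrefix` changes (apparently ending the scan once a prefix has been set), so the rationale does not depend on the external CVE link alone.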
@@ -88,6 +89,14 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define expat/fixed + (package + (inherit expat) + (source + (origin + (inherit (package-source expat)) + (patches (search-patches "expat-CVE-2018-20843.patch")))))) + (define-public libebml (package (name "libebml") -- cgit v1.2.3
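Review bot: `expat/fixed` is introduced without a comment, so nothing records why the fix is delivered as a graft or when it can be removed. Suggest adding `;; Graft for CVE-2018-20843; fold the patch into 'expat' when it is next updated.` above the `define`. Because `replacement` works by rewriting references in dependents, any package that links expat statically or bundles its own copy would presumably keep the unpatched code and should be checked separately. The matching `(replacement expat/fixed)` line is in the earlier `@@ -66,6 +67,7 @@` hunk of the same commit.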