From b9bc6e842066b066ebdf9eaf75d41753598d75b5 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 12 Sep 2016 16:54:45 -0400 Subject: gnu: expat: Fix regression caused by fix for CVE-2016-0718. * gnu/packages/xml.scm (expat)[replacement]: New field. (expat/fixed): New variable. * gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + .../expat-CVE-2016-0718-fix-regression.patch | 35 ++++++++++++++++++++++ gnu/packages/xml.scm | 12 ++++++++ 3 files changed, 48 insertions(+) create mode 100644 gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch diff --git a/gnu/local.mk b/gnu/local.mk index a690b6e25d..e8bae66d40 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -506,6 +506,7 @@ dist_patch_DATA = \ %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch \ %D%/packages/patches/expat-CVE-2015-1283-refix.patch \ %D%/packages/patches/expat-CVE-2016-0718.patch \ + %D%/packages/patches/expat-CVE-2016-0718-fix-regression.patch \ %D%/packages/patches/fastcap-mulGlobal.patch \ %D%/packages/patches/fastcap-mulSetup.patch \ %D%/packages/patches/fasthenry-spAllocate.patch \ diff --git a/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch new file mode 100644 index 0000000000..b489401fea --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch @@ -0,0 +1,35 @@ +Fix regression caused by fix for CVE-2016-0718 when building with -DXML_UNICODE. + +Discussion: + +https://sourceforge.net/p/expat/bugs/539/ + +Patch copied from upstream source repository: + +https://sourceforge.net/p/expat/code_git/ci/af507cef2c93cb8d40062a0abe43a4f4e9158fb2/ + +From af507cef2c93cb8d40062a0abe43a4f4e9158fb2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 17 Jul 2016 20:22:29 +0200 +Subject: [PATCH 1/2] Fix regression bug #539 (needs -DXML_UNICODE) + +Thanks to Andy Wang and Karl Waclawek! +--- + expat/lib/xmlparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index b308e67..0d5dd7b 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2468,7 +2468,7 @@ doContent(XML_Parser parser, + &fromPtr, rawNameEnd, + (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); + convLen = (int)(toPtr - (XML_Char *)tag->buf); +- if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { ++ if ((fromPtr >= rawNameEnd) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { + tag->name.strLen = convLen; + break; + } +-- +2.10.0 diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index cd3426b55f..879b37a337 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -52,6 +52,7 @@ (define-module (gnu packages xml) (define-public expat (package (name "expat") + (replacement expat/fixed) (version "2.1.1") (source (origin (method url-fetch) @@ -72,6 +73,17 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) +(define expat/fixed + (package + (inherit expat) + (source (origin + (inherit (package-source expat)) + (patches (search-patches + "expat-CVE-2012-6702-and-CVE-2016-5300.patch" + "expat-CVE-2015-1283-refix.patch" + "expat-CVE-2016-0718.patch" + "expat-CVE-2016-0718-fix-regression.patch")))))) + (define-public libxml2 (package (name "libxml2") -- cgit v1.2.3