GNU bug report logs -
#47342
java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Tue, 23 Mar 2021 14:34:02 UTC
Severity: normal
Tags: security
Done: Julien Lepiller <julien <at> lepiller.eu>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47342 in the body.
You can then email your comments to 47342 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 14:34:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Tue, 23 Mar 2021 14:34:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Upstream has made a release: 1.4.16 - which fixes all the issues,
following is an unfinished patchset that fixes the issues, java-
mxparser package does not build and help from some more experienced
Java packagers is welcome to fix and push this patchset.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 14:39:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 47342 <at> debbugs.gnu.org (full text, mbox):
Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
gnu/packages/xml.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.")
(define-public java-xstream
(package
(name "java-xstream")
- (version "1.4.15")
+ (version "1.4.16")
(source
(origin
(method git-fetch)
@@ -2229,7 +2229,7 @@ outputting XML data from Java code.")
version)))))
(file-name (git-file-name name version))
(sha256
- (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))
+ (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755"))))
(build-system ant-build-system)
(arguments
`(#:jar-name "xstream.jar"
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.")
("java-joda-time" ,java-joda-time)
("java-jettison" ,java-jettison)
("java-xom" ,java-xom)
- ("java-xpp3" ,java-xpp3)
+ ("java-mxparser" ,java-mxparser)
("java-dom4j" ,java-dom4j)
("java-stax2-api" ,java-stax2-api)
("java-woodstox-core" ,java-woodstox-core)
--
2.31.0
Information forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 14:39:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 47342 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/xml.scm (java-mxparser): New variable.
---
gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 2a72fc6ad2..96287b3174 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2256,6 +2256,34 @@ outputting XML data from Java code.")
and back again.")
(license license:bsd-3)))
+(define-public java-mxparser
+ (package
+ (name "java-mxparser")
+ (version "1.2.1")
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append
+ "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/"
+ version "/mxparser-" version "-sources.jar"))
+ (sha256
+ (base32
+ "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl"))))
+ (build-system ant-build-system)
+ (home-page "https://github.com/x-stream/mxparser")
+ (synopsis "Streaming pull XML parser forked from @code{java-xpp3}")
+ (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors). This
+package is a stable XmlPull parsing engine that is based on ideas from XPP
+and in particular XPP2 but completely revised and rewritten to take the best
+advantage of JIT JVMs.
+
+MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged
+changes of the Plexus fork. It is an implementation of the XMLPULL V1 API
+(parser only).")
+ (license (license:non-copyleft "file://LICENSE.txt"))))
+
(define-public xmlrpc-c
(package
(name "xmlrpc-c")
--
2.31.0
Added tag(s) security.
Request was from
Léo Le Bouter <lle-bout <at> zaclys.net>
to
control <at> debbugs.gnu.org.
(Tue, 23 Mar 2021 15:10:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 17:34:01 GMT)
Full text and
rfc822 format available.
Message #16 received at submit <at> debbugs.gnu.org (full text, mbox):
On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>
> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
> former made by upstream.
Thanks for the patch!
Pinging Julien...
Information forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 17:34:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#47342; Package
guix.
(Tue, 23 Mar 2021 21:19:01 GMT)
Full text and
rfc822 format available.
Message #22 received at 47342 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developped at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.
This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?
I asked upstseam (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.
Once we have that information, I can take care of the xstream update.
Le 23 mars 2021 13:33:45 GMT-04:00, Leo Famulari <leo <at> famulari.name> a écrit :
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>>
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a
>fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...
[Message part 2 (text/html, inline)]
Reply sent
to
Julien Lepiller <julien <at> lepiller.eu>:
You have taken responsibility.
(Tue, 23 Mar 2021 22:32:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer.
(Tue, 23 Mar 2021 22:32:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 47342-done <at> debbugs.gnu.org (full text, mbox):
Le Tue, 23 Mar 2021 15:33:26 +0100,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> a écrit :
> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-
> mxparser package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.
Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to
8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,
with changes discussed on IRC.
Thanks a lot for noticing it!
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 21 Apr 2021 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 3 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.