bug#55776: maven-core fails to build

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#55776: maven-core fails to build

From:	Julien Lepiller
Subject:	bug#55776: maven-core fails to build
Date:	Sat, 4 Jun 2022 15:47:07 +0200

Le Sat, 04 Jun 2022 12:25:21 +0200,
Remco van 't Veer <remco@remworks.net> a écrit :

> I did some digging and found this regression is caused by commit:
> 
>  6068b83b82475566acd4162467bcf54270f338f9
>  "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
> 
> Apparently the fix for this issue causes jdom to be very strict;
> 
> > java.io.IOException: Invalid input descriptor for merge:
> > /tmp/plexus-metadata3957336728290309540xml -->
> > http://xml.org/sax/features/external-general-entities feature
> > http://xml.org/sax/features/external-general-entities not supported
> > for SAX driver org.codehaus.plexus.metadata.merge.Driver  
> 
> Which sound familiar when looking at that CVE
> (https://github.com/advisories/GHSA-2363-cqg2-863c):
> 
> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> > cause a denial of service via a crafted HTTP request. At this time
> > there is not released fixed version of JDOM. As a workaround, to
> > avoid external entities being expanded, one can call
> > builder.setExpandEntities(false) and they won't be expanded.  
> 
> I dunno how to fix this though, I'm just a curious guixer.  Easiest
> path seems to be to make a new java-jdom-2.0.6 var and use that as a
> native-input for maven.  Would that be an acceptable solution?
> 
> Cheers,
> Remco
> 

Like you say, the issue is with the new jdom. Believe it or not, but
between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
changes, too)!

So I figured I could fix java-plexus-component-metadata that we use to
generate some xml files during the build of maven. jdom is one of its
inputs. Adding another jdom to the native inputs would probably not fix
the issue.

What I did instead is, since jdom wants to set more features than
supported in the driver, to add dummy support for all these additional
features by just not throwing the exception. It's not very satisfying,
but it works and we don't keep a vulnerable jdom around. With the
attached patch, I built up to maven.

0001-gnu-java-plexus-component-metadata-Fix-package.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

bug#55776: maven-core fails to build, Dr. Arne Babenhauserheide, 2022/06/03
- bug#55776: maven-core fails to build, Remco van 't Veer, 2022/06/04
  - bug#55776: maven-core fails to build, Julien Lepiller <=
    - bug#55776: maven-core fails to build, Remco van 't Veer, 2022/06/04
    - bug#55776: maven-core fails to build, Dr. Arne Babenhauserheide, 2022/06/04
    - bug#55776: maven-core fails to build, Julien Lepiller, 2022/06/08
    - bug#55776: maven-core fails to build, Andrew Tropin, 2022/06/08
- bug#55776: maven-core fails to build, Steve George, 2022/06/07

Prev by Date: bug#55776: maven-core fails to build
Next by Date: bug#55657: libgccjit is unusable
Previous by thread: bug#55776: maven-core fails to build
Next by thread: bug#55776: maven-core fails to build
Index(es):
- Date
- Thread