[bug#36424] expat-2.2.7 for CVE-2018-20843

[Jack Hill]

Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:

> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff 
> /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so 
> /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not 
> referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not 
> referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
>  XmlGetUtf16InternalEncoding
>  XmlGetUtf16InternalEncodingNS
>  XmlGetUtf8InternalEncoding
>  XmlGetUtf8InternalEncodingNS
>  XmlInitEncoding
>  XmlInitEncodingNS
>  XmlInitUnknownEncoding
>  XmlInitUnknownEncodingNS
>  XmlParseXmlDecl
>  XmlParseXmlDeclNS
>  XmlPrologStateInit
>  XmlPrologStateInitExternalEntity
>  XmlSizeOfUnknownEncoding
>  XmlUtf16Encode
>  XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> <https://github.com/libexpat/libexpat/pull/197>.  However, there could
> be packages "in the wild" that uses these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>
> I think it's better to graft a variant with only this patch to be on the
> safe side.  Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package?  :-)

I'll try that as well.

I'll also try to not let my mail client mangle them :)

Best,
Jack