Re: Expat 2.2.7 with security fixes has been released / CVE-2018-20843

[Marius Bakke]

Sebastian,

Thank you very much for reaching out downstream!

Sebastian Pipping <address@hidden> writes:

> Hi Jack,
>
>
> On 12.07.19 01:17, Jack Hill wrote:
>> I'm pleased to let you know that we've applied the fix for
>> CVE-2018-20843 in GNU Guix as of
>> 5a836ce38c9c29e9c2bd306007347486b90c5064 [0]. We elected to backport the
>> patch that fixed the problem instead of upgrading due to a change in the
>> expat abi with 2.2.7 [1].
>> 
>> Many thanks to Marius Bakke for advice and patience while reviewing the
>> patches.
>> 
>> [0]
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=5a836ce38c9c29e9c2bd306007347486b90c5064
>> 
>> [1] https://issues.guix.gnu.org/issue/36424#2
>
> thanks for the update on that matter!
>
> Regarding the removed API symbols, those were never part of the public
> API so whoever used them needed to have copied prototypes for those into
> his own code base and be aware that using internal API is asking for
> trouble — the opposite of something to rely on.  They made that choice,
> it should be their cost.
>
> openSuse started using -fvisibility=hidden with their expat package way
> before Expat itself and they seem fine.  I discussed with senior Linux
> distro developers how hiding those symbols should affect Expat's .so
> versioning, if it should be an incompatible bump or not.  There was no
> demand for doing an incompatible bump because all related symbols were
> never exposed by headers.

Right, I was probably overly cautious here.  Because we already had
Expat 2.2.7 on a different branch-in-progress, I went with the path of
least surprise in order to get the security fix to users while we work
on merging it.

> If you don't upgrade to 2.2.7, are you going to backport all bugfixes to
> 2.2.6 from now on?  I maintain a few distro packages myself and I would
> consider that a big pain point and waste of time.
> I know of at least to parties how went with modifying a fork in the past
> and they are not in a good place with their fork regarding effort,
> bugfix, and security.  Please don't add to that list, just please don't :-)
>
> Is there anything I can do to make you reconsider?
>
> Is there something that I can do upstream in the Expat code base to
> smooth your path to Expat 2.2.8/2.3.0?

As Jack explains, we cannot update Expat directly because it would force
a rebuild of 7719 packages, due to the functional nature of Guix.
Instead we use a special mechanism called "grafting"[0] to quickly
deliver security updates to users, which replaces references to the
vulnerable Expat with a fixed version.

[0] https://www.gnu.org/software/guix/manual/en/guix.html#Security-Updates

As long as the ABIs are compatible, this mechanism works well.  But the
grafting operation is fairly expensive and happens on end-user systems,
so we do not do it without a good reason.

I don't think there is much you can do other than continue to write good
change logs.

Thanks, and sorry for the misunderstanding!

signature.asc
Description: PGP signature