Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Old vulnerable copy of Expat 2.1.0 bundled at ./external/expat/? #18

Closed
hartwork opened this issue May 23, 2021 · 7 comments · Fixed by #19
Closed

Old vulnerable copy of Expat 2.1.0 bundled at ./external/expat/? #18

hartwork opened this issue May 23, 2021 · 7 comments · Fixed by #19

Comments

@hartwork
Copy link

Expected Behaviour

Use of a version of Expat with all known vulnerabilities fixed, i.e. >=2.4.0, ideally 2.4.1

Actual Behaviour

Use of known vulnerable Expat 2.1.0
@hartwork hartwork mentioned this issue May 23, 2021
Closed
53 tasks
@hartwork
Copy link
Author

hartwork commented Jun 2, 2021

Any thoughts?

@scouten
Copy link
Collaborator

scouten commented Jun 2, 2021

@hartwork thanks for checking in on this again. I'm consulting with the team that builds the underlying C++ XMP Toolkit at Adobe to see if there are any potential compatibility issues and to see if we can share effort on vetting the upgrade. No news to share at the moment, but I'll speak up as soon as I know something.

scouten pushed a commit that referenced this issue Jun 3, 2021
@scouten-adobe
Incorporate libexpat via git submodule and upgrade to version 2.4.1.
b1b04b1 
Closes #18.
@scouten scouten mentioned this issue Jun 3, 2021
Merged
3 tasks
@scouten
Copy link
Collaborator

scouten commented Jun 3, 2021
edited
Loading

@hartwork could you look at the build log for #19 and advise on the "high quality entropy" error? I'm not sufficiently familiar with the innards of expat to know what to adjust. I've fixed this issue.

@scouten scouten mentioned this issue Jun 3, 2021
Closed
@scouten
Copy link
Collaborator

scouten commented Jun 3, 2021

@hartwork please see libexpat/libexpat#497. That is blocking my ability to update.

scouten pushed a commit that referenced this issue Jun 23, 2021
@scouten-adobe
Incorporate libexpat via git submodule and upgrade to version 2.4.1. (#…
7461be8 
…19)

Closes #18.
@hartwork
Copy link
Author

@scouten great to see this fixed, thanks for your work on this topic! 🎉 🙏

@scouten
Copy link
Collaborator

scouten commented Jun 23, 2021

@hartwork no worries. Thank you for bringing it to my attention and staying with me on this. New versioned release coming momentarily.

@scouten
Copy link
Collaborator

scouten commented Jun 23, 2021

The new version of expat is included in version 0.1.8, which is now published to crates.io.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Incorporate libexpat via git submodule and upgrade to version 2.4.1. adobe/xmp-toolkit-rs
2 participants
@scouten @hartwork