MantisBT - CMake
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0016095CMakeCMakepublic2016-05-05 12:362016-06-10 14:21
ReporterSebastian Pipping 
Assigned ToBrad King 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product VersionCMake 3.5.2 
Target VersionCMake 3.6Fixed in VersionCMake 3.6 
Summary0016095: Latest CMake bundles insecure copy of Expat
DescriptionI found that even recent CMake bundles a copy of libexpat in folder "Utilities/cmexpat" [1] that is 12 years old (version 1.95.2 [2]) and has known security issues. Due to the auto-detection of Expat at [3], I do not worry about users of Linux or OS X too much. How about Windows?

Please consider resolving the bundled copy or update to the latest release of Expat. Thank you!

Best, Sebastian


[1] https://github.com/Kitware/CMake/tree/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat [^]
[2] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat/expat.h#L732 [^]
[3] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/CMakeLists.txt#L417 [^]
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2016-05-05 12:36Sebastian PippingNew Issue
2016-05-05 14:25Sean McBrideNote Added: 0041031
2016-05-05 14:30Sebastian PippingNote Added: 0041032
2016-05-06 08:26Brad KingNote Added: 0041033
2016-05-06 08:26Brad KingAssigned To => Brad King
2016-05-06 08:26Brad KingStatusnew => resolved
2016-05-06 08:26Brad KingResolutionopen => fixed
2016-05-06 08:26Brad KingFixed in Version => CMake 3.6
2016-05-06 08:26Brad KingTarget Version => CMake 3.6
2016-05-06 09:26Sebastian PippingNote Added: 0041034
2016-06-04 11:14Sebastian PippingNote Added: 0041135
2016-06-04 11:14Sebastian PippingStatusresolved => feedback
2016-06-04 11:14Sebastian PippingResolutionfixed => reopened
2016-06-06 09:10Brad KingNote Added: 0041139
2016-06-06 09:10Brad KingStatusfeedback => resolved
2016-06-06 09:10Brad KingResolutionreopened => fixed
2016-06-10 14:21Kitware RobotNote Added: 0041156
2016-06-10 14:21Kitware RobotStatusresolved => closed

Notes
(0041031)
Sean McBride   
2016-05-05 14:25   
Last I checked, VTK and ITK also have this antique version, see also:
http://www.vtk.org/Bug/view.php?id=5471 [^]
(0041032)
Sebastian Pipping   
2016-05-05 14:30   
Interesting. Let's keep this ticket about CMake. I would be interested to hear about more like these or anything Expat at firstname@lastname.org, though. Best.
(0041033)
Brad King   
2016-05-06 08:26   
Thanks for pointing this out. I've updated it to the latest Expat upstream 'master' as of yesterday:

 Merge topic 'update-expat'
 https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=058b22cd [^]

The topic also includes a script to make it easy to update again in the future.
(0041034)
Sebastian Pipping   
2016-05-06 09:26   
Excellent, thank you!
(0041135)
Sebastian Pipping   
2016-06-04 11:14   
Please re-sync, there have security fixes upstream. Thank you!
(0041139)
Brad King   
2016-06-06 09:10   
Thanks. Updated:

 Merge branch 'upstream-expat' into update-expat
 https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=182f6458 [^]

I've queued the change for merge to 'release' for inclusion in 3.6.0-rc2.
(0041156)
Kitware Robot   
2016-06-10 14:21   
This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page.