View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0016095 | CMake | CMake | public | 2016-05-05 12:36 | 2016-06-10 14:21 | ||||
Reporter | Sebastian Pipping | ||||||||
Assigned To | Brad King | ||||||||
Priority | normal | Severity | major | Reproducibility | always | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | CMake 3.5.2 | ||||||||
Target Version | CMake 3.6 | Fixed in Version | CMake 3.6 | ||||||
Summary | 0016095: Latest CMake bundles insecure copy of Expat | ||||||||
Description | I found that even recent CMake bundles a copy of libexpat in folder "Utilities/cmexpat" [1] that is 12 years old (version 1.95.2 [2]) and has known security issues. Due to the auto-detection of Expat at [3], I do not worry about users of Linux or OS X too much. How about Windows? Please consider resolving the bundled copy or update to the latest release of Expat. Thank you! Best, Sebastian
[1] https://github.com/Kitware/CMake/tree/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat
[2] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat/expat.h#L732
[3] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/CMakeLists.txt#L417
Tags | No tags attached. | ||||||||
Notes | |
(0041031) Sean McBride (reporter) 2016-05-05 14:25 |
Last I checked, VTK and ITK also have this antique version, see also: http://www.vtk.org/Bug/view.php?id=5471 |
(0041032) Sebastian Pipping (reporter) 2016-05-05 14:30 |
Interesting. Let's keep this ticket about CMake. I would be interested to hear about more like these or anything Expat at firstname@lastname.org, though. Best. |
(0041033) Brad King (manager) 2016-05-06 08:26 |
Thanks for pointing this out. I've updated it to the latest Expat upstream 'master' as of yesterday: Merge topic 'update-expat' https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=058b22cd The topic also includes a script to make it easy to update again in the future. |
(0041034) Sebastian Pipping (reporter) 2016-05-06 09:26 |
Excellent, thank you! |
(0041135) Sebastian Pipping (reporter) 2016-06-04 11:14 |
Please re-sync, there have been security fixes upstream. Thank you! |
(0041139) Brad King (manager) 2016-06-06 09:10 |
Thanks. Updated: Merge branch 'upstream-expat' into update-expat https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=182f6458 I've queued the change for merge to 'release' for inclusion in 3.6.0-rc2. |
(0041156) Kitware Robot (administrator) 2016-06-10 14:21 |
This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page. |
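An added example, not part of the original ticket or of CMake's own code: a scanner that finds vendored `expat.h` copies in a source tree and reads the version from the `XML_MAJOR_VERSION` / `XML_MINOR_VERSION` / `XML_MICRO_VERSION` macros, which is how the 1.95.2 copy in "Utilities/cmexpat" can be identified. The function names, the constructed sample header and the `(2, 0, 0)` floor are assumptions for illustration; supply the minimum version your own advisory review requires.

```python
import os
import re
import tempfile

# Expat's public header defines its version as three integer macros.
_MACRO = re.compile(r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.M)


def expat_header_version(text):
    """Return (major, minor, micro) parsed from expat.h text, or None."""
    found = {name: int(num) for name, num in _MACRO.findall(text)}
    if set(found) != {"MAJOR", "MINOR", "MICRO"}:
        return None  # not an Expat header, or the macros live elsewhere
    return (found["MAJOR"], found["MINOR"], found["MICRO"])


def find_bundled_expat(root, minimum):
    """Walk root and list (path, version, is_outdated) for each expat.h found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "expat.h":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = expat_header_version(fh.read())
            # An unreadable version is flagged too, so it gets a manual look.
            outdated = version is None or version < minimum
            results.append((os.path.relpath(path, root), version, outdated))
    return sorted(results)


def demo():
    """Build a constructed tree mimicking Utilities/cmexpat and scan it."""
    header = ("#define XML_MAJOR_VERSION 1\n"
              "#define XML_MINOR_VERSION 95\n"
              "#define XML_MICRO_VERSION 2\n")  # constructed sample input
    with tempfile.TemporaryDirectory() as root:
        vendored = os.path.join(root, "Utilities", "cmexpat")
        os.makedirs(vendored)
        with open(os.path.join(vendored, "expat.h"), "w", encoding="utf-8") as fh:
            fh.write(header)
        # (2, 0, 0) is a placeholder floor, not a claim about which release is safe.
        return find_bundled_expat(root, minimum=(2, 0, 0))


if __name__ == "__main__":
    for path, version, outdated in demo():
        print(path, version, "OUTDATED" if outdated else "ok")
```

A header version only shows what was vendored; whether that copy is compiled in still depends on the build's system-library detection, as the description notes for Linux and OS X versus Windows.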
Issue History | |||
Date Modified | Username | Field | Change |
2016-05-05 12:36 | Sebastian Pipping | New Issue | |
2016-05-05 14:25 | Sean McBride | Note Added: 0041031 | |
2016-05-05 14:30 | Sebastian Pipping | Note Added: 0041032 | |
2016-05-06 08:26 | Brad King | Note Added: 0041033 | |
2016-05-06 08:26 | Brad King | Assigned To | => Brad King |
2016-05-06 08:26 | Brad King | Status | new => resolved |
2016-05-06 08:26 | Brad King | Resolution | open => fixed |
2016-05-06 08:26 | Brad King | Fixed in Version | => CMake 3.6 |
2016-05-06 08:26 | Brad King | Target Version | => CMake 3.6 |
2016-05-06 09:26 | Sebastian Pipping | Note Added: 0041034 | |
2016-06-04 11:14 | Sebastian Pipping | Note Added: 0041135 | |
2016-06-04 11:14 | Sebastian Pipping | Status | resolved => feedback |
2016-06-04 11:14 | Sebastian Pipping | Resolution | fixed => reopened |
2016-06-06 09:10 | Brad King | Note Added: 0041139 | |
2016-06-06 09:10 | Brad King | Status | feedback => resolved |
2016-06-06 09:10 | Brad King | Resolution | reopened => fixed |
2016-06-10 14:21 | Kitware Robot | Note Added: 0041156 | |
2016-06-10 14:21 | Kitware Robot | Status | resolved => closed |