View Issue Details Jump to Notes ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0016095CMakeCMakepublic2016-05-05 12:362016-06-10 14:21
ReporterSebastian Pipping 
Assigned ToBrad King 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product VersionCMake 3.5.2 
Target VersionCMake 3.6Fixed in VersionCMake 3.6 
Summary0016095: Latest CMake bundles insecure copy of Expat
DescriptionI found that even recent CMake bundles a copy of libexpat in folder "Utilities/cmexpat" [1] that is 12 years old (version 1.95.2 [2]) and has known security issues. Due to the auto-detection of Expat at [3], I do not worry about users of Linux or OS X too much. How about Windows?

Please consider resolving the bundled copy or update to the latest release of Expat. Thank you!

Best, Sebastian


[1] https://github.com/Kitware/CMake/tree/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat [^]
[2] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/Utilities/cmexpat/expat.h#L732 [^]
[3] https://github.com/Kitware/CMake/blob/1d4ab06a7045edf366c689ba5e29bbc35d08718e/CMakeLists.txt#L417 [^]
TagsNo tags attached.
Attached Files

 Relationships

  Notes
(0041031)
Sean McBride (reporter)
2016-05-05 14:25

Last I checked, VTK and ITK also have this antique version, see also:
http://www.vtk.org/Bug/view.php?id=5471 [^]
(0041032)
Sebastian Pipping (reporter)
2016-05-05 14:30

Interesting. Let's keep this ticket about CMake. I would be interested to hear about more like these or anything Expat at firstname@lastname.org, though. Best.
(0041033)
Brad King (manager)
2016-05-06 08:26

Thanks for pointing this out. I've updated it to the latest Expat upstream 'master' as of yesterday:

 Merge topic 'update-expat'
 https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=058b22cd [^]

The topic also includes a script to make it easy to update again in the future.
(0041034)
Sebastian Pipping (reporter)
2016-05-06 09:26

Excellent, thank you!
(0041135)
Sebastian Pipping (reporter)
2016-06-04 11:14

Please re-sync, there have security fixes upstream. Thank you!
(0041139)
Brad King (manager)
2016-06-06 09:10

Thanks. Updated:

 Merge branch 'upstream-expat' into update-expat
 https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=182f6458 [^]

I've queued the change for merge to 'release' for inclusion in 3.6.0-rc2.
(0041156)
Kitware Robot (administrator)
2016-06-10 14:21

This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page.

 Issue History
Date Modified Username Field Change
2016-05-05 12:36 Sebastian Pipping New Issue
2016-05-05 14:25 Sean McBride Note Added: 0041031
2016-05-05 14:30 Sebastian Pipping Note Added: 0041032
2016-05-06 08:26 Brad King Note Added: 0041033
2016-05-06 08:26 Brad King Assigned To => Brad King
2016-05-06 08:26 Brad King Status new => resolved
2016-05-06 08:26 Brad King Resolution open => fixed
2016-05-06 08:26 Brad King Fixed in Version => CMake 3.6
2016-05-06 08:26 Brad King Target Version => CMake 3.6
2016-05-06 09:26 Sebastian Pipping Note Added: 0041034
2016-06-04 11:14 Sebastian Pipping Note Added: 0041135
2016-06-04 11:14 Sebastian Pipping Status resolved => feedback
2016-06-04 11:14 Sebastian Pipping Resolution fixed => reopened
2016-06-06 09:10 Brad King Note Added: 0041139
2016-06-06 09:10 Brad King Status feedback => resolved
2016-06-06 09:10 Brad King Resolution reopened => fixed
2016-06-10 14:21 Kitware Robot Note Added: 0041156
2016-06-10 14:21 Kitware Robot Status resolved => closed


Copyright © 2000 - 2018 MantisBT Team