Debian looking to backport parser changes for CVE-2021-37714 #1627
Hello,

Thank you for your work on jsoup. However, since we have CVE-2021-37714 (which is fixed in the latest release), I'd like to backport the fixes to older releases (in Debian). To do that, I need to know the relevant commits that are sufficient to be backported for fixing the mentioned CVEs. On a quick look, it wasn't clear which ones they are; could you please point me to them? TIA! \o/

Comments

Hi,

Personally, I am quite wary of the idea of trying to backport these changes to the old version of jsoup that Debian publishes. There have been many changes to the parser and related classes since that release, and I don't know how cleanly the patches will apply, and whether that could then still be considered a 1.10.x version. It would be some hybrid fork between 1.10 and 1.14.2 and is in my view likely to behave differently (including creating different parse trees) than any published version of jsoup. My strong recommendation is that users upgrade to 1.14.2, and get into a position to stay up to date with the current version.

Here are the details on the changes. I believe that I included the "Fuzz" label on each issue, which links to the relevant commit:

Closed issues with Fuzz label: https://github.com/jhy/jsoup/issues?q=label%3Afuzz+is%3Aclosed

You would need to pick up at least the changes in the parser from 1.14.1 and 1.14.2. Given that Debian is running such an old fork of jsoup (1.10.2, from Jan 2017) there are probably other changes in the parser and related interacting classes that will be required.

Take a look at these files:

Specific tests:

Let me know if I can help detail out anything else!

Hello @jhy, Thanks a bunch for your detailed reply! 🎉

Aha, I see! (more below)

We'll indeed move to 1.14.2 in the newer releases of Debian; however, upgrading to the latest version in the older releases (buster, stretch, jessie) isn't really a viable option, I am afraid. :(

Oh wow, that is an awful lot! Are these all, more or less, affiliated with CVE-2021-37714?

Hah, I was also looking forward to backporting this to v1.8.1. But now as I see it, that's a bit too ambitious, I guess? Is it even possible to go back so far w/o causing regressions, et al.?

Thank you so much! 🎉

Yes.

The logical structure of the parser is pretty similar between 1.8 and 1.10, so I'm not sure how much of a bigger piece of work it would be. (The parser structure changed largely in 1.6.) The object layout of the nodes package changed in 1.12, which I expect you would need to accommodate.

While you're in there, maybe you could fix the build so that the test results are not just ignored? Seeing that made me lose a lot of trust in Debian's QC practices.

(Closing, but please feel free to reopen if there are any more Qs or discussion points. Thanks!)

Thank you, @jhy. I'll try to ping the person to update the Debian package in the -devel release and might as well open the bug to do that. Thanks for your help; I shall let you know if we want more information! \o/