Vulnerable Version of xml2js Used in MLIR Manifest File (Again) [42410039]

Fixed

Bug

Status Update

No update yet.

Description

[Deleted User]

created issue #1

Jun 6, 2023 06:32PM

Note: this was reported

https://crbug.com/llvm/43 (

https://bugs.chromium.org/p/llvm/issues/detail?id=43#c1) but the incorrect file was fixed and the issue was closed before I could respond.

In mlir/utils/vscode/package-lock.json, there is a dependency on xml2js:

"xml2js": "^0.4.23"

This version of xml2js has recently had a CVE filed against it (

https://nvd.nist.gov/vuln/detail/CVE-2023-0842).

This version of xml2js should be bumped up to a version without CVEs to minimize disruptions to partners who redistribute LLVM source code. According to our scan tools, the earliest fixed version is 0.5.0.

P. S. I was told to report this issue to this channel by Andrew Kaylor.

Comments

di...@andric.com <di...@andric.com> #2Jun 6, 2023 09:44PM

Can you provide the below requested information to better understand the issue:

Can you please test with latest library and update result here.

https://developer.android.com/topic/libraries/support-library/revisions.html

If possible please provide a complete sample application.

Expected output
What do you expect to occur?

Current output
What do you see instead?

[Deleted User] <[Deleted User]> #3Jun 22, 2023 04:27PM

This seems to be intended according to

https://issuetracker.google.com/74278849, the suggestion is to remove the extra logic to deliverResult() in onStartLoading().

di...@andric.com <di...@andric.com> #4Jun 22, 2023 06:46PM

Marked as fixed, reassigned to di...@andric.com.

@gg..@google.com
Sample project is attached.

Steps to test:
1. Import, build and install apk
2. Notice "Number of 'onLoadFinished' calls: 1"
3. Click "Click me!" button to start Second Activity
4. Notice "Number of 'onLoadFinished' calls: 2"

EXPECTED: At stap 4 "Number of 'onLoadFinished' calls" should be 1.
ACTUAL: It's 2.

@ha...@gmail.com
That's not the solution because developers are not in control of all Loaders. For example CursorLoader from support libaray should be then fixed by google, not by developers.
And this is behavior change which is not documented, so suggestion on issuetracker is not good enough.

is...@google.com <is...@google.com> #5Jun 22, 2023 06:46PM

We have shared this with our engineering team and will update this issue with more information as it becomes available.

Issue 42410039

Description

Issue summary

Comments

di...@andric.com <di...@andric.com> #2Jun 6, 2023 09:44PM

[Deleted User] <[Deleted User]> #3Jun 22, 2023 04:27PM

di...@andric.com <di...@andric.com> #4Jun 22, 2023 06:46PM

is...@google.com <is...@google.com> #5Jun 22, 2023 06:46PM

Add comment

Issue metadata