From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Sun, 28 Aug 2016 12:41:49 +0300 [thread overview]
Message-ID: <20160828094149.GJ26988@macbook42.flashner.co.il> (raw)
In-Reply-To: <20160828005434.GA31891@jasmine>
[-- Attachment #1: Type: text/plain, Size: 1542 bytes --]
On Sat, Aug 27, 2016 at 08:54:34PM -0400, Leo Famulari wrote:
> On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> > Hello!
> >
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> > >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> > >>
> > >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> > >> (flex/fixed): New variable.
> > >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> > >> * gnu/local.mk (dist_patch_DATA): Add it.
> > >
> > > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > > addressed with a graft.
> >
> > Indeed. We should add this patch to ‘core-updates’ and start building
> > it (I haven’t checked the status of the various branches, though.)
>
> Done as eba7fab890.
>
> I'm not sure of the overall health of the branch, but I have built some
> packages from it locally on x86_64. So, the base system seems to be
> working.
>
I somehow managed to push a lot to the branch, and currently cmake is
broken, both the "old" version and the "new" version I pushed. They are
broken in the same way, so (based on nothing at all) I assume its
related to the file update.
Also, gcc-4.9.4 causes the same breakage on arm as 5.3.0 did.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
prev parent reply other threads:[~2016-08-28 9:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 22:14 Flex security update: RCE in generated code (CVE-2016-6354) Leo Famulari
2016-08-26 22:49 ` Leo Famulari
2016-08-27 21:48 ` Ludovic Courtès
2016-08-28 0:54 ` Leo Famulari
2016-08-28 9:41 ` Efraim Flashner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160828094149.GJ26988@macbook42.flashner.co.il \
--to=efraim@flashner.co.il \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).