Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
From: Leo Famulari
To: Marius Bakke
Cc: 48612-done@debbugs.gnu.org
Date: Wed, 2 Jun 2021 23:16:29 -0400
List-Id: Bug reports for GNU Guix

On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2