From: Efraim Flashner
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Wed, 8 Jun 2016 13:10:16 +0300
To: Leo Famulari
Cc: guix-devel@gnu.org

On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
>
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
>
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
>
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
>
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=e57df303eca25a2a3f9e0625c29f4b20177858cc
>
> Leo Famulari (3):
>   gnu: expat: Fix CVE-2016-0718.
>   gnu: Remove unused patch.
>   gnu: libxslt: Update to 1.1.29.
>
>  gnu/local.mk                                     |  1 -
>  .../patches/expat-CVE-2015-1283-refix.patch      | 42 --------------
>  gnu/packages/patches/libxslt-CVE-2015-7995.patch | 29 ----------
>  .../patches/libxslt-remove-date-timestamps.patch | 66 ----------------------
>  gnu/packages/xml.scm                             |  9 ++-
>  5 files changed, 4 insertions(+), 143 deletions(-)
>  delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
>  delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
>  delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.patch
>
> --
> 2.8.3
>

FWIW Debian's expat-2.1.1(-3) still has the CVE-2015-1283 applied.

Also, there are 2 new CVEs, CVE-2012-6702 and CVE-2016-5300
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted