From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354) Date: Sat, 27 Aug 2016 20:54:34 -0400 Message-ID: <20160828005434.GA31891@jasmine> References: <20160826221426.GA29432@jasmine> <20160826224959.GA8478@jasmine> <87poot7ujp.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:38279) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bdoNB-0005KU-Oz for guix-devel@gnu.org; Sat, 27 Aug 2016 20:54:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bdoN5-0007JI-QB for guix-devel@gnu.org; Sat, 27 Aug 2016 20:54:52 -0400 Content-Disposition: inline In-Reply-To: <87poot7ujp.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?iso-8859-1?Q?Court=E8s?= Cc: guix-devel@gnu.org On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote: > Hello! > > Leo Famulari skribis: > > > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote: > >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354. > >> > >> * gnu/packages/flex.scm (flex)[replacement]: New field. > >> (flex/fixed): New variable. > >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file. > >> * gnu/local.mk (dist_patch_DATA): Add it. > > > > As Mark pointed out on #guix, bugs in flex's generated code can not be > > addressed with a graft. > > Indeed. We should add this patch to ‘core-updates’ and start building > it (I haven’t checked the status of the various branches, though.) Done as eba7fab890. I'm not sure of the overall health of the branch, but I have built some packages from it locally on x86_64. So, the base system seems to be working.