On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
> >> 
> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Use it.
> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
> >
> > Thank you for looking into this!
> >
> > Something like this patch is in CHICKEN 4.11.1:
> >
> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
> >
> > And there is a patch for the IrRegex bug after the latest tag:
> >
> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
> >
> > Can you try updating CHICKEN and applying that IrRegex patch?
> 
> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
> binary due to its build system requirements. Do we have any objection to
> bootstrapping CHICKEN 4.11.1 from version 4.11.0?

Interesting!

I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.

Changing the build system like that seems unusual for a minor point
release, and I don't see it documented in the 4.11.1 NEWS file:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3

One way or another, we should fix these bugs in our package. Thanks for
taking care of it :)