From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Fri, 10 Jun 2016 14:59:49 +0200
Message-ID: <87bn3919oa.fsf@gnu.org>
References: <20160608101016.GA20565@debian-netbook> <20160609164317.GA5540@jasmine> <20160609231935.GA14894@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49495) by lists.gnu.org with esmtp (Exim 4.71) id 1bBM2X-0004Qx-5H for guix-devel@gnu.org; Fri, 10 Jun 2016 08:59:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) id 1bBM2S-0007kG-UD for guix-devel@gnu.org; Fri, 10 Jun 2016 08:59:56 -0400
In-Reply-To: <20160609231935.GA14894@jasmine> (Leo Famulari's message of "Thu, 9 Jun 2016 19:19:35 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>>
>> I looked at the expat Git repo and the original fix for CVE-2015-1283
>> was part of 2.1.1. The improvement to the fix must be backported. I will
>> take the upstream commit that applies the improvement.
>
> We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
> sent for review for the master branch).
>
> We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
> fix for CVE-2015-1283. The Debian "re-fix" patch had some context
> (comments) that did not exist in the upstream 2.1.1 release.
>
> And as before, we patch for CVE-2016-0718.
>
> It's not possible for me to test this on core-updates (too much to build).
> On master, I made a new expat-2.1.1 package that inherited from expat
> and built that with the patches.
>
> The merge will probably be messy...

We should leave it to you, to minimize breakage.

> Off-topic: A regular package and a grafted package on master, and an
> updated version of the package on core-updates... this is getting very
> complicated and we should try our best to avoid such tangled situations
> in the future.

Do you think it would help to delay such upgrades in ‘core-updates’ until the time when ‘core-updates’ is getting ready for merge?

> From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Tue, 7 Jun 2016 20:26:41 -0400
> Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
>  CVE-2016-5300.
>
> * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
> changes.
> * gnu/packages/xml.scm (expat)[source]: Use patches.

LGTM, thank you!

Ludo’.