From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: [PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718)
Date: Wed, 18 May 2016 12:36:50 -0400
Message-ID: <cover.1463589188.git.leo@famulari.name>
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45802)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b34TB-0000uH-0q
	for guix-devel@gnu.org; Wed, 18 May 2016 12:37:14 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b34T5-0000qg-0J
	for guix-devel@gnu.org; Wed, 18 May 2016 12:37:11 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:50111)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b34T3-0000pC-Q8
	for guix-devel@gnu.org; Wed, 18 May 2016 12:37:06 -0400
Received: from jasmine.lan (c-73-188-17-148.hsd1.pa.comcast.net
	[73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id D041BC00020
	for <guix-devel@gnu.org>; Wed, 18 May 2016 12:36:54 -0400 (EDT)
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

I've attached my attempt at fixing CVE-2016-0718 in Expat [0]. The
grafted expat updates to 2.1.1 and applies the patch from [1].

The problem is that, when trying build something that depends on expat,
I seem to have to rebuild *many* things.

Any advice?

By the way, there are some other caveats with this change.

First, I don't yet know the relationship of the patch from oss-sec to
upstream. It's not in their git repo. It might be a squashed
representation of the branch 'cve-2016-0718-fix-2-2-1' that they merged
yesterday [2]. I changed the line endings from DOS to Unix.

Second, I updated the grafted expat to 2.1.1 since the patch did not
apply to 2.1.0. I don't know if 2.1.1 is binary compatible with 2.1.0,
so I don't know if it's even suitable for grafting.

[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

[1]
http://seclists.org/oss-sec/2016/q2/360

[2]
https://sourceforge.net/p/expat/code_git/ci/be4b1c06daba1849b8ff5e00bae5caf47f6c39fd/

Leo Famulari (1):
  gnu: expat: Fix CVE-2016-0718.

 gnu/local.mk                                   |   1 +
 gnu/packages/patches/expat-CVE-2016-0718.patch | 755 +++++++++++++++++++++++++
 gnu/packages/xml.scm                           |  25 +-
 3 files changed, 779 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/expat-CVE-2016-0718.patch

-- 
2.8.2