Subject: [bug#53335] [PATCH] gnu: expat: Add replacement for [security fixes].
From: Tobias Geerinckx-Rice via Guix-patches
To: 53335@debbugs.gnu.org
Date: Sun, 16 Jan 2022 01:00:04 +0100
Message-Id: <20220116000004.2398-1-me@tobias.gr>

Fixes CVE-2021-45960, CVE-2021-46143, and CVE-2022-22822…22827.

* gnu/packages/xml.scm (expat/fixed): New variable.
(expat)[replacement]: Use it.

--- gnu/packages/xml.scm | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index b89115a051..771c577618 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -119,6 +119,7 @@ (define-public expat (package (name "expat") (version "2.4.1") + (replacement expat/fixed) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -154,6 +155,23 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) +(define expat/fixed + (package + (inherit expat) + (version "2.4.3") + (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.xz") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (sha256 + (base32 + "12kp4h40cpyqqpjqaldag0xq4ig1ljzpkzy9i2marc7blnqz3ydi"))))))) + (define-public libebml (package (name "libebml") -- 2.34.0
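
Review bot: The `(replacement expat/fixed)` line added in the first hunk (`@@ -119,6 +119,7 @@`) points at a package with a different upstream version, 2.4.1 to 2.4.3, rather than 2.4.1 with patches applied. A replacement is grafted under dependents that were built against the original, so the commit message, or a comment next to the field, should state that 2.4.3 was checked to be ABI-compatible with 2.4.1.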
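
Review bot: `expat/fixed` in the second hunk (`@@ -154,6 +155,23 @@`) has no comment saying why it exists; the CVE list appears only in the commit message. A one-line comment above `(define expat/fixed` naming CVE-2021-45960, CVE-2021-46143 and CVE-2022-22822…22827 would tell whoever next updates `expat` what the replacement covers and when it can be dropped. The `source` form, including the `dot->underscore` helper, is copied from `expat`; if the copy is there so that the URLs pick up the new `version`, a short comment saying so would explain the duplication.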