Hi Jack,

Jack Hill writes:

> Hi Guix,
>
> Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which
> fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a
> replacement for expat with expat-2.2.7. I also changed the origin to use
> the GitHub hosted tarball as upstream is moving in that direction.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Thank you very much for this patch! It did not apply cleanly on my end;
perhaps it got mangled by your mail user agent?

I tried running `abidiff` (from libabigail) on the new and old Expat:

$ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

15 Removed function symbols not referenced by debug info:

  XmlGetUtf16InternalEncoding
  XmlGetUtf16InternalEncodingNS
  XmlGetUtf8InternalEncoding
  XmlGetUtf8InternalEncodingNS
  XmlInitEncoding
  XmlInitEncodingNS
  XmlInitUnknownEncoding
  XmlInitUnknownEncodingNS
  XmlParseXmlDecl
  XmlParseXmlDeclNS
  XmlPrologStateInit
  XmlPrologStateInitExternalEntity
  XmlSizeOfUnknownEncoding
  XmlUtf16Encode
  XmlUtf8Encode

Apparently these symbols were never supposed to be exported: .

However, there could be packages "in the wild" that use these symbols and
would silently break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit: .

I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)

Thanks in advance,
Marius
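A lightweight version of the check Marius ran with abidiff, added here as an example and not code from the thread or from Guix: it compares the dynamic export tables of an old and a new build of a shared library and fails when the new one drops a symbol, which is exactly what would silently break an already-built dependent under a graft. It assumes GNU binutils' nm(1) is installed; the function names and the sample symbol lists are mine.

```shell
#!/bin/sh
# Added example (not from the thread): export-table comparison for two
# builds of a shared library, to run before declaring the new build a
# graft-safe replacement. Assumes GNU binutils' nm(1).

# Print the names of the defined dynamic symbols of a shared object, one
# per line, with any "@VERSION" suffix stripped so versioned and
# unversioned nm listings compare alike.
exported_symbols() {
    nm -D --defined-only "$1" \
        | awk '$2 ~ /^[TWDBRVui]$/ { print $3 }' \
        | sed 's/@.*//'
}

# Set difference of two files of symbol names. $1 is the comm(1) flag
# (-23: only in the first file, -13: only in the second); the C locale
# keeps sort(1) and comm(1) in agreement about ordering.
symbol_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    LC_ALL=C sort -u "$2" > "$a"
    LC_ALL=C sort -u "$3" > "$b"
    LC_ALL=C comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}
removed_symbols() { symbol_diff -23 "$1" "$2"; }
added_symbols()   { symbol_diff -13 "$1" "$2"; }

# Compare old and new libraries; return 0 only if no export disappeared.
# Added symbols are reported but are harmless for a graft.
check_graft_exports() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    exported_symbols "$1" > "$old_list"
    exported_symbols "$2" > "$new_list"
    added=$(added_symbols "$old_list" "$new_list")
    removed=$(removed_symbols "$old_list" "$new_list")
    rm -f "$old_list" "$new_list"
    if [ -n "$added" ]; then
        printf 'Added exports (harmless for a graft):\n%s\n' "$added"
    fi
    if [ -n "$removed" ]; then
        printf 'REMOVED exports (dependents using them would break):\n%s\n' "$removed"
        return 1
    fi
    echo 'No exported symbols removed.'
}

# Usage: sh check-exports.sh old/lib/libexpat.so new/lib/libexpat.so
if [ $# -eq 2 ]; then
    check_graft_exports "$1" "$2"
fi
```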