From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
  gnu/packages/xml.scm | 17 +++++++++++++++++
  1 file changed, 17 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..1be2a58d2e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
  ;;; Copyright © 2017 Petter <petter@mykolab.ch>
  ;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
  ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2019 Jack Hill <jackhill@jackhill.us>
  ;;;
  ;;; This file is part of GNU Guix.
  ;;;
@@ -65,6 +66,7 @@
  (define-public expat
    (package
      (name "expat")
+    (replacement expat-2.2.7)
      (version "2.2.6")
      (source (origin
               (method url-fetch)
@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for
  things the parser might find in the XML document (like start tags).")
      (license license:expat)))

+(define-public expat-2.2.7
+  (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+    (package
+      (inherit expat)
+      (version "2.2.7")
+      (source
+       (origin
+         (method url-fetch)
+         (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_"
+                             (string-map dot->underscore version)
+                             "/expat-" version ".tar.xz"))
+         (sha256
+          (base32
+           "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh")))))))
+
  (define-public libebml
    (package
      (name "libebml")
-- 
2.22.0