From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Wed, 10 Jul 2019 16:54:12 -0400 (EDT)
From: Jack Hill
In-Reply-To: <87tvc0qedh.fsf@devup.no>
References: <87o92fv0u1.fsf@devup.no> <87tvc0qedh.fsf@devup.no>
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="925712948-1990263252-1562792053=:17508"
Sender: "Guix-patches"
To: Marius Bakke
Cc: 36424@debbugs.gnu.org

--925712948-1990263252-1562792053=:17508
Content-Type: text/plain; format=flowed; charset=US-ASCII

Please find updated patch files attached, that I think take into account Marius's suggestions (thanks Marius!)

Best,
Jack

P.S. I'm afraid, I'm still struggling with alpine inserting carriage returns in the attachments.

--925712948-1990263252-1562792053=:17508
Content-Type: text/x-diff; name=0001-gnu-expat-Add-additional-source-URI.patch
Content-Disposition: attachment; filename=0001-gnu-expat-Add-additional-source-URI.patch

--925712948-1990263252-1562792053=:17508
Content-Type: text/x-diff; name=0002-gnu-expat-fix-CVE-2018-20843.patch
Content-Disposition: attachment; filename=0002-gnu-expat-fix-CVE-2018-20843.patch

--925712948-1990263252-1562792053=:17508--