On Wed, May 18, 2016 at 12:36:50PM -0400, Leo Famulari wrote:
> I've attached my attempt at fixing CVE-2016-0718 in Expat [0]. The
> grafted expat updates to 2.1.1 and applies the patch from [1].
>
> The problem is that, when trying to build something that depends on expat,
> I seem to have to rebuild *many* things.

Of course this would happen, since I had removed the CVE-2015-1283 patch
from the expat package definition. D'oh.

I've attached an updated patch that seems to work as expected.

This patch uses the CVE-2016-0718 patch from Debian [0], which has the
same diffs but does not require use of (patch-flags).

It also includes an update to the patch for CVE-2015-1283 [1], which
apparently relied on undefined behavior.

Finally, it does not upgrade to 2.1.1. This patch series does apply to
2.1.0.

Your feedback is requested!

[0] Found here while their VCS appears to be offline...
https://packages.debian.org/source/stable/expat

[1] Some mention of it here. Copied from the tarball in [0]
https://www.debian.org/security/2016/dsa-3582
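For readers unfamiliar with why removing a patch from the base package triggered a mass rebuild: in Guix the base package's derivation must stay unchanged, and the security fix is carried only by a `replacement` package that Guix grafts onto existing dependents. The Scheme below is an added illustration of that shape, not the patch attached to this thread; the source hash, patch file names and metadata strings are placeholders, and the CVE patches are assumed to apply at the default `-p1` level so no `patch-flags` override is needed.

```scheme
;; Added illustration of a Guix package carrying CVE fixes as a graft.
;; Not the patch from this thread; hash, patch names and metadata are
;; placeholders.  The base package keeps its original derivation, so
;; dependents are not rebuilt; only the graft is built and substituted.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(define-public expat
  (package
    (name "expat")
    (version "2.1.0")
    ;; Point at the fixed variant; Guix grafts it onto everything that
    ;; depends on this package instead of rebuilding those dependents.
    (replacement expat/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.gz"))
              ;; Placeholder hash: replace with the real tarball hash.
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "http://www.libexpat.org/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Placeholder description for the illustration.")
    (license license:expat)))

;; The graft: same version, same tarball, plus the security patches.
;; Both patches are assumed to be plain -p1 patches, so the origin's
;; default patch-flags ("-p1") apply and no (patch-flags ...) field is
;; needed, which is the point made about the Debian patch above.
(define expat/fixed
  (package
    (inherit expat)
    (source
     (origin
       (inherit (package-source expat))
       ;; Placeholder patch file names looked up in the Guix patch directory.
       (patches (search-patches "expat-CVE-2015-1283.patch"
                                "expat-CVE-2016-0718.patch"))))))
```

Because `expat/fixed` inherits the original `origin` and only adds `patches`, the two packages differ solely in the patched source; that is the condition under which a graft is valid, and dropping a patch from the base `expat` instead of from the graft is exactly the change that forces the wide rebuild described in the quoted message.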