From mboxrd@z Thu Jan  1 00:00:00 1970
From: Efraim Flashner <efraim@flashner.co.il>
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Wed, 8 Jun 2016 13:10:16 +0300
Message-ID: <20160608101016.GA20565@debian-netbook>
References: <cover.1465347219.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="zYM0uCDKw75PZbzx"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43601)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1bAaRT-0001Ym-9M
	for guix-devel@gnu.org; Wed, 08 Jun 2016 06:10:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1bAaRP-0006fU-36
	for guix-devel@gnu.org; Wed, 08 Jun 2016 06:10:31 -0400
Received: from flashner.co.il ([178.62.234.194]:50162)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1bAaRO-0006eO-O9
	for guix-devel@gnu.org; Wed, 08 Jun 2016 06:10:27 -0400
Content-Disposition: inline
In-Reply-To: <cover.1465347219.git.leo@famulari.name>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org


--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 07, 2016 at 08:54:05PM -0400, Leo Famulari wrote:
> It was not that simple to make these changes for core-updates, so I'm
> sending the patches for review.
>=20
> For expat, I "re-fix" a bug that was fixed on master already. This
> bug-fix is actually reachable from the HEAD of core-updates, but for
> some reason doesn't exist at HEAD. According to MITRE the bug does
> affect all currently released versions of expat:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-0718
>=20
> I noticed a "left-over" patch for a bug that is apparently fixed in the
> version of expat on core-updates (2.1.1), so it is deleted:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-1283
>=20
> For libxslt, I update to the latest version and remove patches that are
> no longer needed. The timestamp issue was addressed upstream [0] and the
> bug has been fixed in this version. These patches were strangely no
> longer listed in 'gnu/local.mk'.
>=20
> [0]
> https://git.gnome.org/browse/libxslt/commit/?id=3De57df303eca25a2a3f9e062=
5c29f4b20177858cc
>=20
> Leo Famulari (3):
>   gnu: expat: Fix CVE-2016-0718.
>   gnu: Remove unused patch.
>   gnu: libxslt: Update to 1.1.29.
>=20
>  gnu/local.mk                                       |  1 -
>  .../patches/expat-CVE-2015-1283-refix.patch        | 42 --------------
>  gnu/packages/patches/libxslt-CVE-2015-7995.patch   | 29 ----------
>  .../patches/libxslt-remove-date-timestamps.patch   | 66 ----------------=
------
>  gnu/packages/xml.scm                               |  9 ++-
>  5 files changed, 4 insertions(+), 143 deletions(-)
>  delete mode 100644 gnu/packages/patches/expat-CVE-2015-1283-refix.patch
>  delete mode 100644 gnu/packages/patches/libxslt-CVE-2015-7995.patch
>  delete mode 100644 gnu/packages/patches/libxslt-remove-date-timestamps.p=
atch
>=20
> --=20
> 2.8.3
>=20

FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied. Also,
there's 2 new cves, cve-2012-6702 and cve-2016-5300
https://www.debian.org/security/2016/dsa-3597
https://sources.debian.net/src/expat/2.1.1-3/debian/patches/

--=20
Efraim Flashner   <efraim@flashner.co.il>   =D7=90=D7=A4=D7=A8=D7=99=D7=9D =
=D7=A4=D7=9C=D7=A9=D7=A0=D7=A8
GPG key =3D A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--zYM0uCDKw75PZbzx
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXV+8EAAoJEPTB05F+rO6Tn6sQAJsNK5WDkk9oWhj8DeektudE
QP3JFTz4Sp/FtMzxSnZm+Qwyzy4rq8NRfuUiFwixZIEDSCIU+rxsBzIy0JDp0LKl
jvqR2Xn+2+gXEJd4GJYf/ow9coXsrpwhDvdhXEC/x3hbjf7w6i2JxWiyA+0FS3Iy
ixcQdHW25kHwTKWlHAUEgKT9nYhNongBS8H/dh3egFyyvhi3UyOcrKcrc1z6BXFU
6sj/UasjLSsTyn11YGsnhTCNzzofX0yC3xm4DmBUAKy1bRL9dP0+HsphSr+ALc0u
246dzTVkHoirIqk7iEWIT7z2RGLqht06Y6pKdraaJfycYPu2gbuXaod9Ga3HFy7b
j+VTR099CduTCI5porS4FOm6//0FGWGnqulNHlT0TvmRYctgPF43qBUAUZOCD3ng
2CXKeLtwn+D25XepNQFEhs7CBM5shDeVS/JZW17JYTfg7+e9474zD9VaK0gAsFmU
w+ZNsYepEOQJ7RJflRA65q3BJPKfIOCXhIglDkdcBEcn0XfvUop4yeQZJJTKonlk
etSFK6NjqHmENJf/fjIB3Z2uVUVCRUc8nC2fwYes8lJU7DVxOt7c8RAYDahsWAtV
JMemtq3avL1vS0pgCNRUSJApxzMlhlPl0fwbSPxGLOXseTVLtW0O04UzqZtLE9br
8WkGZUZMjKwmIIzBqoKV
=ZIt/
-----END PGP SIGNATURE-----

--zYM0uCDKw75PZbzx--