On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> 
> * gnu/packages/flex.scm (flex)[replacement]: New field.
> (flex/fixed): New variable.
> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

As Mark pointed out on #guix, bugs in flex's generated code can not be
addressed with a graft. Also, the upstream tarballs that we build from
often contain code generated by flex.