From: Leo Famulari
Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Fri, 26 Aug 2016 18:49:59 -0400
Message-ID: <20160826224959.GA8478@jasmine>
In-Reply-To: <20160826221426.GA29432@jasmine>
To: guix-devel@gnu.org

On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>
> * gnu/packages/flex.scm (flex)[replacement]: New field.
> (flex/fixed): New variable.
> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
As Mark pointed out on #guix, bugs in flex's generated code cannot be addressed with a graft. Also, the upstream tarballs that we build from often contain code generated by flex.