Léo Le Bouter via Guix-patches via writes:

> newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
> being applied to, so if you are interested or a user of those packages please
> finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.
>
> The versions of newlib are too old and too specific for it to be
> maintainable security-wise, especially considering upstream does not seem to
> maintain older versions at all. I don't think GNU Guix should take that role,
> but of course the people who depend on these packages can ensure they are good
> enough for themselves, otherwise contribute changes.
>
> Léo Le Bouter (1):
>   gnu: newlib: Fix CVE-2021-3420.
>
>  gnu/local.mk                                  |   1 +
>  gnu/packages/embedded.scm                     |   6 +-
>  .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
>  3 files changed, 110 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

Hey,

Looking at [1] and following through the "View comparison" links, it
seems that there's some problems applying the patch added here, I can't
see a case where it's applied successfully.

1: https://patches.guix-patches.cbaines.net/project/guix-patches/patch/20210306050521.11571-1-lle-bout@zaclys.net/

Unfortunately this data is still a bit hidden, but if you click on
"Compare package derivations", get all the results, then find
newlib@3.0.0-0.3ccfb40 and look at the build for x86_64-linux, you
should get to this page [2] and from the "Required failed builds", I'm
guessing the source part of the package build has failed.

2: https://data.guix-patches.cbaines.net/build-server/5/build?build_server_build_id=dd289414-7653-4b63-8b3c-7a55cdf55820

Any ideas? What packages should build with this change?

Thanks,

Chris