From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: 29797@debbugs.gnu.org
Subject: [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
Date: Thu, 21 Dec 2017 11:15:46 +0100 [thread overview]
Message-ID: <87bmis8jzh.fsf@gnu.org> (raw)
In-Reply-To: <05090ab6990a05b6e1a3d3ae30999b6df2e666e2.1513840757.git.leo@famulari.name> (Leo Famulari's message of "Thu, 21 Dec 2017 02:19:17 -0500")
Leo Famulari <leo@famulari.name> skribis:
> This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
>
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.
> * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
[...]
> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome platform).")
> (define-public libxslt
> (package
> (name "libxslt")
> + (replacement libxslt/fixed)
> (version "1.1.29")
> (source (origin
> (method url-fetch)
> @@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome platform).")
> (sha256
> (base32
> "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
> + ;; XXX Oops, a redefinition of the patches field, which means the
> + ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
> + ;; libxslt-fixed below.
> (patches (search-patches "libxslt-generated-ids.patch"))))
Oops, indeed! You can remove the unused ‘patches’ line while you’re at it.
> (build-system gnu-build-system)
> (home-page "http://xmlsoft.org/XSLT/index.html")
> @@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
> based on libxml for XML parsing, tree manipulation and XPath support.")
> (license license:x11)))
>
> +(define libxslt/fixed
> + (package
> + (inherit libxslt)
> + (source (origin
> + (inherit (package-source libxslt))
> + (patches (search-patches "libxslt-CVE-2016-4738.patch"
> + "libxslt-CVE-2017-5029.patch"
> + "libxslt-generated-ids.patch"))))))
LGTM, thanks!
Ludo’.
next prev parent reply other threads:[~2017-12-21 10:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-21 7:19 [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738 Leo Famulari
2017-12-21 10:15 ` Ludovic Courtès [this message]
2017-12-21 17:30 ` bug#29797: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bmis8jzh.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=29797@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.