Subject: [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
From: ludo@gnu.org (Ludovic Courtès)
Date: Thu, 21 Dec 2017 11:15:46 +0100
To: Leo Famulari
Cc: 29797@debbugs.gnu.org
Message-ID: <87bmis8jzh.fsf@gnu.org>
In-Reply-To: <05090ab6990a05b6e1a3d3ae30999b6df2e666e2.1513840757.git.leo@famulari.name> (Leo Famulari's message of "Thu, 21 Dec 2017 02:19:17 -0500")

Leo Famulari skribis:

> This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
>
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.
> * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome platform).")
> (define-public libxslt
> (package
> (name "libxslt")
> + (replacement libxslt/fixed)
> (version "1.1.29")
> (source (origin
> (method url-fetch)
> @@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome platform).")
> (sha256
> (base32
> "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
> + ;; XXX Oops, a redefinition of the patches field, which means the
> + ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
> + ;; libxslt-fixed below.
> (patches (search-patches "libxslt-generated-ids.patch"))))

Oops, indeed! You can remove the unused ‘patches’ line while you’re at it.

> (build-system gnu-build-system)
> (home-page "http://xmlsoft.org/XSLT/index.html")
> @@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
> based on libxml for XML parsing, tree manipulation and XPath support.")
> (license license:x11)))
>
> +(define libxslt/fixed
> + (package
> + (inherit libxslt)
> + (source (origin
> + (inherit (package-source libxslt))
> + (patches (search-patches "libxslt-CVE-2016-4738.patch"
> + "libxslt-CVE-2017-5029.patch"
> + "libxslt-generated-ids.patch"))))))

LGTM, thanks!

Ludo’.
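Review bot: in the `@@ -188,6 +188,7 @@` hunk, `(replacement libxslt/fixed)` carries no comment saying why a graft is used or which CVEs it covers; since `replacement` is what makes this a graft (the fixed build is swapped in for the original without rebuilding libxslt's dependents), a one-line comment such as `;; Grafted for CVE-2016-4738 and CVE-2017-5029.` above the field would tell the next maintainer when the graft can be dropped and the patches moved into `libxslt` itself. Referring to `libxslt/fixed` before its definition further down the file is fine, because the `replacement` field is evaluated lazily.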
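Review bot: in the `@@ -197,6 +198,9 @@` hunk, the added comment names `libxslt-fixed`, but the variable defined below is `libxslt/fixed`; more importantly, an XXX comment is the wrong fix for the shadowed `patches` field it describes. Since the graft is what carries the CVE patches (changing the base `libxslt` origin would rebuild every dependent), the shadowed, never-applied `patches` field should simply be deleted so the `origin` has exactly one `patches` list; that leaves `libxslt-generated-ids.patch` as the base package's only patch, keeps its derivation unchanged, and makes the three comment lines unnecessary.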
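Review bot: in the `@@ -210,6 +214,15 @@` hunk, patches are applied in the order listed, so `libxslt-CVE-2017-5029.patch` must apply on top of `libxslt-CVE-2016-4738.patch` and before `libxslt-generated-ids.patch`; the new patch file is not shown in this excerpt, so please confirm that `guix build libxslt` (which applies the graft by default) succeeds and that the patch's header cites the upstream commit it was taken from, so the CVE-2017-5029 fix stays traceable. Inheriting `(package-source libxslt)` keeps the tarball's `sha256` as is, which is correct because only the patch list changes, and using plain `define` rather than `define-public` for `libxslt/fixed` is the right choice, since nothing should refer to the fixed variant directly.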