[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718)
|
From: |
Leo Famulari |
|
Subject: |
[PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718) |
|
Date: |
Wed, 18 May 2016 12:36:50 -0400 |
I've attached my attempt at fixing CVE-2016-0718 in Expat [0]. The
grafted expat updates to 2.1.1 and applies the patch from [1].
The problem is that, when trying build something that depends on expat,
I seem to have to rebuild *many* things.
Any advice?
By the way, there are some other caveats with this change.
First, I don't yet know the relationship of the patch from oss-sec to
upstream. It's not in their git repo. It might be a squashed
representation of the branch 'cve-2016-0718-fix-2-2-1' that they merged
yesterday [2]. I changed the line endings from DOS to Unix.
Second, I updated the grafted expat to 2.1.1 since the patch did not
apply to 2.1.0. I don't know if 2.1.1 is binary compatible with 2.1.0,
so I don't know if it's even suitable for grafting.
[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
[1]
http://seclists.org/oss-sec/2016/q2/360
[2]
https://sourceforge.net/p/expat/code_git/ci/be4b1c06daba1849b8ff5e00bae5caf47f6c39fd/
Leo Famulari (1):
gnu: expat: Fix CVE-2016-0718.
gnu/local.mk | 1 +
gnu/packages/patches/expat-CVE-2016-0718.patch | 755 +++++++++++++++++++++++++
gnu/packages/xml.scm | 25 +-
3 files changed, 779 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/expat-CVE-2016-0718.patch
--
2.8.2
- [PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718),
Leo Famulari <=