guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/3] Expat and libxslt changes for core-updates


From: Ludovic Courtès
Subject: Re: [PATCH 0/3] Expat and libxslt changes for core-updates
Date: Fri, 10 Jun 2016 14:59:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Leo Famulari <address@hidden> skribis:

> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW debian's expat-2.1.1(-3) still has the cve-2015-1283 applied.
>> 
>> I looked at the expat Git repo and the original fix for CVE-2015-1283
>> was part of 2.1.1. The improvement to the fix must be backported. I will
>> take the upstream commit that applies the improvement.
>
> We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
> sent for review for the master branch).
>
> We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
> fix for CVE-2015-1283. The Debian "re-fix" patch had some context
> (comments) that did not exist in the upstream 2.1.1 release.
>
> And as before, we patch for CVE-2016-0718.
>
> It's not possible for me test this on core-updates (too much to build).
> On master, I made a new expat-2.1.1 package that inherited from expat
> and built that with the patches.
>
> The merge will probably be messy...

We should leave it to you, to minimize breakage.

> Off-topic: A regular package and a grafted package on master, and an
> updated version of the package on core-updates... this is getting very
> complicated and we should try our best to avoid such tangled situations
> in the future.

Do you think it would help to delay such upgrades in ‘core-updates’
until the time where ‘core-updates’ is getting ready for merge?

> From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Tue, 7 Jun 2016 20:26:41 -0400
> Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
>  CVE-2016-5300.
>
> * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
> changes.
> * gnu/packages/xml.scm (expat)[source]: Use patches.

LGTM, thank you!

Ludo’.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]