guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Flex security update: RCE in generated code (CVE-2016-6354)

From: Leo Famulari
Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Sat, 27 Aug 2016 20:54:34 -0400
User-agent: Mutt/1.7.0 (2016-08-17) 
On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> Hello!
> 
> Leo Famulari <address@hidden> skribis:
> 
> > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> >> 
> >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> >> (flex/fixed): New variable.
> >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Add it.
> >
> > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > addressed with a graft.
> 
> Indeed.  We should add this patch to ‘core-updates’ and start building
> it (I haven’t checked the status of the various branches, though.)

Done as eba7fab890.

I'm not sure of the overall health of the branch, but I have built some
packages from it locally on x86_64. So, the base system seems to be
working.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]