guix-patches

[bug#36424] expat-2.2.7 for CVE-2018-20843


From: Jack Hill
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Thu, 4 Jul 2019 19:49:57 -0400 (EDT)
User-agent: Alpine 2.20 (DEB 67 2015-01-07)

On Tue, 2 Jul 2019, Jack Hill wrote:

>> Apparently these symbols were never supposed to be exported:
>> <https://github.com/libexpat/libexpat/pull/197>.  However, there could
>> be packages "in the wild" that use these symbols and would silently
>> break with the grafted Expat.
>>
>> IIUC the fix for CVE-2018-20843 is this commit:
>> <https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
>>
>> I think it's better to graft a variant with only this patch to be on the
>> safe side.  Can you try that?
>
> Good idea. I didn't think to check. Yes, I can try to do that.
>
>> Could you also submit a second patch that adds GitHub as an additional
>> download location for the regular Expat package?  :-)
>
> I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's proposed solution.

Thanks,
Jack

Attachment: 0001-gnu-expat-Add-additional-source-URI.patch
Description: Text Data

Attachment: 0002-gnu-expat-fix-CVE-2018-20843.patch
Description: Text Data
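The two changes discussed in this thread, shown as an added illustration in Guix package syntax rather than the attached patches themselves: the package definition gains a second download URI on GitHub, and a graft (the `replacement` field) substitutes a variant carrying only the upstream CVE-2018-20843 commit, so dependents keep the unchanged ABI. The module name, the pre-fix version, the source hash and the patch file name are assumptions.

```scheme
;; Added illustration, not the attached patches.  Module name, version,
;; hash and patch file name are placeholders / assumptions.
(define-module (gnu packages xml-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix build-system gnu))

(define-public expat
  (package
    (name "expat")
    (version "2.2.6")                   ; assumed pre-fix version
    (source (origin
              (method url-fetch)
              ;; Second patch: GitHub as an additional download location.
              ;; libexpat tags releases as R_<major>_<minor>_<patch>.
              (uri (list (string-append "mirror://sourceforge/expat/expat/"
                                        version "/expat-" version ".tar.bz2")
                         (string-append
                          "https://github.com/libexpat/libexpat/releases/download/R_"
                          (string-map (lambda (c) (if (char=? c #\.) #\_ c))
                                      version)
                          "/expat-" version ".tar.bz2")))
              ;; Placeholder; a real definition carries the tarball's hash.
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000"))))
    ;; Graft: packages built against expat receive expat/fixed at build
    ;; time without a full rebuild of everything that depends on it.
    (replacement expat/fixed)
    (build-system gnu-build-system)
    (home-page "https://libexpat.github.io/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is an XML parser library written in C.")
    (license license:expat)))

(define expat/fixed
  (package
    (inherit expat)
    (source (origin
              (inherit (package-source expat))
              ;; Only the upstream fix for CVE-2018-20843 is applied, so the
              ;; grafted library exports the same symbols as the original and
              ;; packages "in the wild" using the later-removed symbols keep
              ;; working.  Patch file name is an assumption.
              (patches (search-patches "expat-CVE-2018-20843.patch"))))))
```

Because a graft rewrites store references in place, the replacement must keep the same name and version as the package it replaces, which `inherit` guarantees here.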
