Leo Famulari writes: > On Mon, Jul 24, 2017 at 02:31:44PM -0400, Kei Kebreau wrote: >> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Add it. >> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it. > > Thanks! > >> diff --git >> a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch >> b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch >> new file mode 100644 >> index 000000000..344f2d803 >> --- /dev/null >> +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch >> @@ -0,0 +1,51 @@ >> +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001 >> +From: Pali >> +Date: Sun, 25 Jun 2017 10:07:39 +0200 >> +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close() >> + >> +Ignore return value from mysql_stmt_close() and also its error message >> +because it points to freed memory after mysql_stmt_close() was called. > > Can you add a link to the MITRE page for this CVE (and any other pages > you think are relevant) and to the source of this patch? > Done! FYI, this patch is tentative (i.e. not merged upstream as of yet). It seems to do the right thing, but I'm not quite sure, as I'm not an experienced C programmer, nor am I a user of this package. > Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if > you are unsure. > > There is also CVE-2017-10789. I'm not sure if there is a fix merged > upstream yet: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789 There was a fix that was merged and later reverted in the latest version, 4.043. How does the attached patch look?