GNU bug report logs - #29797
[PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 21 Dec 2017 07:20:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29797 <at> debbugs.gnu.org
Subject: [bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.
Date: Thu, 21 Dec 2017 11:15:46 +0100

Leo Famulari <leo <at> famulari.name> skribis:

> This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
>
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.
> * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome platform).")
>  (define-public libxslt
>    (package
>      (name "libxslt")
> +    (replacement libxslt/fixed)
>      (version "1.1.29")
>      (source (origin
>               (method url-fetch)
> @@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome platform).")
>               (sha256
>                (base32
>                 "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
> +             ;; XXX Oops, a redefinition of the patches field, which means the
> +             ;; patch for CVE-2016-4738 is not used. Fixed in the definition of
> +             ;; libxslt-fixed below.
>               (patches (search-patches "libxslt-generated-ids.patch"))))

Oops, indeed!  You can remove the unused ‘patches’ line while you’re at it.

>      (build-system gnu-build-system)
>      (home-page "http://xmlsoft.org/XSLT/index.html")
> @@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
>  based on libxml for XML parsing, tree manipulation and XPath support.")
>      (license license:x11)))
>  
> +(define libxslt/fixed
> +  (package
> +    (inherit libxslt)
> +    (source (origin
> +              (inherit (package-source libxslt))
> +              (patches (search-patches "libxslt-CVE-2016-4738.patch"
> +                                       "libxslt-CVE-2017-5029.patch"
> +                                       "libxslt-generated-ids.patch"))))))

LGTM, thanks!

Ludo’.
This bug report was last modified 7 years and 231 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.