GNU bug report logs - #32957
Python uses a bundled expat

Package: guix;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 6 Oct 2018 14:59:01 UTC

Severity: important

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#32957: closed (Python uses a bundled expat)
Date: Sat, 23 Mar 2019 22:35:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sat, 23 Mar 2019 23:34:02 +0100
with message-id <874l7t1aqt.fsf <at> fastmail.com>
and subject line Re: bug#32957: Python uses a bundled expat
has caused the debbugs.gnu.org bug report #32957,
regarding Python uses a bundled expat
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
32957: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32957
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: bug-guix <at> gnu.org
Subject: Python uses a bundled expat
Date: Sat, 06 Oct 2018 16:58:13 +0200
[Message part 3 (text/plain, inline)]
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 32957-done <at> debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100
[Message part 6 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>> 
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff>.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
[signature.asc (application/pgp-signature, inline)]
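
An added example, not part of the bug thread and not Guix's fix: a heuristic check, for ELF systems, of whether the running interpreter's pyexpat module links a shared libexpat or carries the Expat copy bundled in the CPython tree. The soname pattern, the function names and the sample byte strings are assumptions of this example.

```python
"""Heuristic audit: does this interpreter's pyexpat link a shared libexpat,
or does it carry the Expat copy bundled in the CPython source tree?"""
import re
import pyexpat

# Assumption: on ELF systems a module linked against the shared library
# stores its name (for example "libexpat.so.1") as a DT_NEEDED string.
SONAME_RE = re.compile(rb"libexpat\.so(?:\.\d+)*")


def classify(module_bytes):
    """Return (linkage, soname) for the raw bytes of a pyexpat module file.

    None as input means pyexpat has no file of its own (it is compiled
    into the interpreter), so this file-level check cannot decide.
    """
    if module_bytes is None:
        return ("builtin", None)
    match = SONAME_RE.search(module_bytes)
    if match:
        return ("system", match.group().decode("ascii"))
    return ("bundled", None)


def expat_report():
    """Describe the Expat used by the running interpreter."""
    path = getattr(pyexpat, "__file__", None)
    data = None
    if path is not None:
        with open(path, "rb") as fh:
            data = fh.read()
    linkage, soname = classify(data)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,  # format: "expat_X.Y.Z"
        "module_path": path,
        "linkage": linkage,
        "soname": soname,
    }


# Constructed byte strings standing in for two extension module files.
SAMPLE_SYSTEM = b"\x00libexpat.so.1\x00libc.so.6\x00PyInit_pyexpat\x00"
SAMPLE_BUNDLED = b"\x00libc.so.6\x00PyInit_pyexpat\x00XML_ParserCreate\x00"

if __name__ == "__main__":
    print(classify(SAMPLE_SYSTEM))
    print(classify(SAMPLE_BUNDLED))
    for key, value in expat_report().items():
        print(f"{key}: {value}")
```

A "builtin" result means the same scan has to be run on the interpreter binary or libpython instead, since pyexpat has no module file of its own there.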

This bug report was last modified 6 years and 62 days ago.
