GNU bug report logs - #32957
Python uses a bundled expat


Package: guix

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 6 Oct 2018 14:59:01 UTC

Severity: important

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Subject: bug#32957: closed (Re: bug#32957: Python uses a bundled expat)
Date: Sat, 23 Mar 2019 22:35:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#32957: Python uses a bundled expat

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 32957 <at> debbugs.gnu.org.

-- 
32957: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32957
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 32957-done <at> debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100
[Message part 3 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>> 
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff>.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
[Message part 5 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: bug-guix <at> gnu.org
Subject: Python uses a bundled expat
Date: Sat, 06 Oct 2018 16:58:13 +0200
[Message part 6 (text/plain, inline)]
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.

This bug report was last modified 6 years and 62 days ago.
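
An added example, not part of the thread and not Guix's or Debian's code: a check for whether an interpreter's pyexpat resolves Expat from a shared system library or from the copy bundled under Modules/. It assumes Linux (/proc/self/maps) and CPython's `--with-system-expat` configure option; the function names and the `minimum` version threshold are hypothetical.

```python
import re
import sysconfig


def parse_expat_version(text):
    """Turn pyexpat.EXPAT_VERSION (e.g. 'expat_2.2.6') into (2, 2, 6)."""
    m = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(map(int, m.groups())) if m else None


def mapped_paths(maps_text):
    """File paths from /proc/<pid>/maps content (sixth column, when present)."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].strip())
    return paths


def classify(config_args, maps_text, expat_version, minimum=None):
    """Heuristic: a mapped libexpat.so means Expat was resolved externally."""
    libs = sorted(p for p in mapped_paths(maps_text)
                  if re.search(r"/libexpat\.so(\.\d+)*$", p))
    flag = "--with-system-expat" in (config_args or "")
    if libs:
        origin = "system"
    elif flag or not maps_text:
        origin = "unknown"  # static link, or no /proc to inspect
    else:
        origin = "bundled"
    version = parse_expat_version(expat_version)
    outdated = bool(minimum and version and version < minimum)
    return {"origin": origin, "libs": libs, "version": version,
            "outdated": outdated}


def probe(minimum=None):
    """Inspect the running interpreter; minimum is a caller-chosen version tuple."""
    import pyexpat  # the import makes the dynamic linker load libexpat, if used
    try:
        with open("/proc/self/maps") as fh:
            maps_text = fh.read()
    except OSError:
        maps_text = ""
    return classify(sysconfig.get_config_var("CONFIG_ARGS"), maps_text,
                    pyexpat.EXPAT_VERSION, minimum)


if __name__ == "__main__":
    print(probe())
```

A mapped libexpat.so can also come from an unrelated extension module loaded earlier, so run the check in a fresh interpreter.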
