GNU bug report logs - #32957: Python uses a bundled expat
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 6 Oct 2018 14:59:01 UTC
Severity: important
Tags: security
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Message #17 received at 32957-done <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.
Looking at the Debian package did help me figure out how to make it use
system Expat. We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff>.
That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.
Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
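A heuristic check for the condition this report describes, added here as an example (not code from Guix, Debian or CPython): on Linux, after importing `pyexpat`, a shared `libexpat` in the process's own mappings indicates that the interpreter is using an external Expat rather than the copy under Modules/. The function names and the sample mappings are constructed for illustration, and an Expat linked statically from outside the Python tree would still be reported as `bundled-or-static`.

```python
import re

# A shared libexpat as it appears in /proc/<pid>/maps, e.g. /usr/lib/libexpat.so.1.6.8
_LIBEXPAT = re.compile(r"(/\S*libexpat\.so[\w.]*)")


def mapped_libexpat(maps_text):
    """Return the sorted, de-duplicated libexpat shared objects named in maps_text."""
    return sorted({m.group(1) for m in _LIBEXPAT.finditer(maps_text)})


def classify(maps_text):
    """'system' if a shared libexpat is mapped, otherwise 'bundled-or-static'."""
    return "system" if mapped_libexpat(maps_text) else "bundled-or-static"


def check_interpreter():
    """Import pyexpat, then inspect this process's mappings (Linux only)."""
    import pyexpat  # importing forces the dynamic loader to map libexpat if it is needed

    report = {"expat_version": pyexpat.EXPAT_VERSION, "linkage": "unknown", "libs": []}
    try:
        with open("/proc/self/maps") as fh:
            maps_text = fh.read()
    except OSError:
        return report  # no procfs: linkage cannot be determined this way
    report["linkage"] = classify(maps_text)
    report["libs"] = mapped_libexpat(maps_text)
    return report


# Constructed sample mappings (not captured from a real system).
SAMPLE_SYSTEM = (
    "7f10a0000000-7f10a0030000 r-xp 00000000 08:01 131 /usr/lib/libexpat.so.1.6.8\n"
    "7f10a0200000-7f10a0210000 r-xp 00000000 08:01 977 "
    "/usr/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so\n"
)
SAMPLE_BUNDLED = (
    "7f10a0200000-7f10a0240000 r-xp 00000000 08:01 977 "
    "/usr/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so\n"
)

if __name__ == "__main__":
    print(check_interpreter())
```

When the result is `system`, the paths in `libs` show which Expat package has to be kept patched; when it is `bundled-or-static`, Expat fixes only arrive with a rebuilt Python.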
This bug report was last modified 6 years and 116 days ago.