GNU bug report logs - #36424
expat-2.2.7 for CVE-2018-20843

Package: guix-patches

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Fri, 28 Jun 2019 19:57:02 UTC

Severity: normal

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#36424: closed (expat-2.2.7 for CVE-2018-20843)
Date: Thu, 11 Jul 2019 23:01:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Fri, 12 Jul 2019 01:00:32 +0200
with message-id <87ftncmb1r.fsf <at> devup.no>
and subject line Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
has caused the debbugs.gnu.org bug report #36424,
regarding expat-2.2.7 for CVE-2018-20843
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
36424: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=36424
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Jack Hill <jackhill <at> jackhill.us>
To: guix-patches <at> gnu.org
Subject: expat-2.2.7 for CVE-2018-20843
Date: Fri, 28 Jun 2019 15:56:42 -0400 (EDT)
Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which 
fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a 
replacement for expat with expat-2.2.7. I also changed the origin to use 
the GitHub hosted tarball as upstream is moving in that direction.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Best,
Jack


[Message part 3 (message/rfc822, inline)]
From: Marius Bakke <mbakke <at> fastmail.com>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: 36424-done <at> debbugs.gnu.org
Subject: Re: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Fri, 12 Jul 2019 01:00:32 +0200
[Message part 4 (text/plain, inline)]
Jack Hill <jackhill <at> jackhill.us> writes:

> Please find updated patch files attached, that I think take into account 
> Marius's suggestions (thanks Marius!)

Thank you!  I made a tiny tweak to use char=? instead of equal=? for the
character comparison.

Pushed as 5a836ce38c9c29e9c2bd306007347486b90c5064.
[signature.asc (application/pgp-signature, inline)]

This bug report was last modified 5 years and 317 days ago.
