GNU bug report logs - #36424
expat-2.2.7 for CVE-2018-20843

Previous Next

Package: guix-patches;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Fri, 28 Jun 2019 19:57:02 UTC

Severity: normal

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jack Hill <jackhill <at> jackhill.us>
To: 36424 <at> debbugs.gnu.org
Subject: [bug#36424] gnu: expat: Replace with 2.2.7 [security fixes]
Date: Fri, 28 Jun 2019 15:57:58 -0400 (EDT)

[Message part 1 (text/plain, inline)]
From 6db23c61704686016a57fb9557240dd83a79bea6 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill <at> jackhill.us>
Date: Fri, 28 Jun 2019 15:47:35 -0400

This fixes CVE-2018-20843.

* gnu/packages/xml.scm (expat)[replacement]: New field.
(expat-2.2.7): New public variable.
---
 gnu/packages/xml.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index fc60758724..1be2a58d2e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -20,6 +20,7 @@
 ;;; Copyright © 2017 Petter <petter <at> mykolab.ch>
 ;;; Copyright © 2017 Stefan Reichör <stefan <at> xsteve.at>
 ;;; Copyright © 2018 Pierre Neidhardt <mail <at> ambrevar.xyz>
+;;; Copyright © 2019 Jack Hill <jackhill <at> jackhill.us>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -65,6 +66,7 @@
 (define-public expat
   (package
     (name "expat")
+    (replacement expat-2.2.7)
     (version "2.2.6")
     (source (origin
              (method url-fetch)
@@ -82,6 +84,21 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))

+(define-public expat-2.2.7
+  (let ((dot->underscore (lambda (c) (if (equal? #\. c) #\_ c))))
+    (package
+      (inherit expat)
+      (version "2.2.7")
+      (source
+       (origin
+         (method url-fetch)
+         (uri (string-append "https://github.com/libexpat/libexpat/releases/download/R_"
+                             (string-map dot->underscore version)
+                             "/expat-" version ".tar.xz"))
+         (sha256
+          (base32
+           "1y5yax6bq8p9xk49zqkd62pxk8bq266wrgbrqgaxp3wsrw5g9qrh")))))))
+
 (define-public libebml
   (package
     (name "libebml")
-- 
2.22.0
This bug report was last modified 5 years and 318 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.