GNU bug report logs - #53335
[PATCH] gnu: expat: Add replacement for [security fixes].

Previous Next

Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Tue, 18 Jan 2022 03:10:03 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: bug#53335: closed ([PATCH] gnu: expat: Add replacement for
 [security fixes].)
Date: Wed, 19 Jan 2022 18:16:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#53335: [PATCH] gnu: expat: Add replacement for [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 53335 <at> debbugs.gnu.org.

-- 
53335: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=53335
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 53335-done <at> debbugs.gnu.org
Subject: [PATCH] gnu: expat: Add replacement for [security fixes].
Date: Wed, 19 Jan 2022 19:08:17 +0100

[Message part 3 (text/plain, inline)]
Pushed as 2045852b096131a714409aa0cc4fe17938f60b15.

Kind regards,

T G-R

[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: expat: Add replacement for [security fixes].
Date: Sun, 16 Jan 2022 01:00:04 +0100

Fixes CVE-2021-45960, CVE-2021-46143, and CVE-2022-22822…22827.

* gnu/packages/xml.scm (expat/fixed): New variable.
(expat)[replacement]: Use it.
---
 gnu/packages/xml.scm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b89115a051..771c577618 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -119,6 +119,7 @@ (define-public expat
   (package
     (name "expat")
     (version "2.4.1")
+    (replacement expat/fixed)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
@@ -154,6 +155,23 @@ (define-public expat
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+(define expat/fixed
+  (package
+    (inherit expat)
+    (version "2.4.3")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "12kp4h40cpyqqpjqaldag0xq4ig1ljzpkzy9i2marc7blnqz3ydi")))))))
+
 (define-public libebml
   (package
     (name "libebml")
-- 
2.34.0
This bug report was last modified 3 years and 124 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.