GNU bug report logs - #74199
[PATCH] gnu: zlib: Update to version 1.3.1


Package: guix-patches;

Reported by: Aaron Covrig <aaron.covrig.us <at> ieee.org>

Date: Mon, 4 Nov 2024 02:53:02 UTC

Severity: normal

Tags: moreinfo, patch

To reply to this bug, email your comments to 74199 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#74199; Package guix-patches. (Mon, 04 Nov 2024 02:53:02 GMT)

Acknowledgement sent to Aaron Covrig <aaron.covrig.us <at> ieee.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 04 Nov 2024 02:53:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Aaron Covrig <aaron.covrig.us <at> ieee.org>
To: guix-patches <at> gnu.org
Cc: Aaron Covrig <aaron.covrig.us <at> ieee.org>
Subject: [PATCH] gnu: zlib: Update to version 1.3.1
Date: Sun,  3 Nov 2024 21:48:50 -0500

* gnu/packages/compression.scm (zlib): Update to version 1.3.1
---

The zlib version 1.3.1 update addresses CVE-2023-45853,
see issue: https://github.com/madler/zlib/issues/868

 gnu/packages/compression.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..f39cbca84e 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -112,7 +112,7 @@ (define-module (gnu packages compression)
 (define-public zlib
   (package
     (name "zlib")
-    (version "1.3")
+    (version "1.3.1")
     (source
      (origin
        (method url-fetch)
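Review bot: The in-place change of `(version "1.3")` to "1.3.1" on `zlib` alters what every dependent package is built against, and the reply in this thread counts more than 30000 of them with `guix refresh -l zlib`. Deliver the fix as a graft instead (leave this definition's `version` as it is and point a `replacement` field at a separate 1.3.1 variant), or retarget the patch at core-updates. The CVE-2023-45853 reference also sits below the `---` separator, so it will not be recorded in the commit log; move it into the commit message body.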
@@ -122,7 +122,7 @@ (define-public zlib
                                  version "/zlib-" version ".tar.gz")))
        (sha256
         (base32
-         "0gjrz8p70mgkic7mxjh1vqwws4x8z7hq2fhbackvqg81jb1a82zz"))))
+         "08yzf8xz0q7vxs8mnn74xmpxsrs6wy0aan55lpmpriysvyvv54ws"))))
     (build-system gnu-build-system)
     (outputs '("out" "static"))
     (arguments
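Review bot: Nothing in the submission says how the new `base32` value was obtained, and the tarball path on the context line above it is derived from `version`, so this hash is the only thing pinning which 1.3.1 source gets built. Note in the patch that the tarball was fetched from the URI in this `origin` and checked against upstream's published signature or checksum before the hash was computed; for a package with this many dependents, that provenance should be on record with the change.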

base-commit: 8964dfdb84f7d21dbc89c217ca4f4546a15990af
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74199; Package guix-patches. (Mon, 04 Nov 2024 06:14:01 GMT)

Message #8 received at submit <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Aaron Covrig via Guix-patches via <guix-patches <at> gnu.org>,
 74199 <at> debbugs.gnu.org
Cc: Aaron Covrig <aaron.covrig.us <at> ieee.org>
Subject: Re: [bug#74199] [PATCH] gnu: zlib: Update to version 1.3.1
Date: Mon, 04 Nov 2024 07:13:45 +0100

On 2024-11-03 21:48, Aaron Covrig via Guix-patches via wrote:

> * gnu/packages/compression.scm (zlib): Update to version 1.3.1
> ---
>
> The zlib version 1.3.1 update addresses CVE-2023-45853,
> see issue: https://github.com/madler/zlib/issues/868

Hi Aaron,

This is true, but rebuilding zlib will rebuild more than 30000 packages.
You can see that with  guix refresh -l zlib | cut -d : -f 1 
That's why we can't simply merge a patch like that.  There are two
solutions in this case, to my knowledge: 
- use a graft (see the manual, or packages with a "replacement" field)
- wait for core-updates to pick up this commit

In the meantime, marking this commit as moreinfo, we don't want to
compute the revision for this.

-- 
Best regards,
Nicolas Graves




Information forwarded to guix-patches <at> gnu.org:
bug#74199; Package guix-patches. (Mon, 04 Nov 2024 06:14:02 GMT)

Added tag(s) moreinfo. Request was from Nicolas Graves <ngraves <at> ngraves.fr> to control <at> debbugs.gnu.org. (Mon, 04 Nov 2024 06:19:02 GMT)

Information forwarded to guix-patches <at> gnu.org:
bug#74199; Package guix-patches. (Mon, 04 Nov 2024 13:02:01 GMT)

Message #16 received at submit <at> debbugs.gnu.org:

From: Aaron Covrig <aaron.covrig.us <at> ieee.org>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74199 <at> debbugs.gnu.org,
 Aaron Covrig via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#74199] [PATCH] gnu: zlib: Update to version 1.3.1
Date: Mon, 4 Nov 2024 08:00:23 -0500

Hello Nicolas,

Ok, should I resubmit against ‘core-updates’ or is this automatically done
via the marking for more info?

v/r,

Aaron Covrig

On Mon, Nov 4, 2024 at 01:13 Nicolas Graves <ngraves <at> ngraves.fr> wrote:

> On 2024-11-03 21:48, Aaron Covrig via Guix-patches via wrote:
>
> > * gnu/packages/compression.scm (zlib): Update to version 1.3.1
> > ---
> >
> > The zlib version 1.3.1 update addresses CVE-2023-45853,
> > see issue: https://github.com/madler/zlib/issues/868
>
> Hi Aaron,
>
> This is true, but rebuilding zlib will rebuild more than 30000 packages.
> You can see that with  guix refresh -l zlib | cut -d : -f 1
> That's why we can't simply merge a patch like that.  There are two
> solutions in this case, to my knowledge:
> - use a graft (see the manual, or packages with a "replacement" field)
> - wait for core-updates to pick up this commit
>
> In the meantime, marking this commit as moreinfo, we don't want to
> compute the revision for this.
>
> --
> Best regards,
> Nicolas Graves
>

Information forwarded to guix-patches <at> gnu.org:
bug#74199; Package guix-patches. (Mon, 04 Nov 2024 13:02:02 GMT)

This bug report was last modified 227 days ago.
