Leo Famulari <l...@famulari.name> wrote:

> On Thu, Jun 09, 2016 at 12:43:17PM -0400, Leo Famulari wrote:
>> On Wed, Jun 08, 2016 at 01:10:16PM +0300, Efraim Flashner wrote:
>> > FWIW Debian's expat-2.1.1(-3) still has the CVE-2015-1283 applied.
>>
>> I looked at the expat Git repo and the original fix for CVE-2015-1283
>> was part of 2.1.1. The improvement to the fix must be backported. I will
>> take the upstream commit that applies the improvement.
>
> We adopt Debian's patch for CVE-2012-6702 and CVE-2016-5300 (already
> sent for review for the master branch).
>
> We also adapt the CVE-2015-1283 "re-fix" patch to apply to upstream's
> fix for CVE-2015-1283. The Debian "re-fix" patch had some context
> (comments) that did not exist in the upstream 2.1.1 release.
>
> And as before, we patch for CVE-2016-0718.
>
> It's not possible for me to test this on core-updates (too much to build).
> On master, I made a new expat-2.1.1 package that inherited from expat
> and built that with the patches.
>
> The merge will probably be messy...

We should leave it to you, to minimize breakage.

> Off-topic: A regular package and a grafted package on master, and an
> updated version of the package on core-updates... this is getting very
> complicated and we should try our best to avoid such tangled situations
> in the future.

Do you think it would help to delay such upgrades in ‘core-updates’ until
the time when ‘core-updates’ is getting ready for merge?

> From a4a3a09b40c5f98b2c2a3d15458ab086ce867c3d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <l...@famulari.name>
> Date: Tue, 7 Jun 2016 20:26:41 -0400
> Subject: [v2 1/2] gnu: expat: Fix CVE-2012-6702, CVE-2016-0718, and
>  CVE-2016-5300.
>
> * gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/patches/expat-CVE-2015-1283-refix.patch: Adapt to upstream
> changes.
> * gnu/packages/xml.scm (expat)[source]: Use patches.

LGTM, thank you!

Ludo’.