[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix
From: |
Ludovic Courtès |
Subject: |
[bug#29797] [PATCH] gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738. |
Date: |
Thu, 21 Dec 2017 11:15:46 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> This is a followup to commit 2663c38826cd6c2ef0c5119f8072fac8e89b2e9b.
>
> * gnu/packages/xml.scm (libxslt)[replacement]: New field.
> (libxslt/fixed): New variable.
> * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
[...]
> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -188,6 +188,7 @@ project (but it is usable outside of the Gnome
> platform).")
> (define-public libxslt
> (package
> (name "libxslt")
> + (replacement libxslt/fixed)
> (version "1.1.29")
> (source (origin
> (method url-fetch)
> @@ -197,6 +198,9 @@ project (but it is usable outside of the Gnome
> platform).")
> (sha256
> (base32
> "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
> + ;; XXX Oops, a redefinition of the patches field, which means
> the
> + ;; patch for CVE-2016-4738 is not used. Fixed in the definition
> of
> + ;; libxslt-fixed below.
> (patches (search-patches "libxslt-generated-ids.patch"))))
Oops, indeed! You can remove the unused ‘patches’ line while you’re at it.
> (build-system gnu-build-system)
> (home-page "http://xmlsoft.org/XSLT/index.html")
> @@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome
> platform).")
> based on libxml for XML parsing, tree manipulation and XPath support.")
> (license license:x11)))
>
> +(define libxslt/fixed
> + (package
> + (inherit libxslt)
> + (source (origin
> + (inherit (package-source libxslt))
> + (patches (search-patches "libxslt-CVE-2016-4738.patch"
> + "libxslt-CVE-2017-5029.patch"
> + "libxslt-generated-ids.patch"))))))
LGTM, thanks!
Ludo’.