[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#36424] expat-2.2.7 for CVE-2018-20843

From: Jack Hill
Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Thu, 4 Jul 2019 19:49:57 -0400 (EDT)
User-agent: Alpine 2.20 (DEB 67 2015-01-07)

On Tue, 2 Jul 2019, Jack Hill wrote:

Apparently these symbols were never supposed to be exported:
<>.  However, there could
be packages "in the wild" that uses these symbols and would silently
break with the grafted Expat.

IIUC the fix for CVE-2018-20843 is this commit:

I think it's better to graft a variant with only this patch to be on the
safe side.  Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package?  :-)

I'll try that as well.

I've prepared the two attached patches that I believe implement Marius's proposed solution.


Attachment: 0001-gnu-expat-Add-additional-source-URI.patch
Description: Text Data

Attachment: 0002-gnu-expat-fix-CVE-2018-20843.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]