GNU bug report logs

#32957 Python uses a bundled expat


Report forwarded to bug-guix@gnu.org:
bug#32957; Package guix. (Sat, 06 Oct 2018 14:59:02 GMT)


Acknowledgement sent to Marius Bakke <mbakke@fastmail.com>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sat, 06 Oct 2018 14:59:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Marius Bakke <mbakke@fastmail.com>
To: bug-guix@gnu.org
Subject: Python uses a bundled expat
Date: Sat, 06 Oct 2018 16:58:13 +0200
[Message part 1 (text/plain, inline)]
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Mon, 08 Oct 2018 13:28:01 GMT)


Severity set to 'important' from 'normal'. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Mon, 08 Oct 2018 13:28:02 GMT)


Information forwarded to bug-guix@gnu.org:
bug#32957; Package guix. (Wed, 10 Oct 2018 19:28:02 GMT)


Message #12 received at 32957@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Cc: 32957@debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Wed, 10 Oct 2018 15:27:14 -0400
[Message part 1 (text/plain, inline)]
On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
> 
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:

https://packages.debian.org/stretch/python3.5-minimal

We should look into the difference between the bundled Expat and
upstream Expat.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Marius Bakke <mbakke@fastmail.com>:
You have taken responsibility. (Sat, 23 Mar 2019 22:35:02 GMT)


Notification sent to Marius Bakke <mbakke@fastmail.com>:
bug acknowledged by developer. (Sat, 23 Mar 2019 22:35:02 GMT)


Message #17 received at 32957-done@debbugs.gnu.org:

From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 32957-done@debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100
[Message part 1 (text/plain, inline)]
Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>> 
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff>.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
[signature.asc (application/pgp-signature, inline)]
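Whichever way a distribution wires this up, the check a practitioner wants afterwards is whether a given interpreter's pyexpat actually resolves Expat from a shared system library (and therefore receives the distribution's libexpat security updates) or still carries its own copy. The following is an added example, not code from this bug thread, from Guix or from CPython: it reads the DT_NEEDED entries of the pyexpat extension module (or of the interpreter binary, when pyexpat is compiled in) by parsing the ELF section headers in pure Python, so it needs no ldd. It assumes a Linux/ELF build; on anything else it reports "unknown" rather than guessing.

```python
"""Check whether this CPython's pyexpat resolves Expat from a system shared
library or carries a bundled copy (added example; not Guix or CPython code)."""
import struct
import sys

SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED = 0, 1


def elf_needed(path):
    """Return the DT_NEEDED library names of the ELF file at `path`, or None if
    the file is not ELF or has no section header table (e.g. stripped)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 0x28)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        shdr_fmt = end + "IIQQQQIIQQ"        # name type flags addr offset size link info align entsize
        dyn_fmt = end + "qQ"                 # Elf64_Dyn: d_tag, d_val
    else:
        shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        shdr_fmt = end + "IIIIIIIIII"
        dyn_fmt = end + "iI"                 # Elf32_Dyn
    if shoff == 0 or shnum == 0:
        return None
    sections = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]             # sh_link points at the matching .dynstr
        str_off, str_size = strtab[4], strtab[5]
        step = struct.calcsize(dyn_fmt)
        for off in range(sh[4], sh[4] + sh[5], step):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                raw = data[str_off + val:str_off + str_size]
                needed.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return needed


def expat_linkage():
    """Classify this interpreter's Expat: 'system' if the pyexpat object (or the
    interpreter binary, when pyexpat is compiled in) declares a DT_NEEDED on
    libexpat.so, 'bundled' if it is ELF and declares none, 'unknown' otherwise."""
    import pyexpat
    module_file = getattr(pyexpat, "__file__", None)   # None when built into python itself
    target = module_file or sys.executable
    needed = elf_needed(target)
    if needed is None:
        verdict = "unknown"
    elif any(n.startswith("libexpat.so") for n in needed):
        verdict = "system"
    elif module_file is None and any(n.startswith("libpython") for n in needed):
        # pyexpat then lives inside libpython*.so, whose own DT_NEEDED we did not walk
        verdict = "unknown"
    else:
        verdict = "bundled"
    return {
        "object": target,
        "expat_version": pyexpat.EXPAT_VERSION,   # e.g. "expat_2.4.7": whatever your build carries
        "version_info": pyexpat.version_info,     # (major, minor, micro)
        "needed": needed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in expat_linkage().items():
        print(f"{key}: {value}")
```

A "bundled" verdict means the Expat version shown is frozen at whatever the Python source tree shipped, and a libexpat fix installed by the distribution will not reach XML parsing done through `xml.parsers.expat`, `xml.etree` or `xml.dom.minidom`; CPython's own configure option for linking the shared library is `--with-system-expat`, which is what this check observes the result of.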

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Sun, 21 Apr 2019 11:24:04 GMT)




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 05:31:02 2024; Machine Name: wallace-server
