Python uses a bundled expat

Done
Submitted by Marius Bakke.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Severity
important
Marius Bakke wrote on 6 Oct 2018 16:58
(address . bug-guix@gnu.org)
87o9c7i0l6.fsf@fastmail.com
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.
Ludovic Courtès wrote on 8 Oct 2018 15:27
control message for bug #32957
(address . control@debbugs.gnu.org)
87efd0zhzj.fsf@gnu.org
tags 32957 security
Ludovic Courtès wrote on 8 Oct 2018 15:27
(address . control@debbugs.gnu.org)
87d0skzhzd.fsf@gnu.org
severity 32957 important
Leo Famulari wrote on 10 Oct 2018 21:27
Re: bug#32957: Python uses a bundled expat
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32957@debbugs.gnu.org)
20181010192714.GC22832@jasmine.lan
On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:
https://packages.debian.org/stretch/python3.5-minimal
We should look into the difference between the bundled Expat and
upstream Expat.
Marius Bakke wrote on 23 Mar 2019 23:34
(name . Leo Famulari)(address . leo@famulari.name)(address . 32957-done@debbugs.gnu.org)
874l7t1aqt.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:
> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat. We needed this patch:
https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.
Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
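A way to verify, from inside a running interpreter, whether pyexpat is dynamically linked against a shared libexpat (the outcome this report asks for) or still carries its own copy. This is an added example, not code from the thread or from the Guix commit; it assumes a Linux ELF build (other formats are reported as having no dependencies), and elf_needed and expat_report are names chosen here.

```python
import struct
import sys
import pyexpat

ELF_MAGIC = b"\x7fELF"
DT_NULL, DT_NEEDED, SHT_DYNAMIC = 0, 1, 6

def elf_needed(path):
    """DT_NEEDED (shared-library) names of an ELF file; [] for non-ELF input."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != ELF_MAGIC:
        return []
    is64 = data[4] == 2                  # EI_CLASS: 2 = 64-bit
    e = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:                             # e_shoff, e_shentsize, e_shnum
        shoff = struct.unpack_from(e + "Q", data, 40)[0]
        shentsize, shnum = struct.unpack_from(e + "HH", data, 58)
        sh_fmt, dyn_fmt = e + "IIQQQQIIQQ", e + "qQ"
    else:
        shoff = struct.unpack_from(e + "I", data, 32)[0]
        shentsize, shnum = struct.unpack_from(e + "HH", data, 46)
        sh_fmt, dyn_fmt = e + "IIIIIIIIII", e + "iI"
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:         # sh_type
            continue
        strtab = sections[sh[6]][4]      # sh_link -> .dynstr; take its sh_offset
        off, end = sh[4], sh[4] + sh[5]  # sh_offset, sh_size of .dynamic
        while off < end:
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            off += struct.calcsize(dyn_fmt)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:         # val = offset of the name in .dynstr
                nul = data.index(b"\0", strtab + val)
                needed.append(data[strtab + val:nul].decode())
    return needed

def expat_report():
    """Which Expat does this interpreter's XML parser come from?  A pyexpat
    built into the interpreter has no __file__, so the binary itself is read."""
    path = getattr(pyexpat, "__file__", None) or sys.executable
    needed = elf_needed(path)
    return {"expat_version": pyexpat.EXPAT_VERSION,   # e.g. "expat_2.5.0"
            "inspected": path, "needed": needed,
            "uses_shared_libexpat": any(n.startswith("libexpat") for n in needed)}
```

A build that still uses the bundled copy shows no libexpat entry in "needed", so its EXPAT_VERSION will not move when the distribution's expat package is upgraded.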
Closed
This issue is archived.

To comment on this conversation send email to 32957@debbugs.gnu.org