Python uses a bundled expat

Status
Done
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Marius Bakke
Severity
important
Marius Bakke wrote on 6 Oct 2018 16:58
(address . bug-guix@gnu.org)
87o9c7i0l6.fsf@fastmail.com
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.

Ludovic Courtès wrote on 8 Oct 2018 15:27
control message for bug #32957
(address . control@debbugs.gnu.org)
87efd0zhzj.fsf@gnu.org
tags 32957 security
Ludovic Courtès wrote on 8 Oct 2018 15:27
(address . control@debbugs.gnu.org)
87d0skzhzd.fsf@gnu.org
severity 32957 important
Leo Famulari wrote on 10 Oct 2018 21:27
Re: bug#32957: Python uses a bundled expat
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32957@debbugs.gnu.org)
20181010192714.GC22832@jasmine.lan
On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:


We should look into the difference between the bundled Expat and
upstream Expat.

Marius Bakke wrote on 23 Mar 2019 23:34
(name . Leo Famulari)(address . leo@famulari.name)(address . 32957-done@debbugs.gnu.org)
874l7t1aqt.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat. We needed this patch:

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
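A check a packager can run after a rebuild like the one described in this thread, added here as an example and not code from the thread, Guix or CPython: it inspects the running interpreter's pyexpat object with `ldd` (assumed to be a Linux host with `ldd` on PATH) and decides whether Expat is a shared system dependency or compiled in from `Modules/`. The parser is exercised offline on constructed `ldd` output with placeholder store paths.

```python
import shutil
import subprocess
import sys

import pyexpat

# Constructed ldd output (placeholder store paths) for a pyexpat module
# built against the system Expat: libexpat appears as a needed library.
SAMPLE_SYSTEM_EXPAT = """\
\tlinux-vdso.so.1 (0x00007ffc1a3f0000)
\tlibexpat.so.1 => /gnu/store/placeholder-expat-2.2.6/lib/libexpat.so.1 (0x00007f3a2c000000)
\tlibc.so.6 => /gnu/store/placeholder-glibc-2.28/lib/libc.so.6 (0x00007f3a2ba00000)
"""

# Constructed ldd output for a module with Expat compiled in from
# Modules/expat: no libexpat line at all, so a libexpat fix never reaches it.
SAMPLE_BUNDLED_EXPAT = """\
\tlinux-vdso.so.1 (0x00007ffc1a3f0000)
\tlibc.so.6 => /gnu/store/placeholder-glibc-2.28/lib/libc.so.6 (0x00007f3a2ba00000)
"""


def links_system_expat(ldd_output: str) -> bool:
    """True if ldd lists a shared libexpat dependency (even as 'not found')."""
    for line in ldd_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("libexpat.so"):
            return True
    return False


def check_running_interpreter() -> dict:
    """Inspect this interpreter's pyexpat; 'system_expat' is None without ldd."""
    # Extension module path, or the interpreter itself if pyexpat is built in.
    path = getattr(pyexpat, "__file__", None) or sys.executable
    result = {
        "object": path,
        "expat_version": pyexpat.version_info,  # Expat the module was built with
        "system_expat": None,
    }
    if shutil.which("ldd"):
        proc = subprocess.run(["ldd", path], capture_output=True, text=True)
        result["system_expat"] = links_system_expat(proc.stdout)
    return result
```

Compare `expat_version` with the libexpat package the distribution ships: a mismatch with `system_expat` false is the bundled-copy situation this bug describes.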
