newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
being applied to, so if you are interested or a user of those packages, please
finish the work; otherwise, well, CVE-2021-3420 will probably remain unfixed.

The versions of newlib are too old and too specific for it to be
maintainable security-wise, especially considering upstream does not seem to
maintain older versions at all. I don't think GNU Guix should take that role,
but of course the people who depend on these packages can ensure they are good
enough for themselves, otherwise contribute changes.

Léo Le Bouter (1):
  gnu: newlib: Fix CVE-2021-3420.

 gnu/local.mk | 1 +
 gnu/packages/embedded.scm | 6 +-
 .../patches/newlib-CVE-2021-3420.patch | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch