[PATCH] gnu: zlib: Update to version 1.3.1

  • Open
Details
2 participants
  • Aaron Covrig
  • Nicolas Graves
Owner
unassigned
Submitted by
Aaron Covrig
Severity
normal
Aaron Covrig wrote on 4 Nov 03:48 +0100
(address . guix-patches@gnu.org)(name . Aaron Covrig)(address . aaron.covrig.us@ieee.org)
20241104025149.1380320-1-aaron.covrig.us@ieee.org
* gnu/packages/compression.scm (zlib): Update to version 1.3.1
---

The zlib version 1.3.1 update addresses CVE-2023-45853,

gnu/packages/compression.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..f39cbca84e 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -112,7 +112,7 @@ (define-module (gnu packages compression)
(define-public zlib
(package
(name "zlib")
- (version "1.3")
+ (version "1.3.1")
(source
(origin
(method url-fetch)
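Review bot: the `(version "1.3.1")` change is made directly on the public `zlib` definition, so every package that depends on zlib is rebuilt; the reply in this thread puts that at more than 30000 packages (`guix refresh -l zlib`). For a CVE fix, consider leaving this definition at 1.3 and delivering 1.3.1 as a graft through a `replacement` field, or retargeting the patch at core-updates, as the reply suggests. The CVE-2023-45853 rationale also sits below the `---` marker, so it will not be recorded in the commit log; move it into the commit message body.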
@@ -122,7 +122,7 @@ (define-public zlib
version "/zlib-" version ".tar.gz")))
(sha256
(base32
- "0gjrz8p70mgkic7mxjh1vqwws4x8z7hq2fhbackvqg81jb1a82zz"))))
+ "08yzf8xz0q7vxs8mnn74xmpxsrs6wy0aan55lpmpriysvyvv54ws"))))
(build-system gnu-build-system)
(outputs '("out" "static"))
(arguments
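Review bot: the new `base32` hash on the `+` line is the only integrity check on the tarball fetched from the URL built with `version "/zlib-" version ".tar.gz"`, and the submission does not say how it was obtained. Please state in the cover text that it was computed from the upstream 1.3.1 release tarball (for example with `guix download` on that URL) after checking the tarball against upstream's published signature or checksum, so a reviewer can reproduce it independently.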

base-commit: 8964dfdb84f7d21dbc89c217ca4f4546a15990af
--
2.46.0
Nicolas Graves wrote on 4 Nov 07:13 +0100
(name . Aaron Covrig)(address . aaron.covrig.us@ieee.org)
87cyjbwmp2.fsf@ngraves.fr
On 2024-11-03 21:48, Aaron Covrig via Guix-patches via wrote:

> * gnu/packages/compression.scm (zlib): Update to version 1.3.1
> ---
>
> The zlib version 1.3.1 update addresses CVE-2023-45853,
> see issue: https://github.com/madler/zlib/issues/868

Hi Aaron,

This is true, but rebuilding zlib will rebuild more than 30000 packages.
You can see that with guix refresh -l zlib | cut -d : -f 1
That's why we can't simply merge a patch like that. There are two
solutions in this case, to my knowledge:
- use a graft (see the manual, or packages with a "replacement" field)
- wait for core-updates to pick up this commit

In the meantime, marking this commit as moreinfo, we don't want to
compute the revision for this.

--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 4 Nov 07:17 +0100
tag 74199 moreinfo
(address . control@debbugs.gnu.org)
878qtzwmi4.fsf@ngraves.fr
tags 74199 + moreinfo
quit

--
Best regards,
Nicolas Graves
Aaron Covrig wrote on 4 Nov 14:00 +0100
Re: [bug#74199] [PATCH] gnu: zlib: Update to version 1.3.1
(name . Nicolas Graves)(address . ngraves@ngraves.fr)
CAK7qAcSKfY+3E1BJWRVoGuWudCcFDy8i0Lhb49Auk0buvp_O7A@mail.gmail.com
Hello Nicolas,

Ok, should I resubmit against ‘core-updates’ or is this automatically done
via the marking for more info?

v/r,

Aaron Covrig

On Mon, Nov 4, 2024 at 01:13 Nicolas Graves <ngraves@ngraves.fr> wrote:

> On 2024-11-03 21:48, Aaron Covrig via Guix-patches via wrote:
>
> > * gnu/packages/compression.scm (zlib): Update to version 1.3.1
> > ---
> >
> > The zlib version 1.3.1 update addresses CVE-2023-45853,
> > see issue: https://github.com/madler/zlib/issues/868
>
> Hi Aaron,
>
> This is true, but rebuilding zlib will rebuild more than 30000 packages.
> You can see that with guix refresh -l zlib | cut -d : -f 1
> That's why we can't simply merge a patch like that. There are two
> solutions in this case, to my knowledge:
> - use a graft (see the manual, or packages with a "replacement" field)
> - wait for core-updates to pick up this commit
>
> In the meantime, marking this commit as moreinfo, we don't want to
> compute the revision for this.
>
> --
> Best regards,
> Nicolas Graves
>

To comment on this conversation send an email to 74199@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 74199
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch