Marius,

Thanks for looking at this.

On Sun, 30 Jun 2019, Marius Bakke wrote:
> I tried running `abidiff` (from libabigail) on the new and old Expat:
>
> $ abidiff /gnu/store/79a7p4fjh564czghfzfm1yn8b3r42rbi-expat-2.2.6/lib/libexpat.so /gnu/store/khy5yzn5fgipsfvcchqyhkg56d68wd2k-expat-2.2.7/lib/libexpat.so
> Functions changes summary: 0 Removed, 0 Changed, 0 Added function
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> Function symbols changes summary: 15 Removed, 0 Added function symbols not referenced by debug info
> Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
>
> 15 Removed function symbols not referenced by debug info:
>
>   XmlGetUtf16InternalEncoding
>   XmlGetUtf16InternalEncodingNS
>   XmlGetUtf8InternalEncoding
>   XmlGetUtf8InternalEncodingNS
>   XmlInitEncoding
>   XmlInitEncodingNS
>   XmlInitUnknownEncoding
>   XmlInitUnknownEncodingNS
>   XmlParseXmlDecl
>   XmlParseXmlDeclNS
>   XmlPrologStateInit
>   XmlPrologStateInitExternalEntity
>   XmlSizeOfUnknownEncoding
>   XmlUtf16Encode
>   XmlUtf8Encode
>
> Apparently these symbols were never supposed to be exported:
> . However, there could
> be packages "in the wild" that use these symbols and would silently
> break with the grafted Expat.
>
> IIUC the fix for CVE-2018-20843 is this commit:
> .
>
> I think it's better to graft a variant with only this patch to be on the
> safe side. Can you try that?

Good idea. I didn't think to check. Yes, I can try to do that.

> Could you also submit a second patch that adds GitHub as an additional
> download location for the regular Expat package? :-)

I'll try that as well. I'll also try to not let my mail client mangle them :)

Best,
Jack
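
The compatibility concern discussed in this thread, as an added example that is not part of either message: given the text of `nm -D` runs on the old library, the replacement library, and each dependent binary, it reports which dependents import a symbol the replacement no longer exports. The nm output, addresses and the dependent names `app-a` and `app-b` are constructed for illustration.

```python
# Added example (not from the thread). All nm output below is constructed.

def parse_nm(text):
    """Split `nm -D` output into (defined, undefined) symbol-name sets."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                      # "<address> <type> <name>"
            defined.add(parts[2].split("@")[0])  # drop any @VERSION suffix
        elif len(parts) == 2 and parts[0] in ("U", "w", "v"):
            undefined.add(parts[1].split("@")[0])  # "<type> <name>", no address
    return defined, undefined

def removed_exports(old_nm, new_nm):
    """Symbols the old library exported that the replacement does not."""
    return parse_nm(old_nm)[0] - parse_nm(new_nm)[0]

def broken_dependents(removed, dependents):
    """Map each dependent to the removed symbols it still imports."""
    hits = {}
    for name, nm_text in dependents.items():
        missing = sorted(parse_nm(nm_text)[1] & removed)
        if missing:
            hits[name] = missing
    return hits

# Constructed sample: two of the symbols named in the abidiff report.
OLD_LIB_NM = """\
0000000000009a10 T XML_ParserCreate
000000000001c2f0 T XmlInitEncoding
000000000001d440 T XmlUtf8Encode
"""
NEW_LIB_NM = """\
0000000000009b40 T XML_ParserCreate
"""
# Hypothetical dependents; app-b relies on a symbol that was never public API.
DEPENDENTS = {
    "app-a": "                 U XML_ParserCreate\n                 w __gmon_start__\n",
    "app-b": "                 U XML_ParserCreate\n                 U XmlUtf8Encode\n",
}

if __name__ == "__main__":
    removed = removed_exports(OLD_LIB_NM, NEW_LIB_NM)
    for dep, syms in broken_dependents(removed, DEPENDENTS).items():
        print(f"{dep}: imports removed symbol(s) {', '.join(syms)}")
```

On real files the inputs would come from `nm -D --defined-only` on each library and `nm -D --undefined-only` on each dependent.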