GNU bug report logs - #32957
Python uses a bundled expat


Package: guix;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 6 Oct 2018 14:59:01 UTC

Severity: important

Tags: security

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#32957; Package guix. (Sat, 06 Oct 2018 14:59:02 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 06 Oct 2018 14:59:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: bug-guix <at> gnu.org
Subject: Python uses a bundled expat
Date: Sat, 06 Oct 2018 16:58:13 +0200
Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 08 Oct 2018 13:28:01 GMT)

Severity set to 'important' from 'normal'. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 08 Oct 2018 13:28:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#32957; Package guix. (Wed, 10 Oct 2018 19:28:02 GMT)

Message #12 received at 32957 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 32957 <at> debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Wed, 10 Oct 2018 15:27:14 -0400
On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
> 
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:

https://packages.debian.org/stretch/python3.5-minimal

We should look into the difference between the bundled Expat and
upstream Expat.

Reply sent to Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility. (Sat, 23 Mar 2019 22:35:02 GMT)

Notification sent to Marius Bakke <mbakke <at> fastmail.com>:
bug acknowledged by developer. (Sat, 23 Mar 2019 22:35:02 GMT)

Message #17 received at 32957-done <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 32957-done <at> debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>> 
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/setup-modules.diff>.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
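A quick way to see which Expat an installed Python actually runs, added here as an example (it is not code from this thread, from Guix or from Debian): a bundled build compiles Expat straight into the pyexpat extension, while a build patched to use the distribution's Expat maps a separate libexpat shared object into the process. The /proc/self/maps scan is a Linux-specific assumption; on other platforms the check reports "unknown".

```python
"""Report whether this interpreter's pyexpat carries its own Expat copy or
links the system libexpat (added example, not part of the bug report)."""
import os
import pyexpat


def expat_info():
    """Return a dict describing the Expat this interpreter really uses.

    'version' and 'version_info' come from pyexpat itself, so they reflect the
    Expat that was compiled in (bundled under Modules/expat) or linked from
    the system. 'shared_libexpat' is True when a separate libexpat shared
    object is mapped into the process after importing pyexpat; a bundled build
    has no such mapping because Expat lives inside the extension itself.
    The /proc/self/maps scan is Linux-only; elsewhere the value is None.
    """
    info = {
        "version": pyexpat.EXPAT_VERSION,          # e.g. "expat_2.5.0"
        "version_info": tuple(pyexpat.version_info),
        "pyexpat_file": getattr(pyexpat, "__file__", None),
        "shared_libexpat": None,
    }
    maps = "/proc/self/maps"
    if os.path.exists(maps):
        with open(maps) as fh:
            # A system build shows a path such as .../libexpat.so.1 here;
            # the bundled build only shows pyexpat.cpython-*.so.
            info["shared_libexpat"] = any("libexpat" in line for line in fh)
    return info


def classify(info):
    """Turn expat_info() output into a one-line verdict."""
    if info["shared_libexpat"] is None:
        return "unknown (no /proc/self/maps on this platform)"
    if info["shared_libexpat"]:
        return "system libexpat (shared object mapped into the process)"
    return "bundled Expat (compiled into pyexpat, no libexpat.so mapped)"


if __name__ == "__main__":
    data = expat_info()
    print(f"Expat {data['version']} via {data['pyexpat_file']}")
    print(classify(data))
```

When auditing a distribution's Python against an Expat advisory, compare the reported version with the advisory rather than the distribution's libexpat package version, since a bundled copy is patched only when Python itself is rebuilt.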

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 21 Apr 2019 11:24:04 GMT)
