From patchwork Tue May 20 02:58:16 2025
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 42764
Subject: [bug#78337] [PATCH v2 6/6] gnu: expat: Update to 2.7.1.
From: Maxim Cournoyer
Date: Tue, 20 May 2025 11:58:16 +0900
To: 78337@debbugs.gnu.org
Cc: Zheng Junjie, Maxim Cournoyer
Message-ID: <5b99b0aa419d655e4c376aef28b57f228f761cf5.1747709896.git.maxim.cournoyer@gmail.com>
In-Reply-To: <62f70621a69a09b7195dca52741ed454bec9b3d7.1747709896.git.maxim.cournoyer@gmail.com>
References: <62f70621a69a09b7195dca52741ed454bec9b3d7.1747709896.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.49.0

From: Zheng Junjie

* gnu/packages/xml.scm (expat): Update to 2.7.1.
(expat/fixed): Remove it.
* gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it.
* gnu/local.mk (dist_patch_DATA): Unregister them.

Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944
Signed-off-by: Maxim Cournoyer
---
 gnu/local.mk                                   |  3 --
 .../patches/expat-CVE-2024-45490.patch         | 34 -------------------
 .../patches/expat-CVE-2024-45491.patch         | 34 -------------------
 .../patches/expat-CVE-2024-45492.patch         | 33 ------------------
 gnu/packages/xml.scm                           | 16 ++-------
 5 files changed, 2 insertions(+), 118 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch
diff --git a/gnu/local.mk b/gnu/local.mk index d561d5ea5d..c9b70349ce 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1256,9 +1256,6 @@ dist_patch_DATA = \ %D%/packages/patches/esmini-use-pkgconfig.patch \ %D%/packages/patches/esmtp-add-lesmtp.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/expat-CVE-2024-45490.patch \ - %D%/packages/patches/expat-CVE-2024-45491.patch \ - %D%/packages/patches/expat-CVE-2024-45492.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fail2ban-paths-guix-conf.patch \ diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch b/gnu/packages/patches/expat-CVE-2024-45490.patch deleted file mode 100644 index f876e78651..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45490.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch -Fixed in 2.6.3. -Takes only 1 of the 3 patches from -https://github.com/libexpat/libexpat/pull/890 to take the fix and not the -tests because that part doesn't apply cleanly. - -From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:26:07 +0200 -Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer - -Reported by TaiYou - ---- - expat/lib/xmlparse.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..ba1038119 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { - - if (parser == NULL) - return XML_STATUS_ERROR; -+ -+ if (len < 0) { -+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; -+ return XML_STATUS_ERROR; -+ } -+ - switch (parser->m_parsingStatus.parsing) { - case XML_SUSPENDED: - parser->m_errorCode = XML_ERROR_SUSPENDED; 
diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch b/gnu/packages/patches/expat-CVE-2024-45491.patch deleted file mode 100644 index 8ff10559bf..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45491.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch -Fixed in 2.6.3. - -From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:34:13 +0200 -Subject: [PATCH] lib: Detect integer overflow in dtdCopy - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..e2327bdcf 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, - if (! newE) - return 0; - if (oldE->nDefaultAtts) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if ((size_t)oldE->nDefaultAtts -+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { -+ return 0; -+ } -+#endif - newE->defaultAtts - = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); - if (! newE->defaultAtts) { diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch b/gnu/packages/patches/expat-CVE-2024-45492.patch deleted file mode 100644 index 852a9b3f59..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45492.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch -Fixed in 2.6.3. - -From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping -Date: Mon, 19 Aug 2024 22:37:16 +0200 -Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..f737575ea 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { - int next; - - if (! dtd->scaffIndex) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { -+ return -1; -+ } -+#endif - dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); - if (! dtd->scaffIndex) - return -1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 10cd6d98fa..33c409212f 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -127,8 +127,7 @@ (define-public libxmlb (define-public expat (package (name "expat") - (version "2.5.0") - (replacement expat/fixed) + (version "2.7.1") (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -140,7 +139,7 @@ (define-public expat "/expat-" version ".tar.xz"))) (sha256 (base32 - "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g"))))) + "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m"))))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases 
@@ -164,17 +163,6 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) -(define-public expat/fixed - (hidden-package - (package - (inherit expat) - (replacement expat/fixed) - (source (origin - (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2024-45490.patch" - "expat-CVE-2024-45491.patch" - "expat-CVE-2024-45492.patch"))))))) - (define-public libebml (package (name "libebml")
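Review bot: the three deleted patch files (the hunks for gnu/packages/patches/expat-CVE-2024-45490.patch, expat-CVE-2024-45491.patch and expat-CVE-2024-45492.patch) each carry "Fixed in 2.6.3." in their header, so an update to 2.7.1 makes them redundant, and the removal matches the gnu/local.mk hunk that unregisters the same three entries from `dist_patch_DATA`. The commit message only says "Remove it." for each; please record there that the three CVE fixes have been upstream since 2.6.3, so the security rationale survives in the log rather than only in the files being deleted. Note also that the 45490 patch header states it took only 1 of the 3 upstream commits (the tests were skipped because they did not apply cleanly); the upstream tarball brings the full test coverage back, which is worth a word in the message.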
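Review bot: in the gnu/packages/xml.scm hunk at @@ -127,8 +127,7 @@, removing `(replacement expat/fixed)` while bumping `(version "2.5.0")` to `(version "2.7.1")` turns what was a graft into an in-place update of `expat` (the `replacement` field is Guix's grafting mechanism), so everything depending on expat is rebuilt instead of grafted. Nothing on this page says which branch the series targets or that the rebuild was exercised; please state the target branch in the commit message or cover letter and confirm that dependents were built, since the jump from 2.5.0 to 2.7.1 crosses several upstream releases.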
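Review bot: the gnu/packages/xml.scm hunk at @@ -140,7 +139,7 @@ swaps the `sha256` for "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m", but the page gives no indication of how that value was obtained. Since `source` is a plain `url-fetch` of a tarball whose URL is derived from `version` via the `dot->underscore` helper in the surrounding context, please mention in the commit message that the hash was reproduced with `guix download` on the URL the `origin` builds (or via `guix refresh -u expat`), so a reviewer can check it independently instead of taking the hash on trust.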
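Review bot: the gnu/packages/xml.scm hunk at @@ -164,17 +163,6 @@ deletes the public binding `(define-public expat/fixed ...)`, but this patch touches only gnu/packages/xml.scm and gnu/local.mk; any other module that still refers to `expat/fixed` (for example a package inheriting from expat with its own `(replacement expat/fixed)`) would fail to compile once this lands. Please run `git grep -n 'expat/fixed'` over the tree before pushing and note in the commit message that no other references remain.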