gnu: libxslt: Fix CVE-2017-5029 and re-apply the fix for CVE-2016-4738.

This is a followup to commit 2663c38826. * gnu/packages/xml.scm (libxslt)[replacement]: New field. (libxslt/fixed): New variable. * gnu/packages/patches/libxslt-CVE-2017-5029.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
2025-10-02 02:15:12 +00:00 · 2017-12-21 02:12:55 -05:00 · 2017-12-21 02:12:55 -05:00 · 0c9c9526bb
commit 0c9c9526bb
parent 2a0e3d1635
3 changed files with 97 additions and 1 deletions
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@ -188,12 +188,16 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
  (package
    (name "libxslt")
+    (replacement libxslt/fixed)
    (version "1.1.29")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                 version ".tar.gz"))
-             (patches (search-patches "libxslt-CVE-2016-4738.patch"))
+             ;; XXX Oops, the patches field is redefined below, which means the
+             ;; patch for CVE-2016-4738 was not used. Fixed in the definition of
+             ;; libxslt/fixed below.
+             ;(patches (search-patches "libxslt-CVE-2016-4738.patch"))
             (sha256
              (base32
               "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
@ -210,6 +214,15 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
    (license license:x11)))

+(define libxslt/fixed
+  (package
+    (inherit libxslt)
+    (source (origin
+              (inherit (package-source libxslt))
+              (patches (search-patches "libxslt-CVE-2016-4738.patch"
+                                       "libxslt-CVE-2017-5029.patch"
+                                       "libxslt-generated-ids.patch"))))))
+
 (define-public perl-graph-readwrite
  (package
    (name "perl-graph-readwrite")