gnu: expat: Add replacement for [security fixes].

Fixes CVE-2021-45960, CVE-2021-46143, and CVE-2022-22822…22827. * gnu/packages/xml.scm (expat/fixed): New variable. (expat)[replacement]: Use it.
2022-01-16 01:00:00 +01:00 · 2022-01-16 01:00:00 +01:00 · 2045852b09
commit 2045852b09
parent bd19671f8a
1 changed files with 18 additions and 0 deletions
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@ -119,6 +119,7 @@ the entire document.")
  (package
    (name "expat")
    (version "2.4.1")
+    (replacement expat/fixed)
    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
              (origin
                (method url-fetch)
@ -154,6 +155,23 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
    (license license:expat)))

+(define expat/fixed
+  (package
+    (inherit expat)
+    (version "2.4.3")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "12kp4h40cpyqqpjqaldag0xq4ig1ljzpkzy9i2marc7blnqz3ydi")))))))
+
 (define-public libebml
  (package
    (name "libebml")