Hello! Leo Famulari <l...@famulari.name> skribis:
> On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote: >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354. >> >> * gnu/packages/flex.scm (flex)[replacement]: New field. >> (flex/fixed): New variable. >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Add it. > > As Mark pointed out on #guix, bugs in flex's generated code can not be > addressed with a graft. Indeed. We should add this patch to ‘core-updates’ and start building it (I haven’t checked the status of the various branches, though.) > Also, the upstream tarballs that we build from often contain code > generated by flex. Yes, and finding out which tarballs contain vulnerable lexers (or contain Flex-generated stuff at all) sounds difficult. Maybe people have developed scripts to help with that? Thanks, Ludo’.
