about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--README.md8
-rw-r--r--loftix/bugs.scm23
2 files changed, 31 insertions, 0 deletions
diff --git a/README.md b/README.md
index 1e56790..f96e02e 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,13 @@ Then run `guix pull`.
 
     guix shell jasper@1.900.19 -- imginfo -f bugs/cve-2016-9557/reproducer
 
+### CVE-2017-5969
+
+[libxml2: null pointer derefence][oss-sec-20161105-3]
+
+    guix shell libxml2@2.9.4 --\
+      xmllint --recover bugs/cve-2017-5969/reproducer.xml
+
 ### CVE-2017-14745
 
 [binutils: integer overflow][sourceware-22148]
@@ -82,6 +89,7 @@ Then run `guix pull`.
 [python-pacfix]: https://github.com/hsh814/pacfix-python
 [redhat-955808]: https://bugzilla.redhat.com/show_bug.cgi?id=955808
 [jasper-d42b238]: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
+[oss-sec-20161105-3]: https://www.openwall.com/lists/oss-security/2016/11/05/3
 [sourceware-22148]: https://sourceware.org/bugzilla/show_bug.cgi?id=22148
 [sourceware-22186]: https://sourceware.org/bugzilla/show_bug.cgi?id=22186
 [mozjpeg-268]: https://github.com/mozilla/mozjpeg/issues/268
diff --git a/loftix/bugs.scm b/loftix/bugs.scm
index b435176..ee61288 100644
--- a/loftix/bugs.scm
+++ b/loftix/bugs.scm
@@ -20,6 +20,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages image)
+  #:use-module (gnu packages xml)
   #:use-module (guix build-system gnu)
   #:use-module (guix download)
   #:use-module (guix packages))
@@ -66,6 +67,28 @@
     (build-system gnu-build-system)
     (arguments '(#:test-target "test"))))
 
+(define-public libxml2-2.9.4
+  (package
+    (inherit libxml2)
+    (name "libxml2")
+    (version "2.9.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
+    ;; $XML_CATALOG_FILES lists 'catalog.xml' files found in under the 'xml'
+    ;; sub-directory of any given package.
+    (native-search-paths (list (search-path-specification
+                                (variable "XML_CATALOG_FILES")
+                                (separator " ")
+                                (files '("xml"))
+                                (file-pattern "^catalog\\.xml$")
+                                (file-type 'regular))))
+    (search-paths native-search-paths)))
+
 (define-public potrace-1.11
   (package
     (inherit potrace)
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-03-20 20:37:30 +0000