gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.

* gnu/packages/patches/libxml2-CVE-2016-3627.patch,
gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.

1 files changed, 10 insertions, 1 deletions

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 9eaf71aefa..96bb8b76c6 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
@@ -77,6 +77,7 @@ things the parser might find in the XML document (like start tags).")
   (package
     (name "libxml2")
     (version "2.9.3")
+    (replacement libxml2/fixed)                   ;multiple CVEs
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
@@ -103,6 +104,14 @@ things the parser might find in the XML document (like start tags).")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
+(define libxml2/fixed
+  (package
+    (inherit libxml2)
+    (source (origin
+              (inherit (package-source libxml2))
+              (patches (search-patches "libxml2-CVE-2016-3627.patch"
+                                       "libxml2-CVE-2016-3705.patch"))))))
+
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")