Fix CVE-2019-12900 #5

Open
wants to merge 8 commits into
base: master

Contributor Author

hasufell commented Mar 8, 2024

This unfortunately requires Windows users to set -f-system-bzlib to get the bundled sources, because we don't have pkg-config stanza, which cabal could use to change automatic flags.

I'm contemplating what to do about it.

Contributor Author

hasufell commented Mar 8, 2024

Well, given that bzip2 is available via msys2 and system libs are to be preferred, I think the current circumstances make sense: https://packages.msys2.org/package/mingw-w64-x86_64-bzip2

Contributor Author

hasufell commented Mar 8, 2024

My idea is actually to provide one single project-independent bzip2-clib library: https://github.com/hasufell/bzip2-clib

Unfortunately, we're stuck thanks to Haskell tooling again: haskell/hackage-server#1294

Unless we want to lie about the actual license.


gbaz commented Mar 8, 2024

"we don't have pkg-config stanza, which cabal could use to change automatic flags" ?

Contributor Author

hasufell commented Mar 9, 2024

> "we don't have pkg-config stanza, which cabal could use to change automatic flags" ?

haskell/cabal#7621


gbaz commented Mar 9, 2024

Right, and that PR was merged, so if that's the feature you're referring to, it exists.

Contributor Author

hasufell commented Mar 9, 2024

> Right, and that PR was merged, so if that's the feature you're referring to, it exists.

Ah. bzip2 has no .pc file. So we can't use it.
