From a quick look I see

* Expat 2.0.1 in the cbits/ folder
* No dev-libs/expat in ebuild dependencies

Please have a closer look and bypass / remove it, if possible. Thanks!

Related upstream ticket: https://github.com/the-real-blackh/hexpat/issues/2
Seems fixed by 0.20.13 ebuild introducing use flag bundled-expat. Shall we ask for stabilization of 0.20.13 to close this bug?
Closing as fixed because 0.20.13 is the only ebuild left in Gentoo as of today.
(In reply to Sebastian Pipping from comment #2)
> Closing as fixed because 0.20.13 is the only ebuild left in Gentoo as of
> today.

I guess that was too fast: I realize now that use flag bundled-libs will still get you an outdated vulnerable copy of Expat. So re-opening, sorry.
I just opened an issue about updating the bundled copy, upstream.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99fef3753769f1195b74c27d208e2e35b351920b

commit 99fef3753769f1195b74c27d208e2e35b351920b
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-05-24 04:58:04 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-05-24 04:58:14 +0000

    dev-haskell/hexpat: drop USE=bundled-expat

    Reported-by: Sebastian Pipping
    Closes: https://bugs.gentoo.org/591136
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-haskell/hexpat/hexpat-0.20.13.ebuild | 19 ++++++-----
 dev-haskell/hexpat/metadata.xml | 55 +------------------------------
 2 files changed, 10 insertions(+), 64 deletions(-)