Comment # 3 on bug 1232608 from Konstantin Voinov
(In reply to Dave Plater from comment #2)
> @kill_it
> Konstantin this CVE refers to the VST addon, there's no mention of xpat in
> the audacity sources.
> find . -iname "*xpat*"
> ./cmake-proxies/cmake-modules/dependencies/expat.cmake
> ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat
> ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat.h
> ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat_external.h
> 
> Can you fix it or should we remove it from the build? Either an updated xpat
> without the vulnerability or a patch should do.

We need to patch these vstgui/uidescription/expat/ files manually, because the
upstream patch won't apply nicely. Is it OK? Or we can disable VST3 plugins for
now, as its GUI is not really working.

