Fix CVE-2019-12900

[hasufell]

• [Security] Shipped source code is vulnerable to CVE-2019-12900  #4
• bzlib is vulnerable to CVE-2019-12900 haskell/security-advisories#155

[hasufell]

This unfortunately requires windows users to set -f-system-bzlib to get the bundled sources, because we don't have pkg-config stanza, which cabal could use to change automatic flags.

I'm contemplating what to do about it.

[hasufell]

Well, given that bzip2 is available via msys2 and system libs are to be preferred, I think the current circumstances make sense: https://packages.msys2.org/package/mingw-w64-x86_64-bzip2

[hasufell]

My idea is actually to provide one single project independent bzip2-clib library: https://github.com/hasufell/bzip2-clib

Unfortunately, we're stuck thanks to Haskell tooling again: haskell/hackage-server#1294

Unless we want to lie about the actual license.

[gbaz]

"we don't have pkg-config stanza, which cabal could use to change automatic flags" ?

[hasufell]

"we don't have pkg-config stanza, which cabal could use to change automatic flags" ?

haskell/cabal#7621

[gbaz]

Right, and that pr was merged, so if thats the feature you're referring to, it exists.

[hasufell]

Right, and that pr was merged, so if thats the feature you're referring to, it exists.

Ah. bzip2 has no .pc file. So we can't use it.