Hi,

On 30.12.23 16:06, Guilhem Moulin wrote:
Control: tag -1 + patch

Hi,

I had a look at these issues for Buster (LTS).  Unfortunately the
upstream project appears to be inactive.

On Fri, 22 Dec 2023 at 14:50:57 +0100, Moritz Mühlenhoff wrote:
CVE-2023-34194[0]:
| StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in
| TinyXML through 2.6.2 has a reachable assertion (and application
| exit) via a crafted XML document with a '\0' located after
| whitespace.

I attach a patch for this.  Felix, I can upload an NMU for sid if you'd
like.

Thanks for working on this!

There are some minor changes staged in the salsa git repo. It would be good
to include them as well. Feel free to push the patch to git and upload.
Alternatively a merge request works as well of course.

Cheers,
Felix

Reply via email to