Your message dated Mon, 30 Jan 2012 21:50:43 +0000 with message-id <e1rrz7b-0000a4...@franck.debian.org> and subject line Bug#656377: fixed in libxml2 2.6.32.dfsg-5+lenny5 has caused the Debian Bug report #656377, regarding libxml2: [PATCH] fix for CVE-2011-3919 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 656377: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656377 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: libxml2 Version: 2.7.8.dfsg-5.1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: denial of service via buffer overflow - parser.c: fix an allocation error when copying entities - 5bd3c061823a8499b27422aee04ea20aae24f03e - CVE-2011-3919 Thanks for considering the patch. References: http://git.gnome.org/browse/libxml2/commit/?id=5bd3c061823a8499b27422aee04ea20aae24f03e http://src.chromium.org/svn/trunk/src/third_party/libxml/README.chromium https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3919 http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dashdiff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c --- libxml2-2.7.8.dfsg/parser.c +++ libxml2-2.7.8.dfsg/parser.c @@ -2709,7 +2709,7 @@ buffer[nbchars++] = '&'; if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) buffer[nbchars++] = *cur++; diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog
--- End Message ---
--- Begin Message ---Source: libxml2 Source-Version: 2.6.32.dfsg-5+lenny5 We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive: libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb to main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb to main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb to main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb to main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb libxml2_2.6.32.dfsg-5+lenny5.diff.gz to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5.diff.gz libxml2_2.6.32.dfsg-5+lenny5.dsc to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5.dsc libxml2_2.6.32.dfsg-5+lenny5_amd64.deb to main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny5_amd64.deb python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb to main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 656...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Aron Xu <a...@debian.org> (supplier of updated libxml2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 24 Jan 2012 06:04:56 +0800 Source: libxml2 Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 Architecture: source all amd64 Version: 2.6.32.dfsg-5+lenny5 Distribution: oldstable-security Urgency: high Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org> Changed-By: Aron Xu <a...@debian.org> Description: libxml2 - GNOME XML library libxml2-dbg - Debugging symbols for the GNOME XML library libxml2-dev - Development files for the GNOME XML library libxml2-doc - Documentation for the GNOME XML library libxml2-utils - XML utilities python-libxml2 - Python bindings for the GNOME XML library Closes: 643648 652352 656377 Changes: libxml2 (2.6.32.dfsg-5+lenny5) oldstable-security; urgency=high . * Security update. * parser.c: Fix an allocation error when copying entities. CVE-2011-3919. Closes: #656377. * parser.c: Make sure parser returns when getting a Stop order. CVE-2011-3905. * encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352. * xpath.c: Fix for undefined namespaces. CVE-2011-2834. Closes: 643648. Checksums-Sha1: 04a90287debdfc7f7559f80e9e0dab808794e909 1647 libxml2_2.6.32.dfsg-5+lenny5.dsc 9db39d08996626ab5c584214ef70e5e307e8b9f7 86309 libxml2_2.6.32.dfsg-5+lenny5.diff.gz 20a9b17e35dcc7652f0e07ce0d54f0bfa79206a9 1307492 libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb 8e436f404235b31ad0c68c97d23c070ee02bb650 861080 libxml2_2.6.32.dfsg-5+lenny5_amd64.deb 903e7dc78c52ea8b49789957a188c81a44ffbc02 37326 libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb 99ba81e0ef39e2b679fc366c8b269da6acaadd4f 774076 libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb 39bebbe51e9a142297e85b55d26634fa1362b834 988562 libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb bd2b69a0f895fc93ff1e6d5f91311bd23d2ee550 295928 python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb Checksums-Sha256: 1232b8cd41cdf7f295a23af260a151da9e26b89bb1a271c435aaab2dd6857bed 1647 libxml2_2.6.32.dfsg-5+lenny5.dsc 1059796d4afa24699a5b59bcf9846ea215be06b2657298d526feda2bd3e3db84 86309 libxml2_2.6.32.dfsg-5+lenny5.diff.gz 3e74d6c1d54fbd068a0ea19a4fefca4ec244784e73e664080eedd049f1460171 1307492 libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb d81e76796ebac9f079e720765102a6ad0c6c5abd7ec6e88caf19a2725f020c6c 861080 libxml2_2.6.32.dfsg-5+lenny5_amd64.deb a44877fa3585934149ea1e756862dc0732296079e062200b537259e65212a23c 37326 libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb 8677a517f84435e99441e8b6a3cd58876b6233a8581648c9a065625e81c27212 774076 libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb 4afb005d1e38435d8dd180ab7a8c9cc491c141a442071516c94350a0e3091978 988562 libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb dcccd350a3e3f87f3a148a8af9cfa0940a9681d226b31653b653023396324c4a 295928 python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb Files: 86c24ecca29d1633dff0e7cccc285f06 1647 libs optional libxml2_2.6.32.dfsg-5+lenny5.dsc 9cdf129340dce255b2dfb450ca4e06fe 86309 libs optional libxml2_2.6.32.dfsg-5+lenny5.diff.gz 9826e7e6915ec8090e00d10483ad7031 1307492 doc optional libxml2-doc_2.6.32.dfsg-5+lenny5_all.deb c327a8e8849388d294d60f95b4d14326 861080 libs optional libxml2_2.6.32.dfsg-5+lenny5_amd64.deb 59fad6589fb7fd7f63bc796b7177ab89 37326 text optional libxml2-utils_2.6.32.dfsg-5+lenny5_amd64.deb dea37e4e8b0e568d81751524a193a401 774076 libdevel optional libxml2-dev_2.6.32.dfsg-5+lenny5_amd64.deb 873db597ec1a1cfaf16f87e992298c63 988562 libdevel extra libxml2-dbg_2.6.32.dfsg-5+lenny5_amd64.deb 53ffa695e87d37a6499b414d80f795ea 295928 python optional python-libxml2_2.6.32.dfsg-5+lenny5_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBCgAGBQJPHpQ+AAoJEIAhAkTu07wNR5YH/3bk7aGqvpdFPMzWvUS6ks4m uqi+d7SzE2ZkvEelsYRZ5SjqyvjgSYRnG6wq0VhIMD96v72K5Lo81YxeZCwUvsO+ q1lXnmJaBD62bUOFavwLKALHhrKCrvpDREV5mdDdcCRcM+sbRocuJBwSPPD5Fdwf F+JLnAByVAAwqOL47ufxcOm2cr9wbuSDutbe5ond5tDHctfDMmVVHMDYK1Lwf4vN olb453FjQBSowmpAvBktjId0mGz7koMi9wedjLIWuWVoKVKx97OXgCGZEuz26+HP R3t93UDOWKs4qGeEdDi6Nne/Ve3HWaDHGR8H/adIJqlW3fZh0ejIL5kQUG5Etj4= =wMNG -----END PGP SIGNATURE-----
--- End Message ---
