Moritz Muehlenhoff <j...@inutil.org> writes:

> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
>
>> The resulting packages work fine in my setup.  However, I failed to
>> reproduce the original issue under stretch.  After consulting upstream,
>> it turns out that the old Xerces library actually helps somewhat in this
>> case, please see Scott Cantor's reply below.  So the known exploit
>> (using an invalid XML declaration) does not work on stable, but if
>> somebody finds a way to trigger a DOMException in Xerces 3.1, any
>> xmltooling users will crash all the same.  See also his comment on
>> https://issues.apache.org/jira/browse/XERCESC-2016.
>
> I think we can still fix this via stretch-security

OK, uploaded.

> it's better to fix the root cause nonetheless.

Even though the Xerces change is suspicious, the documentation allows
the parser to throw DOMExceptions, so they must be handled by the
callers, which this fix achieves.
-- 
Regards,
Feri