On Mon, Sep 12, 2016 at 05:35:15PM -0400, Leo Famulari wrote:
> This patch applies an upstream patch for a regression caused by the fix 
> for CVE-2016-0718.
> 
> Apparently, the bug only manifests when building with -DXML_UNICODE,
> which I don't think our package does.

Sebastian Pipping (the Expat maintainer) contacted me to recommend that
we apply the patch on the master branch.

He says that the faulty code path can be reached even when XML_UNICODE
is not defined. Apparently, building with -DXML_UNICODE merely makes it
easier to reach the faulty code.

I think we should take Sebastian's advice. What does everyone think?
