Re: [xml] Release of libxml2-2.9.9
On 30/01/2019 10:36, Alexander Dahl wrote:

> What about CVE-2017-8872? Debian (and SuSE) have a patch:
>
> https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
> https://security-tracker.debian.org/tracker/CVE-2017-8872
>
> According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
> https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been
> fixed by accident with git commit v2.9.8-26-g123234f2?
>
> The Debian patch still applies on 2.9.9, but I don't understand libxml2
> well enough to say if it is harmful now and should be dropped?

The Debian patch is basically the same as commit 123234f2, so it can be dropped.

https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407

> I also cannot say if CVE-2017-8872 is really mitigated with
> v2.9.8-26-g123234f2?

Yes, it's the same issue. I just verified that the POC document in bug 775200 doesn't trigger ASan anymore.

Nick

___
xml mailing list, project page http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml
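The question in this exchange, whether a downstream patch is still needed on a newer upstream release or has already been absorbed, can be answered mechanically before anyone reads the code. The script below is an added example, not part of the thread and not the Debian patch or libxml2 itself: it builds a small constructed git repository with an "old" tag lacking a fix and a "new" tag containing it, extracts the fix as a downstream-style patch, and classifies the patch against a checkout. The reverse-apply check (`git apply --check -R`) is tried first on purpose: an add-only hunk can often still apply forward on a tree that already contains the change, which would duplicate the code rather than fix anything, which is exactly the "harmful now" worry raised above.

```shell
#!/bin/sh
# Added example (constructed demo repo, not libxml2 or the Debian patch).
# Classify a patch against a checked-out tree:
#   already-applied  - the patch reverse-applies cleanly, so the tree has the change
#   needed           - the patch forward-applies cleanly, so the tree lacks it
#   conflict         - neither applies; the patch needs rebasing or review
set -eu

patch_status() {
    repo=$1
    patchfile=$2
    # Reverse check first: a tree that already contains the fix must not be
    # patched again even if the hunk would still apply forward.
    if git -C "$repo" apply --check -R "$patchfile" 2>/dev/null; then
        echo already-applied
    elif git -C "$repo" apply --check "$patchfile" 2>/dev/null; then
        echo needed
    else
        echo conflict
    fi
}

# Build a constructed repository standing in for two upstream releases.
# Prints the working directory; the repo is at $work/repo and the
# downstream-style patch at $work/downstream.patch.
make_demo() {
    work=$(mktemp -d)
    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo

    # "old" release: missing NULL check (constructed, stands in for the unfixed tree)
    printf 'int check(const char *p) {\n    return p[0];\n}\n' > "$repo/parse.c"
    git -C "$repo" add parse.c
    git -C "$repo" commit -q -m "old release"
    git -C "$repo" tag old

    # "new" release: the fix landed upstream
    printf 'int check(const char *p) {\n    if (p == NULL) return -1;\n    return p[0];\n}\n' > "$repo/parse.c"
    git -C "$repo" commit -q -am "fix null deref"
    git -C "$repo" tag new

    # The downstream patch is the same change, extracted from the fixed tree.
    git -C "$repo" diff old new > "$work/downstream.patch"
    echo "$work"
}

# Demo run: report the patch status against both releases.
W=$(make_demo)
for tag in old new; do
    git -C "$W/repo" checkout -q "$tag"
    echo "$tag: $(patch_status "$W/repo" "$W/downstream.patch")"
done
```

Against the "old" tag the script reports `needed`; against the "new" tag it reports `already-applied`, which is the situation the reply above describes for the Debian patch on 2.9.9. A `conflict` result is the case that still needs a human: the downstream change overlaps the upstream one but is not identical.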
Re: [xml] Release of libxml2-2.9.9
Hei hei,

On Thursday, 3 January 2019, 20:30:29 CET, Daniel Veillard via xml wrote:

> Security:
> - CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick Wellnhofer)
> - CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick Wellnhofer)

What about CVE-2017-8872? Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well enough to say if it is harmful now and should be dropped?

I also cannot say if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Anyone else?

Greets
Alex