Re: [xml] Redhat security update for libxml2

[Daniel Veillard <veillard redhat com>]

On Tue, Nov 18, 2008 at 08:28:49PM +0100, Mike Hommey wrote:
> On Tue, Nov 18, 2008 at 07:16:50PM +0000, Graham Bennett wrote:
> > Hi all,
> > 
> > I've been notified of a Redhat security update for libxml2:
> > https://rhn.redhat.com/errata/RHSA-2008-0988.html, and was hoping to
> > update my own builds with a version that doesn't suffer from these
> > vulnerabilities (I build from the standard source distribution, not the
> > Redhat source).  
> > 
> > It wasn't immediately obvious from the release notes and recent mailing
> > list traffic if these have been fixed in a released version of the
> > libxml distribution yet.  If they haven't, is a new released planned to
> > address them?

  Yeah sorry about that. Basically it was embargoed until monday, it's
not that easy to trigger the bugs, I didn't generate a new release for
this I will probably do one within a week or so including those and I
hope a solution for the PHP SAX problem.

> Speaking of which, the patch for the SAX2Characters issue seems strange
> to me. While it is okay on 32-bits architectures, it doesn't make much
> sense on 64-bits architectures, where the addition of 2 ints can hardly
> be greater than SIZE_T_MAX.
> FWIW, as SIZE_T_MAX was not defined on glibc, the patch I applied on
> debian replaces SIZE_T_MAX with UINT_MAX.

  Actually in SVN there is a define of SIZE_T_MAX as (size_t) -1 which
solves the pxprotability problem.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/