Thanks Daniel!
-----Original Message-----
From: Daniel Veillard [mailto:veillard redhat com]
Sent: Sat 1/19/2008 6:48 AM
To: Fred Smith
Cc: xml gnome org
Subject: Re: [xml] Security flaw affecting all previous libxml2 releases
On Thu, Jan 17, 2008 at 10:34:19AM -0800, Fred Smith wrote:
> Trying to manually apply this patch to 2.4.25. I find that some parts of
> it match up well and others don't.
>
> There are three places in the file where similar code can be found. I'm
> guessing that the one we're concerned with here is the one beginning
> around line 1282, as that's the block where the "1-byte code" most
> closely resembles the bottom part of this patch.
>
> But I don't see a close match for the first change in the patch in any
> of those areas. Specifically, there is no line reading "if (c == 0xC0)".
> The place that most looks like the right place is:
>
> c = *cur;
> if (c & 0x80) { <====================
> if (cur[1] == 0)
> xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
> if ((cur[1] & 0xc0) != 0x80)
> goto encoding_error;
> if ((c & 0xe0) == 0xe0) {
>
> if (cur[2] == 0)
> xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
>
> see the line marked with arrow, it looks as if the patch wants to insert
> a couple of lines right below there??
>
> I'd be grateful if Daniel (or anyone else who has patched an ancient
> version) could advise me on the correct changes to make here.
Sure, i made the patches which were needed for RHEL 2.1/3/4 security fixes,
they went out as part of the source RPM updates for RHEL, attached !
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/