On Wed, Jun 13, 2012 at 11:41:22PM +0530, Ashwin Sinha wrote:
Hi Daniel, list

Firstly, thanks for this wonderful piece of software which we have been using for a number of years now. It's super! :)

I write chiefly to get some information regarding CVE2008-3281. We are currently using version 2.6.28, and wanted to merge the patch for 3281, however the patch solution and the latest libxml versions seem to have some differences. Specifically with the use of ctxt->owner in the patch, while the latest version does not use it. I tried to search on the list but could gather nothing conclusive :(. I would be really grateful if someone could point me in the right direction or give some background for the same.

Chiefly I wanted to know if the patch merge as is of 3281 is sufficient, or does the latest version fix some problems in the patch.

I am referring to the following links
http://svn.gnome.org/viewvc/libxml2/trunk/parser.c?r1=3762&r2=3772
https://mail.gnome.org/archives/xml/2008-August/msg00034.html

On top of this, the following seems to have been added
http://svn.gnome.org/viewvc/libxml2/trunk/parser.c?r1=3772&r2=3773

Any help would be greatly appreciated

Please note that SVN use is deprecated, we have used git as the GNOME SCM for a few years now!

Yes, the patch needs to be backported and it may not be trivial. I did so for version 2.6.26 and I assume it will apply to 2.6.28 without much trouble. Give it a try,

Daniel

--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel veillard com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/

Attachment:
libxml2-2.6.26-CVE2008-3281.patch
Description: Text document