Re: [xml] Release of libxml2-2.9.9



On 30/01/2019 10:36, Alexander Dahl wrote:
> What about CVE-2017-8872?
>
> Debian (and SuSE) have a patch:
>
> https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
>
> https://security-tracker.debian.org/tracker/CVE-2017-8872
>
> According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
> https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
> accident with git commit v2.9.8-26-g123234f2?
>
> The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
> enough to say if it is harmful now and should be dropped?

The Debian patch is basically the same as commit 123234f2, so it can be dropped.

https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407

> I also can not say
> if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Yes, it's the same issue. I just verified that the POC document in bug 775200 doesn't trigger ASan anymore.

Nick
