Re: [xml] Release of libxml2-2.9.9

On 30/01/2019 10:36, Alexander Dahl wrote:
> What about CVE-2017-8872?
>
> Debian (and SuSE) have a patch:
>
> According to and that might have been fixed by
> accident with git commit v2.9.8-26-g123234f2?
>
> The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
> enough to say if it is harmful now and should be dropped?

The Debian patch is basically the same as commit 123234f2, so it can be dropped.

> I also can not say
> if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Yes, it's the same issue. I just verified that the POC document in bug 775200 doesn't trigger ASan anymore.

