Re: [xml] Release of libxml2-2.9.9
- From: Nick Wellnhofer <wellnhofer aevum de>
- To: Alexander Dahl <ada thorsis com>, xml gnome org
- Subject: Re: [xml] Release of libxml2-2.9.9
- Date: Wed, 30 Jan 2019 11:27:36 +0100
On 30/01/2019 10:36, Alexander Dahl wrote:
> What about CVE-2017-8872?
> Debian (and SuSE) have a patch:
> https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/
> https://security-tracker.debian.org/tracker/CVE-2017-8872
> According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
> https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
> accident with git commit v2.9.8-26-g123234f2?
> The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
> enough to say if it is harmful now and should be dropped?
The Debian patch is basically the same as commit 123234f2, so it can be dropped.
https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407
> I also can not say
> if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?
Yes, it's the same issue. I just verified that the POC document in bug 775200
doesn't trigger ASan anymore.
Nick
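The two checks behind Nick's answer (the release tag already contains the upstream fix commit, and the downstream patch carries no change the tree lacks), as an added shell example that is not part of this thread or of libxml2: it builds a small constructed git repository standing in for libxml2 and runs both checks against it. The tag names, file contents and patch are constructed placeholders, not the real 2.9.8/2.9.9 history or the Debian patch.

```shell
#!/bin/sh
# Two checks a packager can run before dropping a downstream patch at a release
# tag: does the tag contain the upstream fix commit, and does the patch
# reverse-apply cleanly (its changes are already in the tree)? The repository
# built below is a constructed stand-in for libxml2, not the real tree.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# fix_in_release <repo> <commit> <tag>: exit 0 if <tag> contains <commit>.
fix_in_release() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# patch_already_applied <repo> <patch>: exit 0 if the patch reverse-applies
# cleanly to the checked-out tree, i.e. the tree already carries its change.
patch_already_applied() {
    git -C "$1" apply --check --reverse "$2" 2>/dev/null
}

# make_demo_repo: builds a repo with a vulnerable commit (tagged v2.9.8), a fix
# commit (tagged v2.9.9) and a patch file equal to the fix; prints the repo path.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    printf 'buf[len] = 0;\n' > "$repo/parser.c"
    git -C "$repo" add parser.c
    git -C "$repo" commit -q -m "vulnerable version"
    git -C "$repo" tag v2.9.8
    printf 'if (len < size) buf[len] = 0;\n' > "$repo/parser.c"
    git -C "$repo" commit -q -am "fix: check length before write"
    git -C "$repo" tag v2.9.9
    # The "downstream patch" is a unified diff of the fix commit itself.
    git -C "$repo" diff v2.9.8 v2.9.9 > "$repo/downstream.patch"
    echo "$repo"
}

# Demo: at v2.9.9 both checks pass, so the downstream patch can be dropped.
demo=$(make_demo_repo)
fix=$(git -C "$demo" rev-parse v2.9.9)
if fix_in_release "$demo" "$fix" v2.9.9 &&
   patch_already_applied "$demo" "$demo/downstream.patch"; then
    echo "v2.9.9 already contains the fix; the downstream patch can be dropped"
fi
```

On a real tree the same two calls take the release tag (v2.9.9), the fix commit (123234f2) and the distro patch file; a patch that still applies forward but not in reverse is one the release does not yet carry.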