Re: [xml] Release of libxml2-2.9.9

From: Nick Wellnhofer <wellnhofer aevum de>
To: Alexander Dahl <ada thorsis com>, xml gnome org
Subject: Re: [xml] Release of libxml2-2.9.9
Date: Wed, 30 Jan 2019 11:27:36 +0100

On 30/01/2019 10:36, Alexander Dahl wrote:

What about CVE-2017-8872?

Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/

https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
enough to say if it is harmful now and should be dropped?


The Debian patch is basically the same as commit 123234f2, so it can be dropped.

https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407

I also can not say
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Yes, it's the same issue. I just verified that the POC document in bug 775200doesn't trigger ASan anymore.


Nick

References:
- [xml] Release of libxml2-2.9.9
  - From: Daniel Veillard
- Re: [xml] Release of libxml2-2.9.9
  - From: Alexander Dahl

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]