From: Leo Famulari
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 11:24:49 -0500
Message-ID: <20161224162449.GA6659@jasmine>
In-Reply-To: <87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke
Cc: guix-devel@gnu.org

On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari writes:
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
>
> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.

I've noticed this sort of report before.

The bugs are found by a vendor like Apple or Google, and the bug descriptions end up only referring to the vulnerable component (e.g. libxml2) in the context of how it is used in the vendor's application. It's confusing and makes it difficult for the rest of the community to know where the bugs are, in my opinion.

> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

It should definitely be grafted.