From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>, guix-devel@gnu.org
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 15:39:43 +0100 [thread overview]
Message-ID: <87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <cover.1482528245.git.leo@famulari.name>
[-- Attachment #1: Type: text/plain, Size: 1403 bytes --]
Leo Famulari <leo@famulari.name> writes:
> This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
>
> I noticed that Debian applied several more upstream changes to their
> package:
>
> https://anonscm.debian.org/cgit/debian-xml-sgml/libxml2.git/tree/debian/patches
>
> Here is the upstream repository:
>
> https://git.gnome.org/browse/libxml2/log/
>
> Your thoughts?
The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
products" seem to be Apple-based platforms, yet the code itself does
not seem platform-specific. And it looks like a serious vulnerability.
The other patch is less severe, but at least has some references in free
software circles. I'd say push them. Should it be grafted, or can we
wait for the next 'core-updates' evaluation?
I did not look into the other Debian patches.
>
> Leo Famulari (1):
> gnu: libxml: Fix CVE-2016-{4658,5131}.
>
> gnu/local.mk | 2 +
> gnu/packages/patches/libxml2-CVE-2016-4658.patch | 257 +++++++++++++++++++++++
> gnu/packages/patches/libxml2-CVE-2016-5131.patch | 218 +++++++++++++++++++
> gnu/packages/xml.scm | 2 +
> 4 files changed, 479 insertions(+)
> create mode 100644 gnu/packages/patches/libxml2-CVE-2016-4658.patch
> create mode 100644 gnu/packages/patches/libxml2-CVE-2016-5131.patch
>
> --
> 2.11.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
next prev parent reply other threads:[~2016-12-24 14:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-23 21:24 [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131 Leo Famulari
2016-12-23 21:24 ` [PATCH 1/1] gnu: libxml: Fix CVE-2016-{4658,5131} Leo Famulari
2016-12-24 14:39 ` Marius Bakke [this message]
2016-12-24 16:24 ` [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131 Leo Famulari
2016-12-25 0:25 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me \
--to=mbakke@fastmail.com \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).