From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 15:39:43 +0100
Message-ID: <87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <cover.1482528245.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38042)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cKnUE-0007Aj-5j
	for guix-devel@gnu.org; Sat, 24 Dec 2016 09:39:51 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cKnUA-0005YI-8F
	for guix-devel@gnu.org; Sat, 24 Dec 2016 09:39:50 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56034)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1cKnUA-0005YB-3e
	for guix-devel@gnu.org; Sat, 24 Dec 2016 09:39:46 -0500
In-Reply-To: <cover.1482528245.git.leo@famulari.name>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>, guix-devel@gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
>
> I noticed that Debian applied several more upstream changes to their
> package:
>
> https://anonscm.debian.org/cgit/debian-xml-sgml/libxml2.git/tree/debian/p=
atches
>
> Here is the upstream repository:
>
> https://git.gnome.org/browse/libxml2/log/
>
> Your thoughts?

The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
products" seem to be Apple-based platforms, yet the code itself does
not seem platform-specific. And it looks like a serious vulnerability.

The other patch is less severe, but at least has some references in free
software circles. I'd say push them. Should it be grafted, or can we
wait for the next 'core-updates' evaluation?

I did not look into the other Debian patches.

>
> Leo Famulari (1):
>   gnu: libxml: Fix CVE-2016-{4658,5131}.
>
>  gnu/local.mk                                     |   2 +
>  gnu/packages/patches/libxml2-CVE-2016-4658.patch | 257 +++++++++++++++++=
++++++
>  gnu/packages/patches/libxml2-CVE-2016-5131.patch | 218 +++++++++++++++++=
++
>  gnu/packages/xml.scm                             |   2 +
>  4 files changed, 479 insertions(+)
>  create mode 100644 gnu/packages/patches/libxml2-CVE-2016-4658.patch
>  create mode 100644 gnu/packages/patches/libxml2-CVE-2016-5131.patch
>
> --=20
> 2.11.0

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlheiK8ACgkQoqBt8qM6
VPp+nwgAjXfJ02owPaP0M+9Ls20OSOdEuK8Z7gWQ0k9BGrTbAaTIWTPK83sxE1WF
Skd1fPeTzxtjFSaTDE99pV5OKt8BDqUFTU2aMM44Wc9WFOOM1kB2wfToep6GAdSe
QOuu8ptGDwYJg5nDbXRS+JPiwVDX1x0iYa8postkHbRetm+SBDqhrDrJVKK/aFNj
vSLH1+jBDdsXIhJFTaRT+tSF4Xg2b3K/9SyKg0+hl9KYVXxkuf2BYO8MJdm2SGbP
/zWl5WYAlJQ4KPE2cwVaF8UNhtFEPGybECNuw6rdnsWqdTtgtg7B8q+B331g7klz
JozOVAP0Mw19VBTzyjjDb0kTooarEA==
=N7F8
-----END PGP SIGNATURE-----
--=-=-=--