On Sun, Sep 25, 2016 at 07:18:11PM -0400, Leo Famulari wrote:
> On Mon, Sep 12, 2016 at 05:35:15PM -0400, Leo Famulari wrote:
> > This patch applies an upstream patch for a regression caused by the fix 
> > for CVE-2016-0718.
> > 
> > Apparently, the bug only manifests when building with -DXML_UNICODE,
> > which I don't think our package does.
> 
> Sebastian Pipping (the Expat maintainer) contacted me to recommend that
> we apply the patch on the master branch.
> 
> He says that the faulty code path can be reached even when XML_UNICODE
> is not defined. Apparently, building with -DXML_UNICODE merely makes it
> easier to reach the faulty code.
> 
> I think we should take Sebastian's advice. What does everyone think?


Seems to me that as the Expat maintainer he would know best.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted