Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 11:24:49 -0500	[thread overview]
Message-ID: <20161224162449.GA6659@jasmine> (raw)
In-Reply-To: <87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.

> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.

I've noticed this sort of report before. The bugs are found by a vendor
like Apple or Google, and the bug descriptions end up only referring to
the vulnerable component (e.g. libxml2) in the context of how it is used
in the vendor's application.

It's confusing and makes it difficult for the rest of the community to
know where the bugs are, in my opinion.

> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

It should definitely be grafted.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2016-12-24 16:24 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-23 21:24 [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131 Leo Famulari
2016-12-23 21:24 ` [PATCH 1/1] gnu: libxml: Fix CVE-2016-{4658,5131} Leo Famulari
2016-12-24 14:39 ` [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131 Marius Bakke
2016-12-24 16:24   ` Leo Famulari [this message]
2016-12-25  0:25   ` Leo Famulari

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161224162449.GA6659@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    --cc=mbakke@fastmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.