On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.

> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.

I've noticed this sort of report before. The bugs are found by a vendor
like Apple or Google, and the bug descriptions end up only referring to
the vulnerable component (e.g. libxml2) in the context of how it is used
in the vendor's application.

It's confusing and makes it difficult for the rest of the community to
know where the bugs are, in my opinion.

> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

It should definitely be grafted.