From: Leo Famulari
Subject: Re: [PATCH 0/1] Libxml2 CVE-2016-4658 and CVE-2016-5131
Date: Sat, 24 Dec 2016 19:25:58 -0500
To: Marius Bakke
Cc: guix-devel@gnu.org
Message-ID: <20161225002558.GA26822@jasmine>
In-Reply-To: <87eg0xo0gg.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sat, Dec 24, 2016 at 03:39:43PM +0100, Marius Bakke wrote:
> Leo Famulari writes:
>
> > This patch fixes CVE-2016-4658 and CVE-2016-5131 in libxml2.
> >
> > I noticed that Debian applied several more upstream changes to their
> > package:
> >
> > https://anonscm.debian.org/cgit/debian-xml-sgml/libxml2.git/tree/debian/patches
> >
> > Here is the upstream repository:
> >
> > https://git.gnome.org/browse/libxml2/log/
> >
> > Your thoughts?
>
> The patches LGTM. I'm confused by CVE-2016-4658, the only "affected
> products" seem to be Apple-based platforms, yet the code itself does
> not seem platform-specific. And it looks like a serious vulnerability.
>
> The other patch is less severe, but at least has some references in free
> software circles. I'd say push them. Should it be grafted, or can we
> wait for the next 'core-updates' evaluation?

I pushed these specific fixes, using grafts.

> I did not look into the other Debian patches.

I'll look into this over the next few days if nobody beats me to it.
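The reply above says the fixes were pushed "using grafts" rather than waiting for a 'core-updates' rebuild. For readers who have not seen one, the following is an added example of what a Guix graft looks like; it is not code from this thread or from the Guix repository. It assumes that `libxml2` is the package exported by (gnu packages xml), that the two patch files named in `search-patches` exist under gnu/packages/patches/ (both file names are hypothetical), and that the file is evaluated with `guix build -f`.

```scheme
;; Added example, not code from the Guix repository or from this thread.
;; A graft leaves the existing, already-built libxml2 and all of its
;; dependents alone: the original package gains a `replacement' that
;; points at a patched twin, and guix rewrites references to the
;; original store item with references to the replacement at install
;; time instead of rebuilding everything that links against libxml2.
;;
;; Assumptions: the two patch files below exist under
;; gnu/packages/patches/ (hypothetical names), and `libxml2' is the
;; package exported by (gnu packages xml).

(use-modules (guix packages)
             (gnu packages)          ; search-patches
             (gnu packages xml))     ; libxml2

;; The patched twin.  It inherits everything from libxml2 and only adds
;; the upstream fixes to the source.  Name and version are deliberately
;; left unchanged: the grafter replaces store paths by textual
;; rewriting, so the replacement's store file name must have the same
;; length as the original's (same name, same version string) and the
;; replacement must provide the same outputs.
(define libxml2/fixed
  (package
    (inherit libxml2)
    (source
     (origin
       (inherit (package-source libxml2))
       (patches (search-patches
                 "libxml2-CVE-2016-4658.patch"      ; hypothetical file name
                 "libxml2-CVE-2016-5131.patch")))))) ; hypothetical file name

;; The grafted package: identical to the existing libxml2 except for the
;; `replacement' field.  In the real tree this field is added to the
;; existing `libxml2' definition in place rather than to a copy; the
;; `replacement' field is not inherited, so libxml2/fixed above does
;; not point back at itself.
(define-public libxml2/grafted
  (package
    (inherit libxml2)
    (replacement libxml2/fixed)))

;; Last expression: the package that `guix build -f' builds.
libxml2/grafted
```

Saved as, say, libxml2-graft.scm, `guix build -f libxml2-graft.scm` returns the grafted output; `guix build --no-grafts -f libxml2-graft.scm` returns the unpatched original, which is the quick way to confirm that a given store item is the grafted one and not the vulnerable build. The trade-off the thread is weighing is exactly this: a graft ships the fix to users immediately, while a 'core-updates' evaluation applies the patch at build time to every dependent but waits for the next world rebuild.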