[
https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17057899#comment-17057899
]
Scott Cantor commented on XERCESC-2188:
---------------------------------------
I branched this morning, so master is now open for 3.3 commits if necessary.
Before anything else, I wanted to clarify that I believe this patch is
sufficient to warrant either an Apache license attached or a contribution
agreement from the patch author. If neither of those is practical than I would
advise that such a patch not actually be written and that it be left to the
existing committers, but unfortunately there are none at the moment able to
work on the issue. That's a catch-22, but the IPR is what it is. Hopefully
slapping the license on would be ok.
Aside from that issue, my advice would be to eventually apply a patch to master
and then if the team decides the patch is safe to apply to 3.2, we can always
cherry-pick it back.
> Use-after-free on external DTD scan
> -----------------------------------
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (DTD)
> Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3,
> 3.1.4, 3.2.1, 3.2.2
> Reporter: Scott Cantor
> Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per
> the attached PDF, corresponding to CVE-2018-1311.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
