Your message dated Wed, 29 Oct 2014 19:34:50 +0000 with message-id <[email protected]> and subject line Bug#762864: fixed in libxml2 2.7.8.dfsg-2+squeeze10 has caused the Debian Bug report #762864, regarding libxml2 patch for CVE-2014-0191 wrongly applied to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
762864: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762864
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxml2
Version: 2.7.8.dfsg-2+squeeze9 2.8.0+dfsg1-7+wheezy1
Severity: important
Tags: security

Hi,

The patch applied to libxml2 for wheezy and squeeze-lts for CVE-2014-0191 seems to be applied wrong. A line is duplicated in xmlSAXParseDTD:

@@ -12324,6 +12341,12 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID, return(NULL); } + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + /* * Set-up the SAX context */

while the upstream patch applies that line twice, but once each for two different functions as seen in
https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825

Can you look into fixes for this?

Cheers,
Thijs
--- End Message ---
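Review bot: The comment and the assignment "ctxt->options |= XML_PARSE_DTDLOAD;" are added twice back to back in this xmlSAXParseDTD hunk, and the second pair is a no-op, because OR-ing the same flag into ctxt->options again changes nothing. The report says upstream sets the flag once in each of two different functions, so the duplicate here suggests the second function was left without it. Drop the second pair from xmlSAXParseDTD, add it to the other function the upstream commit touches, and confirm after refreshing the patch that each of the two functions sets the flag exactly once.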
--- Begin Message ---
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze10

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Tue, 28 Oct 2014 18:00:28 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source i386 all
Version: 2.7.8.dfsg-2+squeeze10
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
 libxml2 - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 762864 765722
Changes:
 libxml2 (2.7.8.dfsg-2+squeeze10) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix wrongly applied patch for CVE-2014-0191 (Closes: #762864)
   * Add patch for CVE-2014-3660 (Closes: #765722)
--- End Message ---

