Your message dated Wed, 05 Nov 2014 23:47:06 +0000 with message-id <[email protected]> and subject line Bug#762864: fixed in libxml2 2.8.0+dfsg1-7+wheezy2 has caused the Debian Bug report #762864, regarding libxml2 patch for CVE-2014-0191 wrongly applied to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
762864: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762864
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxml2
Version: 2.7.8.dfsg-2+squeeze9 2.8.0+dfsg1-7+wheezy1
Severity: important
Tags: security

Hi,

The patch applied to libxml2 for wheezy and squeeze-lts for CVE-2014-0191 seems to be applied wrong. A line is duplicated in xmlSAXParseDTD:

@@ -12324,6 +12341,12 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID, return(NULL); } + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + /* * Set-up the SAX context */

while the upstream patch applies that line twice, but once each for two different functions as seen in https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825

Can you look into fixes for this?

Cheers,
Thijs
--- End Message ---
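Review bot: the second `ctxt->options |= XML_PARSE_DTDLOAD;` in the xmlSAXParseDTD hunk is a no-op repeat of the assignment three lines above it, so the hunk sets the flag in one function twice instead of once in each of the two functions the report says the upstream commit touches. Drop the repeated comment and assignment here, and confirm that the other function changed upstream also sets XML_PARSE_DTDLOAD on its context; otherwise that function is left without the flag.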
--- Begin Message ---
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy2

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Oct 2014 12:39:34 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy2
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Description:
 libxml2 - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 762864 765722 765770
Changes:
 libxml2 (2.8.0+dfsg1-7+wheezy2) stable-security; urgency=high
 .
   * Fix buggy patch (Closes: #765770)
   * Fix wrongly applied patch for CVE-2014-0191 (Closes: #762864)
   * Add patch for CVE-2014-3660 (Closes: #765722)
--- End Message ---

