Bug#782985: marked as done (libxml2: parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access)

[Debian Bug Tracking System]

Your message dated Tue, 30 Jun 2015 19:34:15 +0000
with message-id <e1za1in-0007oo...@franck.debian.org>
and subject line Bug#782985: fixed in libxml2 2.7.8.dfsg-2+squeeze12
has caused the Debian Bug report #782985,
regarding libxml2: parsing an unclosed comment can result in `Conditional jump 
or move depends on uninitialised value(s)` and unsafe memory access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
782985: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782985
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: libxml2
Version: 2.9.2+dfsg1-3
Severity: important
Tags: security upstream

Hi

See http://www.openwall.com/lists/oss-security/2015/04/19/4 and
https://bugzilla.gnome.org/show_bug.cgi?id=746048 .

(There is no CVE assigned yet.)

Could you adjust the affected version in the BTS? I only verified the
issue in unstable.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze12

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 29 May 2015 13:37:58 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc 
python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-2+squeeze12
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug 
extension)
Closes: 782782 782985 783010
Changes: 
 libxml2 (2.7.8.dfsg-2+squeeze12) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * debian/patches:
     + Fix CVE-2015-1819:  Enforce the reader to run in constant memory.
       (Closes: #782782).
     + Fix out-of-bounds memory access when parsing an unclosed HTML comment.
       (Closes: #782985).
     + Fix out-of-bound memory access during read operations. (Closes: #783010).
   * debian/rules:
     + Disable updating of config.sub and config.guess during
       override_dh_auto_clean to avoid .debdiff pollution.
Checksums-Sha1: 
 cad07b9ed1d82af6e9c5a4a850f770979d75b4f9 2426 
libxml2_2.7.8.dfsg-2+squeeze12.dsc
 32dae94c8586d2d2b541a3d559119005a85931ad 129695 
libxml2_2.7.8.dfsg-2+squeeze12.diff.gz
 f35c5c06b9308b92b10ce9b4e1f8a273e8033d77 875920 
libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 d3e0281f9b1d5b48a02c3cd13459fda1376dbf8e 94448 
libxml2-utils_2.7.8.dfsg-2+squeeze12_amd64.deb
 2a8489136144332e365754f359fcf6f81836f702 832468 
libxml2-dev_2.7.8.dfsg-2+squeeze12_amd64.deb
 d1c7f883bf8db616987fa4e16937730a0ad62107 991698 
libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb
 90a09f4461f687316afa3794b58fe6becb1fbfb8 1378304 
libxml2-doc_2.7.8.dfsg-2+squeeze12_all.deb
 752cf8de68974634e485278bd66b47c094f6ee83 341358 
python-libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 62a56ed5540c0d7afe84a00a1e22d7d41777fe6f 873454 
python-libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb
Checksums-Sha256: 
 caed369c39b9f938487dd9ad9a882885b88197f75038da3a203807f07f8d2b73 2426 
libxml2_2.7.8.dfsg-2+squeeze12.dsc
 1b200e219a9c5c99d9206403a8ed7c2b9a1c7071e5d007e1efd7ebc3bfaf4888 129695 
libxml2_2.7.8.dfsg-2+squeeze12.diff.gz
 f6fb97455ce972248eaaedc219cf2860736709d0fb386ffb4ce40d000fe724f8 875920 
libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 f252922bb86e0fcac3bd2081929b0f4b4f35b3f45ce2822e5af81ead3f797b73 94448 
libxml2-utils_2.7.8.dfsg-2+squeeze12_amd64.deb
 2ee8beca3f509ef235dbd618d546e4d646576b18205425e7763a187a8c052f6f 832468 
libxml2-dev_2.7.8.dfsg-2+squeeze12_amd64.deb
 c69727af30bdca658bccf1bb56e97d7cb89b7f125912dbec149cac1cde2a7f0c 991698 
libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb
 eabcc505adb9414a2d59bb8f5216ab64911e25a8411a99adb7b78f0d19155f44 1378304 
libxml2-doc_2.7.8.dfsg-2+squeeze12_all.deb
 8f39e1b49f7a8ccbac349c9df51c8863d34ec1d92e1f781deb5fb74722b56df1 341358 
python-libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 b823a6133e23e80e36e2258d1f40691264ab6543545c230ea8c0e4436157ed31 873454 
python-libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb
Files: 
 1fea8792ff13982cb91d1d2e980df6eb 2426 libs optional 
libxml2_2.7.8.dfsg-2+squeeze12.dsc
 a30d6731f2d386fa732c37adc9df39f3 129695 libs optional 
libxml2_2.7.8.dfsg-2+squeeze12.diff.gz
 049693d2d1463d4c1d54705526d772f2 875920 libs standard 
libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 4471805189f4968271ab6d8c38655242 94448 text optional 
libxml2-utils_2.7.8.dfsg-2+squeeze12_amd64.deb
 b8a915afb3c42bc27dc86c29806ba730 832468 libdevel optional 
libxml2-dev_2.7.8.dfsg-2+squeeze12_amd64.deb
 a5b563f663875996422b552ade779647 991698 debug extra 
libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb
 148d69ed482b8104a2bc106cd87fa3e2 1378304 doc optional 
libxml2-doc_2.7.8.dfsg-2+squeeze12_all.deb
 2953603d24f56a3f700f1042c37d4de2 341358 python optional 
python-libxml2_2.7.8.dfsg-2+squeeze12_amd64.deb
 43f08b8aa94017c105b336abb737dd66 873454 debug extra 
python-libxml2-dbg_2.7.8.dfsg-2+squeeze12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVkuqRAAoJEJr0azAldxsx/sYP/RfomfpVAfBJuJzqYlsJflYX
HfTJfFcvQQ1BD49eYJAjk3WUBUfYm3cKiRCJppMl8TOI1VolXHUr0LOF1Hf32Acf
kJys9mDIBO6fKEZ4fNqZYAqcgkiott5MRXsQEm6HO4JTNdNVcdymTp8kPnZYaNEQ
UA1Zg3smzjpeANgrBCca292svoEtz+gOHm3ZvD/dUUkXROiMIaHf42NKDyqVvE1F
c85Nu+WGiulrwRVXXD/Toai1qoLV0AEvWCHHMUWXbTEyoS4DBbkVqxWIEVZURiKX
rtT5RnkTcUmLLrIWUB/khCgltEno3ARpi1TTbMquc6i+/12Oh6C17e0HKNJSblVu
X3Owmrb23OledtAj1Lhu5Uu3ofOgOVKEHkZrGC7A418Qcw8x0GZw1d4b9VilK+cG
YXr+Y+b9NrEZ714TpmZPuu5W3tGVxyF5Xg5q8vYjYAwJEXOqKexu4UllSzqwUPcr
0UF7lAyJJoCXFlSvORCSaxlXiP4uykXIrNOYZLgc30xuEYWaxDVF9oaK1kj+Ae0F
n/tXZlCXxYAjIXjRjWd06Ulz6JLVN9MkFyFO6ZMxixmgjJbQ9hBSliNgw13Eg9Hh
rQVyDk0TRubYqMtZ9FLRhbYFTQcq/s5lIlXipn4A0R+ZL+rlERiGVcFxdWTl6/EP
u73vr5wy+i7ly5vCIxcc
=H7GX
-----END PGP SIGNATURE-----

--- End Message ---