Your message dated Sun, 20 Aug 2017 08:50:13 +0000
with message-id <[email protected]>
and subject line Bug#870870: fixed in libxml2 2.9.4+dfsg1-3.1
has caused the Debian Bug report #870870,
regarding libxml2: CVE-2017-0663: Heap buffer overflow in xmlAddID
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
870870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870870
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.1+dfsg1-5
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=780228
Hi,
the following vulnerability was published for libxml2.
CVE-2017-0663[0]:
| A remote code execution vulnerability in libxml2 could enable an
| attacker using a specially crafted file to execute arbitrary code
| within the context of an unprivileged process. This issue is rated as
| High due to the possibility of remote code execution in an application
| that uses this library. Product: Android. Versions: 4.4.4, 5.0.2,
| 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-0663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
[1] https://bugzilla.gnome.org/show_bug.cgi?id=780228
[2] https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1462225
https://bugzilla.redhat.com/show_bug.cgi?id=1462225#c2
https://bugzilla.redhat.com/show_bug.cgi?id=1462225#c3
[4] https://bugzilla.novell.com/show_bug.cgi?id=1044337
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.4+dfsg1-3.1
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Aug 2017 06:56:40 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc
python-libxml2 python-libxml2-dbg python3-libxml2 python3-libxml2-dbg
Architecture: source
Version: 2.9.4+dfsg1-3.1
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 863018 863019 863021 863022 870865 870867 870870
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
python3-libxml2 - Python3 bindings for the GNOME XML library
python3-libxml2-dbg - Python3 bindings for the GNOME XML library (debug extension)
Changes:
libxml2 (2.9.4+dfsg1-3.1) unstable; urgency=low
.
* Non-maintainer upload.
* Increase buffer space for port in HTTP redirect support (CVE-2017-7376)
Incorrect limit was used for port values. (Closes: #870865)
* Prevent unwanted external entity reference (CVE-2017-7375)
Missing validation for external entities in xmlParsePEReference.
(Closes: #870867)
* Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050)
- Heap-based buffer over-read in function xmlDictComputeFastKey
(CVE-2017-9049).
- Heap-based buffer over-read in function xmlDictAddString
(CVE-2017-9050).
(Closes: #863019, #863018)
* Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047,
CVE-2017-9048)
- Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047).
- Stack-based buffer overflow in function xmlSnprintfElementContent
(CVE-2017-9048).
(Closes: #863022, #863021)
* Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663)
Heap buffer overflow in xmlAddID. (Closes: #870870)
Checksums-Sha1:
f403fa424d24484734ac50e4f425fb20bbc8c0a4 3121 libxml2_2.9.4+dfsg1-3.1.dsc
2107cdd9a86fcced334e230c0570b8b9d4ffaef5 33852 libxml2_2.9.4+dfsg1-3.1.debian.tar.xz
Checksums-Sha256:
7b6dbd6cb82e44393436d1900ec37791002456eb53f17951d561b2b4f3a71bdf 3121 libxml2_2.9.4+dfsg1-3.1.dsc
9de354bf1315f0e631505789a6059fdbcef3fd2c262b1573935cdf6acf0ee976 33852 libxml2_2.9.4+dfsg1-3.1.debian.tar.xz
Files:
63f1bfc1415e09c79177978cce1f2f77 3121 libs optional libxml2_2.9.4+dfsg1-3.1.dsc
ae6b0290e64db9ccf1604938422de437 33852 libs optional libxml2_2.9.4+dfsg1-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---