Bug#899063: marked as done (tinyxml2: CVE-2018-11210)

Sat, 19 May 2018 01:33:37 -0700 

Your message dated Sat, 19 May 2018 16:30:07 +0800
with message-id <[email protected]>
and subject line Re: Bug#899063: tinyxml2: CVE-2018-11210
has caused the Debian Bug report #899063,
regarding tinyxml2: CVE-2018-11210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
899063: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899063
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: tinyxml2
Version: 6.2.0+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/leethomason/tinyxml2/issues/675

Hi,

The following vulnerability was published for tinyxml2.

CVE-2018-11210[0]:
| TinyXML2 6.2.0 has a heap-based buffer over-read in the
| XMLDocument::Parse function in libtinyxml2.so.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11210
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11210
[1] https://github.com/leethomason/tinyxml2/issues/675

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Control: tags -1 + unreproducible

On Fri, May 18, 2018 at 08:57:30PM +0200, Salvatore Bonaccorso wrote:
> Source: tinyxml2
> Version: 6.2.0+dfsg-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/leethomason/tinyxml2/issues/675
> 
> Hi,
> 
> The following vulnerability was published for tinyxml2.
> 
> CVE-2018-11210[0]:
> | TinyXML2 6.2.0 has a heap-based buffer over-read in the
> | XMLDocument::Parse function in libtinyxml2.so.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-11210
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11210
> [1] https://github.com/leethomason/tinyxml2/issues/675
> 
> Please adjust the affected versions in the BTS as needed.

Seems like upstream has closed it as not a bug, as no test-case was
provided and it's suspected to a be a misuse of the API. I'll close it
here as well.

-- 
Kind regards,
Loong Jin

Attachment: signature.asc
Description: PGP signature


--- End Message ---

Reply via email to