Control: tags 1010667 + patch
Control: tags 1010667 + pending

Dear maintainer,

I've prepared an NMU for ruby-xmlhash (versioned as 1.3.6-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

diff -Nru ruby-xmlhash-1.3.6/debian/changelog ruby-xmlhash-1.3.6/debian/changelog --- ruby-xmlhash-1.3.6/debian/changelog 2022-07-01 02:30:29.000000000 +0300 +++ ruby-xmlhash-1.3.6/debian/changelog 2023-03-16 17:28:19.000000000 +0200 @@ -1,3 +1,11 @@ +ruby-xmlhash (1.3.6-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2022-21949: Improper Restriction of XML External Entity Reference + (Closes: #1010667) + + -- Adrian Bunk <b...@debian.org> Thu, 16 Mar 2023 17:28:19 +0200 + ruby-xmlhash (1.3.6-3) unstable; urgency=medium [ Cédric Boutillier ] diff -Nru ruby-xmlhash-1.3.6/debian/patches/0001-Remove-misnamed-libxml-parsing-flag.patch ruby-xmlhash-1.3.6/debian/patches/0001-Remove-misnamed-libxml-parsing-flag.patch --- ruby-xmlhash-1.3.6/debian/patches/0001-Remove-misnamed-libxml-parsing-flag.patch 1970-01-01 02:00:00.000000000 +0200 +++ ruby-xmlhash-1.3.6/debian/patches/0001-Remove-misnamed-libxml-parsing-flag.patch 2023-03-16 17:28:02.000000000 +0200 
@@ -0,0 +1,27 @@ +From 4a5a8974d5dfc7f8c906b22b346279a5482d3d69 Mon Sep 17 00:00:00 2001 +From: Stephan Kulow <co...@suse.de> +Date: Mon, 4 Apr 2022 16:17:56 +0200 +Subject: Remove misnamed libxml parsing flag + +See details on +https://stackoverflow.com/questions/38807506/what-does-libxml-noent-do-and-why-isnt-it-called-libxml-ent +--- + ext/xmlhash/xmlhash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/xmlhash/xmlhash.c b/ext/xmlhash/xmlhash.c +index aa8eacf..d07aee8 100644 +--- a/ext/xmlhash/xmlhash.c ++++ b/ext/xmlhash/xmlhash.c +@@ -209,7 +209,7 @@ static VALUE parse_xml_hash(VALUE self, VALUE rb_xml) + memcpy(data, StringValuePtr(rb_xml), RSTRING_LEN(rb_xml)); + + reader = xmlReaderForMemory(data, RSTRING_LEN(rb_xml), +- NULL, NULL, XML_PARSE_NOENT | XML_PARSE_NOERROR | XML_PARSE_NOWARNING ); ++ NULL, NULL, XML_PARSE_NOERROR | XML_PARSE_NOWARNING ); + init_XmlhashParserData(); + + if (reader != NULL) { +-- +2.30.2 + diff -Nru ruby-xmlhash-1.3.6/debian/patches/series ruby-xmlhash-1.3.6/debian/patches/series --- ruby-xmlhash-1.3.6/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ ruby-xmlhash-1.3.6/debian/patches/series 2023-03-16 17:28:15.000000000 +0200 @@ -0,0 +1 @@ +0001-Remove-misnamed-libxml-parsing-flag.patch
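Review bot: The new debian/changelog entry names CVE-2022-21949 but not the change that fixes it. Consider stating that the fix is debian/patches/0001-Remove-misnamed-libxml-parsing-flag.patch, which drops XML_PARSE_NOENT from the xmlReaderForMemory() call, so a reader of the changelog can tell how the external entity issue was closed without opening the patch.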
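Review bot: In the ext/xmlhash/xmlhash.c change carried by 0001-Remove-misnamed-libxml-parsing-flag.patch, dropping XML_PARSE_NOENT from the xmlReaderForMemory() options turns off entity substitution altogether, so entities declared in a document's internal subset are no longer expanded either, and the part of parse_xml_hash() that would have to handle entity reference nodes is not visible in this hunk. A regression test would settle it: one case that parses a document declaring an external SYSTEM entity and checks that the referenced content does not appear in the resulting hash, and one case with an internal entity to record the new behaviour. The patch header also carries only the Stack Overflow link; naming CVE-2022-21949 and bug #1010667 there, for example in DEP-3 Origin and Bug-Debian fields, would tie the patch to the issue it fixes.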