Control: tags -1 d-i

Hi,

On Tue, Jun 25, 2019 at 06:59:09AM +0200, Salvatore Bonaccorso wrote:
> Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
> Laszlo cherry-picking the upstream fix. The issue is tracked as
> #931031 in the BTS:
>
> > expat (2.2.6-2) unstable; urgency=high
> >
> > * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
> > (closes: #931031).
> >
> > -- Laszlo Boszormenyi (GCS) <[email protected]> Mon, 24 Jun 2019 21:18:31
> > +0000
>
> unblock expat/2.2.6-2

I'm fine with this, but expat has a udeb, so this needs a d-i ack.
Kibi Cc's (and diff quoted below for easy review).

Thanks,
Ivo

> diff -Nru expat-2.2.6/debian/changelog expat-2.2.6/debian/changelog > --- expat-2.2.6/debian/changelog 2018-08-15 17:18:15.000000000 +0200 > +++ expat-2.2.6/debian/changelog 2019-06-24 23:18:31.000000000 +0200 > @@ -1,3 +1,10 @@ > +expat (2.2.6-2) unstable; urgency=high > + > + * Fix extraction of namespace prefix from XML name (CVE-2018-20843) > + (closes: #931031). > + > + -- Laszlo Boszormenyi (GCS) <[email protected]> Mon, 24 Jun 2019 21:18:31 > +0000 > + > expat (2.2.6-1) unstable; urgency=medium > > * New upstream release. > diff -Nru > expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch > > expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch > --- > expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch > 2019-06-24 23:18:31.000000000 +0200 
> @@ -0,0 +1,23 @@ > +From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001 > +From: Sebastian Pipping <[email protected]> > +Date: Wed, 12 Jun 2019 15:42:22 +0200 > +Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name > + (#186) > + > +--- > + expat/lib/xmlparse.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c > +index 30d55c5c..737d7cd2 100644 > +--- a/expat/lib/xmlparse.c > ++++ b/expat/lib/xmlparse.c > +@@ -6080,7 +6080,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE > *elementType) > + else > + poolDiscard(&dtd->pool); > + elementType->prefix = prefix; > +- > ++ break; > + } > + } > + return 1; > diff -Nru expat-2.2.6/debian/patches/series expat-2.2.6/debian/patches/series > --- expat-2.2.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 > +++ expat-2.2.6/debian/patches/series 2019-06-24 23:18:31.000000000 +0200 > @@ -0,0 +1 @@ > +Fix_extraction_of_namespace_prefix_from_XML_name.patch
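
Review bot: the new debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch has nothing between its Subject line and the `---` separator, so the patch itself never says why `break;` is needed after `elementType->prefix = prefix;` in setElementTypePrefix(), nor does it mention CVE-2018-20843 or #931031. Add a one-sentence description and DEP-3 style fields (Origin pointing at upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6, Bug-Debian for #931031) so the patch is self-describing without the changelog. On the code itself, the visible context after the new `break;` is only the two closing braces and `return 1;`, so leaving the enclosing block early skips no later work in the function; the change is a single line in expat/lib/xmlparse.c and the diff adds no test for it.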

