Your message dated Fri, 28 Jun 2019 17:06:05 +0200
with message-id <[email protected]>
and subject line Re: unblock: expat/2.2.6-2
has caused the Debian Bug report #931043,
regarding unblock: expat/2.2.6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931043
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi,

Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
Laszlo cherry-picking the upstream fix. The issue is tracked as
#931031 in the BTS:

> expat (2.2.6-2) unstable; urgency=high
> 
>   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
>     (closes: #931031).
> 
>  -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 24 Jun 2019 21:18:31 +0000

unblock expat/2.2.6-2

Regards,
Salvatore
diff -Nru expat-2.2.6/debian/changelog expat-2.2.6/debian/changelog
--- expat-2.2.6/debian/changelog        2018-08-15 17:18:15.000000000 +0200
+++ expat-2.2.6/debian/changelog        2019-06-24 23:18:31.000000000 +0200
@@ -1,3 +1,10 @@
+expat (2.2.6-2) unstable; urgency=high
+
+  * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
+    (closes: #931031).
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 24 Jun 2019 21:18:31 +0000
+
 expat (2.2.6-1) unstable; urgency=medium
 
   * New upstream release.
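Review bot: the new 2.2.6-2 changelog entry names CVE-2018-20843 and closes #931031 but does not say which patch carries the fix. Naming debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch (or the upstream commit it was cherry-picked from) in the entry would let someone auditing the changelog find the change without reading the debdiff.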
diff -Nru 
expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
 
expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
--- 
expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
   2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1,23 @@
+From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <[email protected]>
+Date: Wed, 12 Jun 2019 15:42:22 +0200
+Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
+ (#186)
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5c..737d7cd2 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6080,7 +6080,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE 
*elementType)
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
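Review bot: the `break;` added after `elementType->prefix = prefix;` in setElementTypePrefix is the whole fix, yet the patch header carries only the upstream subject line and no explanation of why the loop has to stop once the prefix is set. A short description plus DEP-3 fields (Origin referencing upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6, Bug-Debian referencing #931031) would tie this one-line change to CVE-2018-20843 inside the package itself. The diffstat also shows only xmlparse.c changing, so nothing exercises the new early exit; a test that parses an element name with a namespace prefix would cover it.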
diff -Nru expat-2.2.6/debian/patches/series expat-2.2.6/debian/patches/series
--- expat-2.2.6/debian/patches/series   1970-01-01 01:00:00.000000000 +0100
+++ expat-2.2.6/debian/patches/series   2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1 @@
+Fix_extraction_of_namespace_prefix_from_XML_name.patch

--- End Message ---
--- Begin Message ---
Hi,

On 6/28/19 5:04 PM, Cyril Brulebois wrote:
> Hi,
>
> Ivo De Decker <[email protected]> (2019-06-25):
>> On Tue, Jun 25, 2019 at 06:59:09AM +0200, Salvatore Bonaccorso wrote:
>>> Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
>>> Laszlo cherry-picking the upstream fix. The issue is tracked as
>>> #931031 in the BTS:
>>>
>>>> expat (2.2.6-2) unstable; urgency=high
>>>>
>>>>   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
>>>>     (closes: #931031).
>>>>
>>>>  -- Laszlo Boszormenyi (GCS) <[email protected]>  Mon, 24 Jun 2019 21:18:31 +0000
>>>
>>> unblock expat/2.2.6-2
>>
>> I'm fine with this, but expat has a udeb, so this needs a d-i ack. Kibi Cc's
>> (and diff quoted below for easy review).
>
> No obvious regressions in the graphical installer, so no objections.

OK. Unblock-udeb added.

Ivo

--- End Message ---
