Tobias Frost pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
6b6171e9 by Tobias Frost at 2024-11-02T19:06:12+01:00
CVE-2017-16932/libxml2 - add triaging result for missing patch
personal verdict: too intrusive to patch; the additional patch makes the
minified testcase from #882613 work, but the patch changes quite some internal
workings of the library, so risk of additional regression is high.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -494667,6 +494667,9 @@ CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does
not prevent infinite recur
NOTE:
https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
NOTE: Applying only 899a5d9f0ed13b8e32449a08a361e0de127dd961 does not
completely
NOTE: fix the issue, see https://bugs.debian.org/882613#12 for
discussion.
+ NOTE: bisecting, an important missing patchset seems to be
+ NOTE:
https://github.com/GNOME/libxml2/commit/453dff1e3b6f7aa724c4996a375c51df6d95abc4,
+ NOTE: however this patch is very intrusive.
CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity
reference ...)
{DLA-1194-1}
- libxml2 2.9.4+dfsg1-3.1
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b6171e9bcd492283650514c95fe5812744e3b23
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b6171e9bcd492283650514c95fe5812744e3b23
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
