On Fri, May 27, 2016 at 10:12 AM, Eric Covener <[email protected]> wrote:
> On Fri, May 27, 2016 at 9:48 AM, David Dillard <[email protected]> wrote:
> > Did anyone see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat
> > allows context-dependent attackers to cause a denial of service (crash) or
> > possibly execute arbitrary code via a malformed input document, which
> > triggers a buffer overflow."
> >
> > A patch used for Debian can be found at
> > http://www.openwall.com/lists/oss-security/2016/05/17/12
>
> Thanks David.
>
> As reported by Seulbae Kim from the Center for Software Security and
> Assurance (CSSA), we either need to spend a lot of time on a bundled
> expat or rip it out from releases. I think one more release with an
> updated expat might be prudent, given the severity of the issue shared
> above.
>

+1 in concept; not sure what the ABI rules would say, if code needs to be
changed so that it works with separately-packaged upstream, etc.

>
> --
> Eric Covener
> [email protected]

--
Born in Roswell... married an alien...
http://emptyhammock.com/
