On Fri, Jul 31, 2015 at 03:50:08PM -0500, William Rowe wrote:
> Thanks Daniel, sharing this with the dev@ list, as the problem and the fix
> are both public.
>
> Folks, what are your thoughts? Our expat is already quite old, and
> the current release was 2.10, while we were still shipping 1.95.7,
> before this issue popped up.
>
> Bumping major versions in a subversion release seems out of place.
> Perhaps though we can ship this in a 1.6 if we are going to proceed.
> Would we want to ship the patch, or would we want to ship expat
> project's own patches once they update?
Having taken a brief look, I'm not sure if CVE-2015-2716 would be properly considered an expat bug, or a bug in some use of the expat API which Mozilla chose to fix by patching input parameter validation into expat.

https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c

That said, there are also CVE-2012-0876 and CVE-2012-1148, which look unfixed in the apr-util bundled expat. I have backports of those fixes for expat 1.95.8 which don't apply to the 1.95.7 in apr-util.

Dunno. "Don't start from here" looks like a pretty good option.

Regards, Joe
