Re: [xml] Release of libxml2-2.9.9

2019-01-30 Thread Nick Wellnhofer

On 30/01/2019 10:36, Alexander Dahl wrote:

What about CVE-2017-8872?

Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/

https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
enough to say if it is harmful now and should be dropped?


The Debian patch is basically the same as commit 123234f2, so it can be dropped.

https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407


I also can not say
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?


Yes, it's the same issue. I just verified that the POC document in bug 775200 
doesn't trigger ASan anymore.


Nick
___
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml


Re: [xml] Release of libxml2-2.9.9

2019-01-30 Thread Alexander Dahl
Hei hei,

Am Donnerstag, 3. Januar 2019, 20:30:29 CET schrieb Daniel Veillard via xml:
> Security:
> - CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick
> Wellnhofer) - CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick
> Wellnhofer)

What about CVE-2017-8872?

Debian (and SuSE) have a patch:

https://sources.debian.org/patches/libxml2/2.9.8+dfsg-1/0003-CVE-2017-8872.patch/

https://security-tracker.debian.org/tracker/CVE-2017-8872

According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and 
https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by 
accident with git commit v2.9.8-26-g123234f2?

The Debian patch still applies on 2.9.9, but I don't understand libxml2 well 
enough to say if it is harmful now and should be dropped? I also can not say 
if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Anyone else?

Greets
Alex

___
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml


[xml] Release of libxml2-2.9.9

2019-01-03 Thread Daniel Veillard via xml
  Happy New Year,

 the release is finally out, I just tagged it in git and pushed signed
tarball and rpms to the usual place:

  ftp://xmlsoft.org/libxml2/

this is a mixed release, it includes security fixes, bug fixes as well
as improvement and portability fixes for cygwin:


Security:
- CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (Nick 
Wellnhofer)
- CVE-2018-14404 Fix nullptr deref with XPath logic ops (Nick Wellnhofer)

Documentation:
- reader: Fix documentation comment (Mohammed Sadiq)

Portability:
- Fix MSVC build with lzma (Nick Wellnhofer)
- Variables need 'extern' in static lib on Cygwin (Michael Haubenwallner)
- Really declare dllexport/dllimport for Cygwin (Michael Haubenwallner)
- Merge branch 'patch-2' into 'master' (Nick Wellnhofer)
- Change dir to $THEDIR after ACLOCAL_PATH check autoreconf creates aclocal.m4 
in $srcdir (Vitaly Buka)
- Improve error message if pkg.m4 couldn't be found (Nick Wellnhofer)
- NaN and Inf fixes for pre-C99 compilers (Nick Wellnhofer)

Bug Fixes:
- Revert "Support xmlTextReaderNextSibling w/o preparsed doc" (Nick Wellnhofer)
- Fix building relative URIs (Thomas Holder)
- Problem with data in interleave in RelaxNG validation (Nikolai Weibull)
- Fix memory leak in xmlSwitchInputEncodingInt error path (Nick Wellnhofer)
- Set doc on element obtained from freeElems (Nick Wellnhofer)
- Fix HTML serialization with UTF-8 encoding (Nick Wellnhofer)
- Use actual doc in xmlTextReaderRead*Xml (Nick Wellnhofer)
- Unlink node before freeing it in xmlSAX2StartElement (Nick Wellnhofer)
- Check return value of nodePush in xmlSAX2StartElement (Nick Wellnhofer)
- Free input buffer in xmlHaltParser (Nick Wellnhofer)
- Reset HTML parser input pointers on encoding failure (Nick Wellnhofer)
- Don't run icu_parse_test if EUC-JP is unsupported (Nick Wellnhofer)
- Fix xmlSchemaValidCtxtPtr reuse memory leak (Greg Hildstrom)
- Fix xmlTextReaderNext with preparsed document (Felix Bünemann)
- Remove stray character from comment (Nick Wellnhofer)
- Remove a misleading line from xmlCharEncOutput (Andrey Bienkowski)
- HTML noscript should not close p (Daniel Veillard)
- Don't change context node in xmlXPathRoot (Nick Wellnhofer)
- Stop using XPATH_OP_RESET (Nick Wellnhofer)
- Revert "Change calls to xmlCharEncInput to set flush false" (Nick Wellnhofer)

Improvements:
- Fix "Problem with data in interleave in RelaxNG validation" (Nikolai Weibull)
- cleanup: remove some unreachable code (Thomas Holder)
- add --relative to testURI (Thomas Holder)
- Remove redefined starts and defines inside include elements (Nikolai Weibull)
- Allow choice within choice in nameClass in RELAX NG (Nikolai Weibull)
- Look inside divs for starts and defines inside include (Nikolai Weibull)
- Add compile and libxml2-config.cmake to .gitignore (Nikolai Weibull)
- Stop using doc-charset outside parser code (Nick Wellnhofer)
- Add newlines to 'xmllint --xpath' output (Nick Wellnhofer)
- Don't include SAX.h from globals.h (Nick Wellnhofer)
- Support xmlTextReaderNextSibling w/o preparsed doc (Felix Bünemann)
- Don't instruct user to run make when autogen.sh failed (林博仁(Buo-ren Lin))
- Run Travis ASan tests with "sudo: required" (Nick Wellnhofer)
- Improve restoring of context size and position (Nick Wellnhofer)
- Simplify and harden nodeset filtering (Nick Wellnhofer)
- Avoid unnecessary backups of the context node (Nick Wellnhofer)
- Fix inconsistency in xmlXPathIsInf (Nick Wellnhofer)

  Thanks everybody for your help for this release and especially Nick who
did most of the work on patches and integration !

   Enjoy the new release,

Daniel

-- 
Daniel Veillard  | Red Hat Developers Tools http://developer.redhat.com/
veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
___
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml