RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

2016-10-21 Thread Vladimir Loubenski
Thank you for clarification.

Regards,
Vladimir.


-Original Message-
From: Cantor, Scott [mailto:canto...@osu.edu] 
Sent: October-21-16 1:24 PM
To: c-dev@xerces.apache.org
Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

> Hi Scott,
> I checked Xerces 3.1.4  sources(
> src/xercesc/validators/DTD/DTDScanner.cpp)
> 
> The fix is missing in them.
> const XMLCh nextCh = fReaderMgr->peekNextChar(); calls without try 
> catch .

The fix I intended to apply is in 3.1.4 and I just verified that.
 
-- Scott


-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org





RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

2016-10-21 Thread Vladimir Loubenski
Hi Scott,
I checked the Xerces 3.1.4 sources (src/xercesc/validators/DTD/DTDScanner.cpp).

The fix is missing in them.
const XMLCh nextCh = fReaderMgr->peekNextChar();

is called without try/catch.

Will the fix be in Xerces 3.1.5?

Regards,
Vladimir.


-Original Message-
From: Cantor, Scott [mailto:canto...@osu.edu] 
Sent: October-21-16 12:52 PM
To: c-dev@xerces.apache.org
Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

> > Does somebody know when it will be fixed in official patch?
> 
> Months ago?
> 
> http://svn.apache.org/viewvc?view=revision&revision=1747619
>  

Meant to link to advisory.

http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
 
 
> -- Scott




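An added illustration, not code from Xerces-C or from anyone in this thread, of the failure mode Vladimir's message points at: a character peek that can throw, called from inside a scanner loop with no try/catch around it. The `Reader`, `Scanner`, the "declaration open" flag and the toy `NAME>` grammar are invented for the example; the point it shows is that the unguarded loop lets the exception escape past partly updated scanner state, while the guarded version turns it into an error result and leaves the state consistent.

```cpp
// Added illustration, not Xerces-C code: a peek that can throw, called from a
// scanner loop with and without a try/catch. All names here are invented.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>

// Toy character reader. Peeking past the end throws, standing in for the
// end-of-input exception a reader layer may raise.
class Reader {
public:
    explicit Reader(std::string data) : data_(std::move(data)) {}
    char peekNextChar() const {
        if (pos_ >= data_.size())
            throw std::runtime_error("unexpected end of input");
        return data_[pos_];
    }
    char getNextChar() {
        char c = peekNextChar();
        ++pos_;
        return c;
    }
private:
    std::string data_;
    std::size_t pos_ = 0;
};

struct ScanResult {
    bool ok;
    std::string name;
    std::string error;
};

// Toy scanner: reads a declaration name terminated by '>' while a transient
// "declaration open" flag is set. Invariant: the flag is clear whenever no
// scan is in progress.
class Scanner {
public:
    explicit Scanner(std::string data) : reader_(std::move(data)) {}

    // Unguarded: peekNextChar() can throw after inDecl_ was set, so the
    // exception escapes with the scanner still marked "inside a declaration".
    ScanResult scanUnguarded() {
        inDecl_ = true;
        std::string name;
        while (reader_.peekNextChar() != '>')   // may throw; nothing catches it
            name += reader_.getNextChar();
        reader_.getNextChar();                  // consume '>'
        inDecl_ = false;
        ++decls_;
        return {true, name, ""};
    }

    // Guarded: the same loop inside try/catch. The exception becomes an error
    // result and the transient flag is cleared before returning.
    ScanResult scanGuarded() {
        inDecl_ = true;
        std::string name;
        try {
            while (reader_.peekNextChar() != '>')
                name += reader_.getNextChar();
            reader_.getNextChar();
        } catch (const std::exception& e) {
            inDecl_ = false;
            return {false, "", e.what()};
        }
        inDecl_ = false;
        ++decls_;
        return {true, name, ""};
    }

    bool inDecl() const { return inDecl_; }
    int decls() const { return decls_; }
private:
    Reader reader_;
    bool inDecl_ = false;
    int decls_ = 0;
};

// Does an unguarded scan of `input` leave the scanner marked "in declaration"?
bool unguardedLeavesDeclOpen(const std::string& input) {
    Scanner s(input);
    try { s.scanUnguarded(); } catch (const std::exception&) {}
    return s.inDecl();
}

// Same question for the guarded scan.
bool guardedLeavesDeclOpen(const std::string& input) {
    Scanner s(input);
    s.scanGuarded();
    return s.inDecl();
}

// Number of declarations counted after one guarded scan of `input`.
int guardedDeclCount(const std::string& input) {
    Scanner s(input);
    s.scanGuarded();
    return s.decls();
}

int main() {
    // Constructed inputs: one complete declaration, one cut off before '>'.
    std::cout << "unguarded, truncated input leaves decl open: "
              << unguardedLeavesDeclOpen("ELEMENT") << '\n';
    std::cout << "guarded, truncated input leaves decl open:   "
              << guardedLeavesDeclOpen("ELEMENT") << '\n';
    std::cout << "guarded, complete input decl count:         "
              << guardedDeclCount("ELEMENT>") << '\n';
    return 0;
}
```

The same pattern applies to any scanner that mutates state before calling into a lower layer that can throw: either the call is wrapped so the handler restores the invariant, or the state mutation is moved after the last call that can fail. Either way, a truncated or malformed input then produces a reported parse error rather than a scanner left mid-declaration.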

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

2016-10-21 Thread Cantor, Scott
> > Does somebody know when it will be fixed in official patch?
> 
> Months ago?
> 
> http://svn.apache.org/viewvc?view=revision&revision=1747619

Meant to link to advisory.

http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
 
> -- Scott





RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

2016-10-21 Thread Cantor, Scott
> Does somebody know when it will be fixed in official patch?

Months ago?

http://svn.apache.org/viewvc?view=revision&revision=1747619

Red Hat still hasn't backported it to my knowledge.

-- Scott





XERCESC-2066 (Exception handling mistake in DTDScanner)

2016-10-21 Thread Vladimir Loubenski
Hi,
The National Vulnerability Database
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2099
tracks https://issues.apache.org/jira/browse/XERCESC-2066 as a Critical Vulnerability issue.
Does somebody know when it will be fixed in official patch? 

Regards,
Vladimir.





RE: Porting XERCESC-2052 fix to 3.1 branch

2016-10-21 Thread Cantor, Scott
> So just for the record, the error is really a regression, it worked in
> 3.1.1 and the fix in trunk was this commit:

That's even stronger evidence that I have no business touching that code, I'm 
afraid. So I would have to say that somebody who does know it needs to own it 
and take care of applying those fixes to the branch.

-- Scott

