On Sun, 18 Jul 2021, Mattia Rizzolo (@mattia) wrote:

> ddf2b33b by Salvatore Bonaccorso at 2021-05-02T16:08:16+02:00
> Validate UTF8 in xmlEncodeEntities (CVE-2021-3517)
Hah, I feel *so* vindicated.

http://www.mirbsd.org/~tg/Debs/dists/buster/wtf/Pkgs/libxml2/libxml2_2.9.4+dfsg1-7+b3tarent1.debdiff

I already carried a (different) fix for this issue (and others) which I prepared during 2013/2014 when working on a project for a customer that used libxml2 through several abstraction levels, and when proposing the patches upstream, they didn’t care (they could not agree which way forward was right and decided to keep the bad behaviour in the meantime), and in #770836 the packager wasn’t interested, either.

Maybe it’s time, from a security PoV, to look at my diff again, figure out which of it is now superseded, if any of the patches that were applied still need fixing, and which of the bugs were not yet addressed.

I’m not on that project any more, so I can’t currently justify doing the expenses.

bye,
//mirabilos
--
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg