On 30/01/2019 10:36, Alexander Dahl wrote:
> What about CVE-2017-8872?
> Debian (and SuSE) have a patch:
> According to https://bugzilla.gnome.org/show_bug.cgi?id=775200 and
> https://gitlab.gnome.org/GNOME/libxml2/issues/26 that might have been fixed by
> accident with git commit v2.9.8-26-g123234f2?
> The Debian patch still applies on 2.9.9, but I don't understand libxml2 well
> enough to say if it is harmful now and should be dropped?

The Debian patch is basically the same as commit 123234f2, so it can be dropped.

> I also can not say
> if CVE-2017-8872 is really mitigated with v2.9.8-26-g123234f2?

Yes, it's the same issue. I just verified that the POC document in bug 775200
doesn't trigger ASan anymore.
xml mailing list, project page http://xmlsoft.org/