[xml/sgml-pkgs] Bug#774358: libxml2: CVE-2014-3660 patch makes installation-guide FTBFS
Samuel Thibault
sthibault at debian.org
Thu Mar 26 01:17:01 UTC 2015
Control: reopen -1
Control: found -1 2.8.0+dfsg1-7+wheezy3
Hello,
This is still an issue in stable: the proposed patch was not applied
there, and thus installation-guide still FTBFS on wheezy, notably on our
dillon.debian.org machine, thus making http://d-i.debian.org/manual/
completely out of date. Could this be proposed for stable update?
I have attached the proposed patch again.
Samuel
-------------- next part --------------
--- libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original 2015-01-01 14:48:26.337554556 +0100
+++ libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01 14:48:53.000874666 +0100
@@ -6,11 +6,11 @@
parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
-diff --git a/parser.c b/parser.c
-index 7ef712d..b435913 100644
---- a/parser.c
-+++ b/parser.c
-@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+Index: libxml2-2.8.0+dfsg1/parser.c
+===================================================================
+--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000
++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000
+@@ -127,6 +127,27 @@
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
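Review bot: the diffstat kept as context at the top of this hunk (`parser.c | 42 ++++...`, `38 insertions(+), 4 deletions(-)`) will no longer match the patch body once the inner hunk header shrinks from `+127,29` to `+127,27`; please regenerate it or drop it. The rewritten inner header also loses the `xmlParserEntityCheck(...)` function context and the git `index 7ef712d..b435913` line, which makes the patch harder to map back to the upstream commit. A short line in the patch header stating that this version deviates from upstream, and why, would cover that.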
@@ -29,10 +29,8 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+
-+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ ent->checked = ctxt->nbentities - oldnbent + 1;
+ if (rep != NULL) {
-+ if (xmlStrchr(rep, '<'))
-+ ent->checked |= 1;
+ xmlFree(rep);
+ rep = NULL;
+ }
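Review bot: after this change `ent->checked` holds the plain count `ctxt->nbentities - oldnbent + 1` instead of the doubled count with bit 0 marking a `<` in the expansion, so any other hunk of cve-2014-3660.patch that reads the field with the previous encoding needs the same adjustment; please confirm the rest of the patch was checked for that. With the `xmlStrchr(rep, '<')` test removed, `rep` is now decoded only to be freed, so a one-line comment saying that `xmlStringDecodeEntities` is called here for its effect on `ctxt->nbentities` would keep a later reader from deleting the call as dead code.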