[Secure-testing-commits] r54888 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Aug 19 13:50:32 UTC 2017


Author: carnil
Date: 2017-08-19 13:50:32 +0000 (Sat, 19 Aug 2017)
New Revision: 54888

Modified:
   data/CVE/list
Log:
Add note for CVE-2017-7376

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-08-19 13:34:02 UTC (rev 54887)
+++ data/CVE/list	2017-08-19 13:50:32 UTC (rev 54888)
@@ -16319,7 +16319,10 @@
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
 	NOTE: Android patch: https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4
 	NOTE: Fix upstream: https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
-	NOTE: Fix upstream not yet complete as per 2017-06-17
+	NOTE: The upstream patch has the slight consequence that some port values end up
+	NOTE: negative when cast to a 32-bit int. A negative port though in the URL would
+	NOTE: make the URL invalid. It is discussed if instead it would be best to prevent
+	NOTE: the port from ever being negative. Upstream decided to leave the above patch.
 CVE-2017-7375 [Missing validation for external entities in xmlParsePEReference]
 	RESERVED
 	{DLA-1008-1}
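
Review bot: "the above patch" in the last added NOTE line is ambiguous, because two patches are listed directly above it (the Android patch and the upstream fix); name the upstream commit explicitly. The removed line carried a date ("as per 2017-06-17") and said the fix was not yet complete, while the new text gives no date and no link to the discussion or to upstream's decision, so a later reader cannot check it; add a NOTE with that reference and state whether the fix is now treated as complete despite the negative-port behaviour. "It is discussed if" would also read better as "It was discussed whether", since the following sentence says upstream has already decided.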



