[Git][security-tracker-team/security-tracker][master] CVE-2017-16932/libxml2 - add triaging result for missing patch

[Tobias Frost (@tobi)]

Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6b6171e9 by Tobias Frost at 2024-11-02T19:06:12+01:00
CVE-2017-16932/libxml2 - add triaging result for missing patch

personal verdict: too intrusive to patch; the additional patch makes the minified testcase from #882613 work, but the patch changes quite some internal workings of the library, so risk of additional regression is high.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -494667,6 +494667,9 @@ CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does not prevent infinite recur
 	NOTE: https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
 	NOTE: Applying only 899a5d9f0ed13b8e32449a08a361e0de127dd961 does not completely
 	NOTE: fix the issue, see https://bugs.debian.org/882613#12 for discussion.
+	NOTE: bisecting, an important missing patchset seems to be
+	NOTE: https://github.com/GNOME/libxml2/commit/453dff1e3b6f7aa724c4996a375c51df6d95abc4, 
+	NOTE: however this patch is very intrusive.
 CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity reference ...)
 	{DLA-1194-1}
 	- libxml2 2.9.4+dfsg1-3.1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b6171e9bcd492283650514c95fe5812744e3b23

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b6171e9bcd492283650514c95fe5812744e3b23
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241102/2b941274/attachment.htm>