[xml/sgml-pkgs] Bug#498768: ubuntu patch matching upstream

Kees Cook kees at ubuntu.com
Mon Sep 22 17:18:35 UTC 2008


Hi,

On Sat, Sep 20, 2008 at 09:06:21AM +0200, Mike Hommey wrote:
> On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote:
> > The above changes are for CVE-2008-3529.
> 
> Certainly not. It's not in upstream patch.

This is where I was getting details:
https://bugzilla.redhat.com/show_bug.cgi?id=461015

> > BTW, would it be possible to
> > add a patch system to libxml2?  It's much easier to split up the patches
> > over time, and is nice for anyone doing post-release updates. :)
> 
> There is a (D)VCS.

True, though I prefer in-package patch systems for doing stable updates.

> > > @@ -6476,8 +6475,6 @@
> > >  		    } else if (list != NULL) {
> > >  			xmlFreeNodeList(list);
> > >  			list = NULL;
> > > -		    } else if (ent->owner != 1) {
> > > -			ctxt->nbentities += ent->owner;
> > >  		    }
> > >  		}
> > >  		ent->checked = 1;
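
Review bot: With the `else if (ent->owner != 1)` branch dropped from this chain, nothing in the visible lines adds to `ctxt->nbentities` before `ent->checked = 1` is set when `list` is NULL. Please confirm that the count for this path is still accumulated somewhere else, so an entity taking this branch is not left out of the total.
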
> > > @@ -6668,6 +6665,8 @@
> > >  		    ctxt->nodelen = 0;
> > >  		    return;
> > >  		}
> > > +	    } else if (ent->owner != 1) {
> > > +		ctxt->nbentities += ent->owner;
> > >  	    }
> > >  	} else {
> > >  	    val = ent->content;
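
Review bot: The added `else if (ent->owner != 1)` hangs off an `if` whose condition is outside the hunk context, and it sits one indentation level shallower than the branch removed in the first hunk, so it is not clear from the diff which case it now covers. A short comment stating when `ent->owner` holds a value other than 1, and why that value is added to `ctxt->nbentities` at this point, would make the backport easier to check against the upstream patch.
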
> > 
> > Was this just interdiff output?  There were some changes to this area of
> > code that needed some by-hand backporting, so the versions used to
> > compare might not end up looking clean.  Or, I could have messed up the
> > backport, but I put them through a bunch of xml regression tests and
> > things seemed to be behaving.
> 
> There was only 1 conflict when applying upstream patch for RHEL5, and
> only because of tabulations/spaces, on my end...

I'm not sure which version of the patch you're quoting, but I had 5
versions to do backports for:

libxml2 | 2.6.32.dfsg-2ubuntu3   | intrepid/main
libxml2 | 2.6.31.dfsg-2ubuntu1.2 | hardy-security/main
libxml2 | 2.6.30.dfsg-2ubuntu1.3 | gutsy-security/main
libxml2 | 2.6.27.dfsg-1ubuntu3.3 | feisty-security/main
libxml2 | 2.6.24.dfsg-1ubuntu1.3 | dapper-security/main

They all tested out fine for me.

-Kees

-- 
Kees Cook
Ubuntu Security Team




