[xml/sgml-pkgs] Bug#762864: libxml2 patch for CVE-2014-0191 wrongly applied
Thijs Kinkhorst
thijs at debian.org
Thu Sep 25 19:18:12 UTC 2014
Package: libxml2
Version: 2.7.8.dfsg-2+squeeze9 2.8.0+dfsg1-7+wheezy1
Severity: important
Tags: security
Hi,
The patch applied to libxml2 for wheezy and squeeze-lts for CVE-2014-0191
seems to be applied wrong. A line is duplicated in xmlSAXParseDTD:
@@ -12324,6 +12341,12 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const
xmlChar *ExternalID,
return(NULL);
}
+ /* We are loading a DTD */
+ ctxt->options |= XML_PARSE_DTDLOAD;
+
+ /* We are loading a DTD */
+ ctxt->options |= XML_PARSE_DTDLOAD;
+
/*
* Set-up the SAX context
*/
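Review bot: The second "/* We are loading a DTD */" and "ctxt->options |= XML_PARSE_DTDLOAD;" pair in this xmlSAXParseDTD hunk repeats the first pair verbatim. OR-ing the same flag into ctxt->options twice has no further effect, so the duplicate should be dropped here. Since the report says upstream sets the flag once in each of two different functions, also check that the other function in the backport actually received its assignment: this hunk does not show it, and if the second copy landed here instead, that code path would be left without XML_PARSE_DTDLOAD.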
while the upstream patch applies that line twice, but once each for two
different functions as seen in
https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
Can you look into fixes for this?
Cheers,
Thijs