[xml/sgml-pkgs] Bug#774358: libxml2: CVE-2014-3660 patch makes installation-guide FTBFS

Salvatore Bonaccorso carnil at debian.org
Sat Apr 4 09:14:24 UTC 2015


Hi Cyril, hi Samuel,

On Fri, Apr 03, 2015 at 11:34:06PM +0200, Cyril Brulebois wrote:
> Hi people,
> 
> (adding debian-boot@ for reference.)
> 
> Samuel Thibault <sthibault at debian.org> (2015-03-26):
> > Samuel Thibault, on Thu 26 Mar 2015 02:17:01 +0100, wrote:
> > > Control: found -1 2.8.0+dfsg1-7+wheezy3
> > > 
> > > This is still an issue in stable, the proposed patch was not applied
> > > there, and thus installation-guide still FTBFS on wheezy, notably on our
> > > dillon.debian.org machine, thus making http://d-i.debian.org/manual/
> > > completely out of date. Could this be proposed for stable update?
> > > 
> > > I have attached the proposed patch again.
> > 
> > Just to insist: while the symptoms of my report (#774358) may look like
> > #768089, the *actual* bug is *not* the same. Please read my bug report
> > and the proposed patch again: the issue is that the security fix for
> > CVE-2014-3660 from a newer version of libxml2 (2.9.x) was backported
> > into the libxml2 of wheezy (2.8.x) without noticing the subtle source
> > code difference which does matter a lot.
> 
> As one of the guys receiving a notification of the FTBFS every time
> the crontab entry is triggered, and who would like to make sure the
> installation guide is actually buildable *and* up-to-date, I really
> would like to get a fix for this regression ASAP. It's been more than
> 3 months since this bug report about ***stable being broken*** has
> been opened.
> 
> Thanks already.

I prepared an update adding the two additional commits which seem
required as basis for the patch for CVE-2014-3660. I have uploaded it
here:

https://people.debian.org/~carnil/tmp/libxml2/

Would appreciate some additional testing to them before we release a
regression update for libxml2. The installation guide would build now
but a second pair of eyes over the changes would really be
appreciated.

Regards,
Salvatore