[xml/sgml-pkgs] Bug#774358: libxml2: CVE-2014-3660 patch makes installation-guide FTBFS

Samuel Thibault sthibault at debian.org
Thu Mar 26 01:17:01 UTC 2015


Control: reopen -1
Control: found -1 2.8.0+dfsg1-7+wheezy3

Hello,

This is still an issue in stable, the proposed patch was not applied
there, and thus installation-guide still FTBFS on wheezy, notably on our
dillon.debian.org machine, thus making http://d-i.debian.org/manual/
completely out of date. Could this be proposed for stable update?

I have attached the proposed patch again.

Samuel
-------------- next part --------------
--- libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original	2015-01-01 14:48:26.337554556 +0100
+++ libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch	2015-01-01 14:48:53.000874666 +0100
@@ -6,11 +6,11 @@
  parser.c |   42 ++++++++++++++++++++++++++++++++++++++----
  1 file changed, 38 insertions(+), 4 deletions(-)
 
-diff --git a/parser.c b/parser.c
-index 7ef712d..b435913 100644
---- a/parser.c
-+++ b/parser.c
-@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+Index: libxml2-2.8.0+dfsg1/parser.c
+===================================================================
+--- libxml2-2.8.0+dfsg1.orig/parser.c	2015-01-01 13:20:23.913738969 +0000
++++ libxml2-2.8.0+dfsg1/parser.c	2015-01-01 13:47:31.930940787 +0000
+@@ -127,6 +127,27 @@
          return (0);
      if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
          return (1);
@@ -29,10 +29,8 @@
 +	rep = xmlStringDecodeEntities(ctxt, ent->content,
 +				  XML_SUBSTITUTE_REF, 0, 0, 0);
 +
-+	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++	ent->checked = ctxt->nbentities - oldnbent + 1;
 +	if (rep != NULL) {
-+	    if (xmlStrchr(rep, '<'))
-+		ent->checked |= 1;
 +	    xmlFree(rep);
 +	    rep = NULL;
 +	}


More information about the debian-xml-sgml-pkgs mailing list