[xml/sgml-pkgs] Bug#770836: [Git][xml-sgml-team/libxml2][master] 8 commits: Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)

Thorsten Glaser t.glaser at tarent.de
Sun Jul 18 17:09:18 BST 2021


On Sun, 18 Jul 2021, Mattia Rizzolo (@mattia) wrote:

> ddf2b33b by Salvatore Bonaccorso at 2021-05-02T16:08:16+02:00
> Validate UTF8 in xmlEncodeEntities (CVE-2021-3517)

Hah, I feel *so* vindicated.

http://www.mirbsd.org/~tg/Debs/dists/buster/wtf/Pkgs/libxml2/libxml2_2.9.4+dfsg1-7+b3tarent1.debdiff

I already carried a (different) fix for this issue (and others)
which I prepared during 2013/2014 when working on a project for
a customer that used libxml2 through several abstraction levels,
and when proposing the patches upstream, they didn’t care (they
could not agree which way forward was right and decided to keep
the bad behaviour in the meantime), and in #770836 the packager
wasn’t interested, either.

Maybe it’s time, from a security PoV, to look at my diff again,
figure out which of it is now superseded, if any of the patches
that were applied still need fixing, and which of the bugs were
not yet addressed. I’m not on that project any more, so I can’t
currently justify doing the expenses.

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
