[xml/sgml-pkgs] Bug#993638: Bug#993638: libxml2: XHTML 1.0 validation is broken

Vincent Lefevre vincent at vinc17.net
Mon Sep 20 11:37:05 BST 2021


On 2021-09-20 12:11:17 +0200, Mattia Rizzolo wrote:
> On Mon, Sep 20, 2021 at 11:41:38AM +0200, Vincent Lefevre wrote:
> > Please also make sure that the NEWS file is up-to-date; see my other
> > message. This is also useful for the user when getting regressions
> > in general (possibly from bug fixes like here).
> 
> I'm not sure I'd like to add such an item to the Debian's NEWS.

Note that for this one, I was talking about the upstream NEWS. But
this may be an upstream bug. The NEWS file hasn't been regenerated
in the git repository. I don't know about the tarball. But the
announce message *does* contain the release notes. So I'm wondering.

Well, there is already an upstream bug for this one:

  https://gitlab.gnome.org/GNOME/libxml2/-/issues/171

This was for 2.9.10, but is still a valid issue; I've added a comment.

> It would stop updates for too many users that most likely are not
> affected. For now, you are really the only one that brought up this
> issue.

Concerning Debian's NEWS, it is difficult to know, as I fear that
this hasn't been tested by most users. I could detect the issue,
because I use a machine more recent than Debian/stable and because
I have a cron job that does a check every day.

> > I'm wondering whether this check for invalid redeclarations of
> > predefined entities should also go to Debian/stable since it fixes
> > an integer overflow at the same time:
> > 
> >   https://gitlab.gnome.org/GNOME/libxml2/-/issues/217
> > 
> > Any security issue related to that?
> 
> AFAIK not yet at least.

This is the opposite: things like integer overflows (in particular
when they occur on untrusted data like here) should be regarded as
security issues by default, but it can be found later that they
have no security implications.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)