Bug#1006333: biboumi: fail to start after libexpat1 update
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 24 19:55:19 GMT 2022
Hi,
On Wed, Feb 23, 2022 at 07:44:34PM +0100, Jonas Smedegaard wrote:
> Control: reassign -1 src:expat
> Control: found -1 2.2.6-2+deb10u3
> Control: affects -1 biboumi
>
> Quoting Slavko (2022-02-23 18:57:49)
> > Package: biboumi
> > Severity: serious
> > Version: 8.3-1+b1
> >
> > After security upgrade of libexpat library, the biboumi refused to
> > start with error:
> >
> > Xml_Parsebuffer encountered an error: out of memory
> >
> > I tried to build testing's version (in pbuilder chroot) for
> > oldstable, it builds fain, but test "Test basic XML parsing" fails with:
> >
> > SIGSEGV - Segmentation violation signal
> >
> > It builds success on current testing (again pbuilder), thus it seems,
> > that some change in libexpat 2.2.6-2+deb10u3 is incompatible, as it was
> > working with previous version (2.2.6-2+deb10u2).
> >
> > I am not able to decide, if it is libexpat or biboumi problem.
>
> Thanks for the bugreport, Slavko.
>
> Updates to stable Debian are supposed to not change API or API, so the
> problem is more likely to lie in expat than biboumi.
>
> Reassigning accordingly.
Actually this should not be reassigned. As per
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2022-February/036223.html
biboumi does use a colon for a namepsace separator, details are
outline by upstream in the referenced
https://github.com/libexpat/libexpat/issues/572#issuecomment-1050119036
.
I do agree it's more than unfortunate that we discovered about those
breakages only after the DSA release, once autopkgtests are integrated
as well for embargoed uploads things might improve.
Reverting to previous behaviour of expat is not an option, for
CVE-2022-25236, exploits with code execution are known to exists and
the API docs of XML_ParserCreateNS state as well that as separator one
should pick a character that can't be part of an URI.
So in short this looks that it needs to be fixed in biboumi itself,
and might need as well updates for the affected source packages in
stable and oldstable via the upcoming point releases (and where needed
speeded up via the updates mechanism).
Hope this clarifies the current state for the affected source
packages.
Regards,
Salvatore
More information about the Pkg-voip-maintainers
mailing list