Your message dated Sat, 07 Feb 2015 17:17:14 +0000 with message-id <[email protected]> and subject line Bug#768089: fixed in libxml2 2.8.0+dfsg1-7+wheezy3 has caused the Debian Bug report #768089, regarding libxml2: CVE-2014-3660 patch makes installation-guide FTBFS to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
768089: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768089
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: serious
Justification: makes other package FTBFS

Hello,

The cve-2014-3660.patch patch makes installation-guide FTBFS:

Entity: line 2: parser error : Detected an entity reference loop
<ulink url="&downloadable-file;images/orion5x/network-console/buffalo/kuroboxpro
^
/tmp/manual/en/install-methods/download/arm.xml:40: parser error : Detected an entity reference loop
^

while there is actually no reference loop there. It seems cve-2014-3660.patch is assuming that git commit cff2546 is applied: notably it copies this code as it is:

+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;

but in libxml2 2.8.0, it was still

ent->checked = ctxt->nbentities - oldnbent + 1;

and other parts of the code assume that too. The attached patch fixes this confusion.

Samuel

-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

--
Samuel
Hang on to the terminal, I'm taking the shell away...
-+- nojhan -+-
--- /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original 2015-01-01 14:48:26.337554556 +0100 +++ /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01 14:48:53.000874666 +0100 
@@ -6,11 +6,11 @@ parser.c | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) -diff --git a/parser.c b/parser.c -index 7ef712d..b435913 100644 ---- a/parser.c -+++ b/parser.c -@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, +Index: libxml2-2.8.0+dfsg1/parser.c +=================================================================== +--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000 ++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000 +@@ -127,6 +127,27 @@ return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); @@ -29,10 +29,8 @@ + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + -+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ ent->checked = ctxt->nbentities - oldnbent + 1; + if (rep != NULL) { -+ if (xmlStrchr(rep, '<')) -+ ent->checked |= 1; + xmlFree(rep); + rep = NULL; + }
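Review bot: in the first hunk the inner hunk header shrinks from "+127,29" to "+127,27", but the diffstat context line above it still reads "parser.c | 42" with "38 insertions(+)", so the patch's own summary no longer matches its body. The same hunk also swaps the git header ("diff --git a/parser.c b/parser.c", "index 7ef712d..b435913") for a quilt "Index:" header with timestamps and drops the "xmlParserEntityCheck(...)" function context from the hunk header. Suggest keeping that header refresh out of the regression fix so the interdiff shows only the functional change, and updating the diffstat for the two dropped lines.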
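Review bot: in the second hunk the assignment to ent->checked loses the "* 2", and the "if (xmlStrchr(rep, '<'))" / "ent->checked |= 1;" pair is deleted, with nothing in the patch recording why this copy now differs from the upstream fix. Add a comment above the assignment saying that 2.8.0 stores the plain entity count in ent->checked (per the report, because commit cff2546 is not applied), so a later backport does not reintroduce the doubled value. Since the report states that other parts of the code assume the plain count as well, also check that no other added line in cve-2014-3660.patch reads ent->checked in the doubled-with-flag form; only the assignment is visible here. A regression test built from the installation-guide input quoted in the report would guard against a repeat.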
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy3

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Tue, 03 Feb 2015 20:02:14 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
 libxml2 - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 768089
Changes:
 libxml2 (2.8.0+dfsg1-7+wheezy3) wheezy-security; urgency=high
 .
   * Do not fetch external parsed entities unless asked to do so.
     This supplements the patch for CVE-2014-0191
   * Fix regression introduced by the patch fixing CVE-2014-3660
     (Closes: #768089)
   * Set urgency=high accordingly
--- End Message ---

