On Mon, Sep 26, 2016 at 11:21:07AM +0300, Efraim Flashner wrote: > On Sun, Sep 25, 2016 at 07:18:11PM -0400, Leo Famulari wrote: > > On Mon, Sep 12, 2016 at 05:35:15PM -0400, Leo Famulari wrote: > > > This patch applies an upstream patch for a regression caused by the fix > > > for CVE-2016-0718. > > > > > > Apparently, the bug only manifests when building with -DXML_UNICODE, > > > which I don't think our package does. > > > > Sebastian Pipping (the Expat maintainer) contacted me to recommend that > > we apply the patch on the master branch. > > > > He says that the faulty code path can be reached even when XML_UNICODE > > is not defined. Apparently, building with -DXML_UNICODE merely makes it > > easier to reach the faulty code. > > > > I think we should take Sebastian's advice. What does everyone think? > > > Seems to me that as the Expat maintainer he would know best.
I pushed the commit as b9bc6e842066b066ebdf9eaf75d41753598d75b5
signature.asc
Description: PGP signature
