Bug#762864: libxml2 patch for CVE-2014-0191 wrongly applied

Thijs Kinkhorst Thu, 25 Sep 2014 12:21:41 -0700

Package: libxml2
Version: 2.7.8.dfsg-2+squeeze9 2.8.0+dfsg1-7+wheezy1
Severity: important
Tags: security


Hi,

The patch applied to libxml2 for wheezy and squeeze-lts for CVE-2014-0191
seems to be applied wrong. A line is duplicated in xmlSAXParseDTD:

@@ -12324,6 +12341,12 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const
xmlChar *ExternalID,
        return(NULL);
     }

+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
     /*
      * Set-up the SAX context
      */

while the upstream patch applies that line twice, but once each for two
different functions as seen in
https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825

Can you look into fixes for this?

Cheers,
Thijs


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#762864: libxml2 patch for CVE-2014-0191 wrongly applied

Reply via email to