Hi,

On Wed, Feb 23, 2022 at 07:44:34PM +0100, Jonas Smedegaard wrote:
> Control: reassign -1 src:expat
> Control: found -1 2.2.6-2+deb10u3
> Control: affects -1 biboumi
>
> Quoting Slavko (2022-02-23 18:57:49)
> > Package: biboumi
> > Severity: serious
> > Version: 8.3-1+b1
> >
> > After the security upgrade of the libexpat library, biboumi refused to
> > start with the error:
> >
> > Xml_Parsebuffer encountered an error: out of memory
> >
> > I tried to build testing's version (in a pbuilder chroot) for
> > oldstable; it builds fine, but the test "Test basic XML parsing" fails with:
> >
> > SIGSEGV - Segmentation violation signal
> >
> > It builds successfully on current testing (again pbuilder), thus it seems
> > that some change in libexpat 2.2.6-2+deb10u3 is incompatible, as it was
> > working with the previous version (2.2.6-2+deb10u2).
> >
> > I am not able to decide if it is a libexpat or a biboumi problem.
>
> Thanks for the bug report, Slavko.
>
> Updates to stable Debian are supposed to not change API or ABI, so the
> problem is more likely to lie in expat than biboumi.
>
> Reassigning accordingly.
Actually this should not be reassigned. As per
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2022-February/036223.html
biboumi does use a colon as the namespace separator; the details are outlined
by upstream in the referenced
https://github.com/libexpat/libexpat/issues/572#issuecomment-1050119036 .

I do agree it's more than unfortunate that we discovered those breakages only
after the DSA release; once autopkgtests are integrated for embargoed uploads
as well, things might improve.

Reverting to the previous behaviour of expat is not an option: for
CVE-2022-25236, exploits with code execution are known to exist, and the API
docs of XML_ParserCreateNS state as well that as separator one should pick a
character that can't be part of a URI.

So in short, this looks like it needs to be fixed in biboumi itself, and might
need updates for the affected source packages in stable and oldstable as well
via the upcoming point releases (and where needed sped up via the updates
mechanism).

Hope this clarifies the current state for the affected source packages.

Regards,
Salvatore
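The separator contract Salvatore refers to, shown as an added example that is not code from biboumi, expat or the Debian bug report. It uses Python's pyexpat binding, which wraps the same XML_ParserCreateNS / XML_SetReturnNSTriplet API, instead of the C API biboumi calls. Assumptions of the example: U+0001 is chosen as the "safe" separator because RFC 3986 never allows it in a URI (biboumi's actual fix may differ), the XMPP-style stanza is constructed, and the behaviour of the ':' case depends on the expat version: an expat carrying the strict CVE-2022-25236 check (such as the 2.2.6-2+deb10u3 backport in the thread) rejects the namespace declaration, while a version that tolerates URI characters as separators hands the application an expanded name it cannot split back reliably.

```python
# Added example: why the namespace separator passed to XML_ParserCreateNS must
# be a character that can never occur in a URI.
import xml.parsers.expat as expat

# Assumption: U+0001 is not an RFC 3986 URI character, so it can never appear
# inside an xmlns value and the split in split_expanded() is unambiguous.
SAFE_SEP = "\x01"
# The choice the thread says biboumi made: ':' is a legal URI character.
COLON_SEP = ":"

# Constructed sample: an XMPP-style stanza whose namespace URI contains ':'.
SAMPLE = b'<c:message xmlns:c="jabber:client" to="a@b"><body>hi</body></c:message>'


def split_expanded(name, sep):
    """Split expat's 'uri<sep>local<sep>prefix' form back into (uri, local, prefix).

    With a separator that cannot occur in a URI the split is unambiguous:
      1 piece  -> unqualified name
      2 pieces -> uri + local name (default namespace, no prefix)
      3 pieces -> uri + local name + prefix (namespace_prefixes=True)
    Anything else means the separator occurred inside the URI itself.
    """
    parts = name.split(sep)
    if len(parts) == 1:
        return ("", parts[0], "")
    if len(parts) == 2:
        return (parts[0], parts[1], "")
    if len(parts) == 3:
        return (parts[0], parts[1], parts[2])
    raise ValueError("ambiguous expanded name %r with separator %r" % (name, sep))


def parse_elements(data, sep):
    """Parse `data` with namespace processing using `sep` as separator and
    return (uri, local, prefix) for every start tag, in document order."""
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.namespace_prefixes = True  # same as XML_SetReturnNSTriplet(parser, 1)
    seen = []

    def on_start(name, attrs):
        # Exceptions raised here propagate out of parser.Parse() unchanged.
        seen.append(split_expanded(name, sep))

    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return seen


def colon_separator_outcome(data):
    """Report what happens when ':' is used as the separator.

    Returns 'rejected-by-expat' when expat's CVE-2022-25236 check refuses the
    xmlns declaration (the symptom seen in the thread), or
    'ambiguous-for-application' when expat accepts it and the application is
    left with a name it cannot split, or 'ok' when neither occurs.
    """
    try:
        parse_elements(data, COLON_SEP)
    except expat.ExpatError:
        return "rejected-by-expat"
    except ValueError:
        return "ambiguous-for-application"
    return "ok"


if __name__ == "__main__":
    print(parse_elements(SAMPLE, SAFE_SEP))
    print(colon_separator_outcome(SAMPLE))
```

With SAFE_SEP the stanza yields ("jabber:client", "message", "c") followed by ("", "body", ""), regardless of the expat version. With ':' the same input either fails at parse time or reaches the handler as "jabber:client:message:c", where no split rule can recover the intended (uri, local, prefix) triplet; that ambiguity is what the expat documentation's advice to pick a non-URI separator avoids.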