On Tue, 5 Jul 2022 11:58:12 +0200 Sebastiaan Couwenberg <sebas...@xs4all.nl> wrote:
> On 7/5/22 11:14, Neil Williams wrote:
> > CVE-2022-30045[0]:
> > | An issue was discovered in libezxml.a in ezXML 0.8.6. The function
> > | ezxml_decode() performs incorrect memory handling while parsing
> > | crafted XML files, leading to a heap out-of-bounds read.
>
> How is this different from #989363?

Only in that it's a different change within ezXML and a different CVE identifier. Typically each separate vulnerability gets a unique CVE id. If those CVEs are created as a batch, then a Debian bug can be filed for multiple similar CVEs in a package. When one CVE turns up much later, it needs its own Debian bug report.

> It's another ezxml bug that needs to be fixed by updating the
> embedded copy or switching to something else.
>
> I'm tempted to merge these two issues.

Merging the Debian bugs will be fine. Please ensure that both CVE identifiers are mentioned in the debian/changelog of the upload to unstable that fixes the merged bug.

--
Neil Williams
=============
https://linux.codehelp.co.uk/