Hi, On Sat, Sep 20, 2008 at 09:06:21AM +0200, Mike Hommey wrote: > On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote: > > The above changes are for CVE-2008-3529. > > Certainly not. It's not in upstream patch.
This is where I was getting details: https://bugzilla.redhat.com/show_bug.cgi?id=461015 > > BTW, would it be possible to > > add a patch system to libxml2? It's much easier to split up the patches > > over time, and is nice for anyone doing post-release updates. :) > > There is a (D)VCS. True, though I prefer in-package patch systems for doing stable updates. > > > @@ -6476,8 +6475,6 @@ > > > } else if (list != NULL) { > > > xmlFreeNodeList(list); > > > list = NULL; > > > - } else if (ent->owner != 1) { > > > - ctxt->nbentities += ent->owner; > > > } > > > } > > > ent->checked = 1; > > > @@ -6668,6 +6665,8 @@ > > > ctxt->nodelen = 0; > > > return; > > > } > > > + } else if (ent->owner != 1) { > > > + ctxt->nbentities += ent->owner; > > > } > > > } else { > > > val = ent->content; > > > > Was this just interdiff output? There were some changes to this area of > > code that needed some by-hand backporting, so the versions used to > > compare might not end up looking clean. Or, I could have messed up the > > backport, but I put them through a bunch of xml regression tests and > > things seemed to be behaving. > > There was only 1 conflict when applying upstream patch for RHEL5, and > only because of tabulations/spaces, on my end... I'm not sure which version of the patch you're quoting, but I had 5 versions to do backports for: libxml2 | 2.6.32.dfsg-2ubuntu3 | intrepid/main libxml2 | 2.6.31.dfsg-2ubuntu1.2 | hardy-security/main libxml2 | 2.6.30.dfsg-2ubuntu1.3 | gutsy-security/main libxml2 | 2.6.27.dfsg-1ubuntu3.3 | feisty-security/main libxml2 | 2.6.24.dfsg-1ubuntu1.3 | dapper-security/main They all tested out fine for me. -Kees -- Kees Cook Ubuntu Security Team -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
