Your message dated Fri, 30 Jan 2015 06:34:14 +0000
with message-id <e1yh59i-00070j...@franck.debian.org>
and subject line Bug#768089: fixed in libxml2 2.9.2+dfsg1-2
has caused the Debian Bug report #768089,
regarding libxml2: CVE-2014-3660 patch makes installation-guide FTBFS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
768089: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: serious
Justification: makes other package FTBFS
Hello,
The cve-2014-3660.patch patch makes installation-guide FTBFS:
Entity: line 2: parser error : Detected an entity reference loop
<ulink url="&downloadable-file;images/orion5x/network-console/buffalo/kuroboxpro
^
/tmp/manual/en/install-methods/download/arm.xml:40: parser error : Detected an
entity reference loop
^
while there is actually no reference loop there.
It seems cve-2014-3660.patch is assuming that git commit cff2546 is
applied: notably it copies this code as it is:
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
but in libxml2 2.8.0, it was still
ent->checked = ctxt->nbentities - oldnbent + 1;
and other parts of the code assume that too. The attached patch fixes
this confusion.
Samuel
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'),
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
--
Samuel
Hang on to the terminal, I'm taking away the shell...
-+- nojhan -+-
--- /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original
2015-01-01 14:48:26.337554556 +0100
+++ /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01
14:48:53.000874666 +0100
@@ -6,11 +6,11 @@
parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
-diff --git a/parser.c b/parser.c
-index 7ef712d..b435913 100644
---- a/parser.c
-+++ b/parser.c
-@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+Index: libxml2-2.8.0+dfsg1/parser.c
+===================================================================
+--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000
++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000
+@@ -127,6 +127,27 @@
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
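Review bot: the diffstat kept as context at the top of this hunk (`parser.c | 42 ++++...`, `38 insertions(+), 4 deletions(-)`) no longer matches the patch body, because the rewritten inner hunk header shrinks from `+127,29` to `+127,27`. Update the counts for the two dropped lines or remove the diffstat. The new `Index:` header also loses the `xmlParserEntityCheck(...)` function context that the git-style hunk header carried, so a one-line description in the patch header stating that this is the CVE-2014-3660 fix adapted to the 2.8.0 meaning of `ent->checked` would help whoever refreshes the series next.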
@@ -29,10 +29,8 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+
-+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ ent->checked = ctxt->nbentities - oldnbent + 1;
+ if (rep != NULL) {
-+ if (xmlStrchr(rep, '<'))
-+ ent->checked |= 1;
+ xmlFree(rep);
+ rep = NULL;
+ }
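Review bot: with the `xmlStrchr(rep, '<')` test removed in this hunk, `rep` is decoded by `xmlStringDecodeEntities()` and then freed without ever being read, so the call now appears to be kept only so that `ctxt->nbentities - oldnbent` reflects the entities expanded. Add a comment saying so in the patched code, so the call is not later dropped as dead code. The patch header should also note that the `* 2` scaling and the `|= 1` flag are omitted because 2.8.0 stores the plain count in `ent->checked`.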
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.2+dfsg1-2
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 768...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <a...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 30 Jan 2015 13:52:23 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg
libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.2+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Aron Xu <a...@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
libxml2-utils-dbg - XML utilities (debug extension)
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug
extension)
Closes: 768089 776254
Changes:
libxml2 (2.9.2+dfsg1-2) unstable; urgency=medium
.
[ Michael Gilbert ]
* Enable icu support (Closes: #776254)
.
[ Aron Xu ]
* 0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch:
Fix upstream bug triggered by CVE fix (Closes: #768089)
--- End Message ---