Your message dated Sat, 07 Feb 2015 15:20:30 +0000
with message-id <e1yk7bo-0003e4...@franck.debian.org>
and subject line Bug#768089: fixed in libxml2 2.7.8.dfsg-2+squeeze11
has caused the Debian Bug report #768089,
regarding libxml2: CVE-2014-3660 patch makes installation-guide FTBFS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
768089: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: serious
Justification: makes other package FTBFS
Hello,
The cve-2014-3660.patch patch makes installation-guide FTBFS:
Entity: line 2: parser error : Detected an entity reference loop
<ulink url="&downloadable-file;images/orion5x/network-console/buffalo/kuroboxpro
^
/tmp/manual/en/install-methods/download/arm.xml:40: parser error : Detected an
entity reference loop
^
while there is actually no reference loop there.
It seems cve-2014-3660.patch is assuming that git commit cff2546 is
applied: notably it copies this code as it is:
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
but in libxml2 2.8.0, it was still
ent->checked = ctxt->nbentities - oldnbent + 1;
and other parts of the code assume that too. The attached patch fixes
this confusion.
Samuel
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'),
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
--
Samuel
Hang on to the terminal, I'm taking away the shell...
-+- nojhan -+-
--- /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original
2015-01-01 14:48:26.337554556 +0100
+++ /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01
14:48:53.000874666 +0100
@@ -6,11 +6,11 @@
parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
-diff --git a/parser.c b/parser.c
-index 7ef712d..b435913 100644
---- a/parser.c
-+++ b/parser.c
-@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+Index: libxml2-2.8.0+dfsg1/parser.c
+===================================================================
+--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000
++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000
+@@ -127,6 +127,27 @@
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
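Review bot: the diffstat kept as context at the top of this hunk (`parser.c | 42 ...`, `38 insertions(+), 4 deletions(-)`) no longer matches the refreshed patch. The inner hunk header goes from `+127,29` to `+127,27`, so two added lines are gone and the stat should be regenerated or dropped. Replacing the `diff --git` / `index 7ef712d..b435913` header with a quilt `Index:` header also loses the blob ids that tie the patch to its origin; recording the upstream commit in the patch description would keep that traceable.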
@@ -29,10 +29,8 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+
-+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ ent->checked = ctxt->nbentities - oldnbent + 1;
+ if (rep != NULL) {
-+ if (xmlStrchr(rep, '<'))
-+ ent->checked |= 1;
+ xmlFree(rep);
+ rep = NULL;
+ }
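Review bot: once the two `xmlStrchr(rep, '<')` lines are dropped, the retained `if (rep != NULL)` block only frees `rep`, so `xmlStringDecodeEntities()` is now called purely for its effect on `ctxt->nbentities`; a short comment saying so would stop someone later removing the call as dead code. It would also help to state in the patch description that the `* 2` scaling and the low-bit `|= 1` flag are deliberately not carried over because 2.8.0 stores a plain count in `ent->checked`, so that a later security backport does not reintroduce the mismatch.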
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze11
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 768...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Feb 2015 15:05:28 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc
python-libxml2 python-libxml2-dbg
Architecture: source i386 all
Version: 2.7.8.dfsg-2+squeeze11
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug
extension)
Closes: 768089
Changes:
libxml2 (2.7.8.dfsg-2+squeeze11) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Squeeze LTS Team.
* Do not fetch external parsed entities unless asked to do so. This
supplements the patch for CVE-2014-0191
* Fix regression introduced by the patch fixing CVE-2014-3660
(Closes: #768089)
--- End Message ---