Your message dated Thu, 09 Apr 2015 21:32:16 +0000
with message-id <e1ygk3c-00037l...@franck.debian.org>
and subject line Bug#774358: fixed in libxml2 2.8.0+dfsg1-7+wheezy4
has caused the Debian Bug report #774358,
regarding libxml2: CVE-2014-3660 patch makes installation-guide FTBFS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
774358: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774358
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: serious
Justification: makes other package FTBFS
Hello,
The cve-2014-3660.patch patch makes installation-guide FTBFS:
Entity: line 2: parser error : Detected an entity reference loop
<ulink url="&downloadable-file;images/orion5x/network-console/buffalo/kuroboxpro
^
/tmp/manual/en/install-methods/download/arm.xml:40: parser error : Detected an
entity reference loop
^
while there is actually no reference loop there.
It seems cve-2014-3660.patch is assuming that git commit cff2546 is
applied: notably it copies this code as it is:
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
but in libxml2 2.8.0, it was still
ent->checked = ctxt->nbentities - oldnbent + 1;
and other parts of the code assume that too. The attached patch fixes
this confusion.
Samuel
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'),
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
--
Samuel
Hold on to the terminal, I'm removing the shell...
-+- nojhan -+-
--- /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original
2015-01-01 14:48:26.337554556 +0100
+++ /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01
14:48:53.000874666 +0100
@@ -6,11 +6,11 @@
parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
-diff --git a/parser.c b/parser.c
-index 7ef712d..b435913 100644
---- a/parser.c
-+++ b/parser.c
-@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+Index: libxml2-2.8.0+dfsg1/parser.c
+===================================================================
+--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000
++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000
+@@ -127,6 +127,27 @@
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
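Review bot: the diffstat lines `parser.c | 42 ++++...` and `1 file changed, 38 insertions(+), 4 deletions(-)` are left untouched in this hunk while the inner hunk header is changed from `+127,29` to `+127,27`, so the summary now overstates the patch by two insertions; quilt ignores the diffstat, but it should be regenerated or dropped so it agrees with the body. Replacing the upstream `diff --git` / `index 7ef712d..b435913` header with a timestamped `Index:` header also loses the only reference to the upstream commit the patch was taken from; naming that commit (and the fact that cff2546 is deliberately not assumed) in the patch description would keep the backport traceable.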
@@ -29,10 +29,8 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+
-+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ ent->checked = ctxt->nbentities - oldnbent + 1;
+ if (rep != NULL) {
-+ if (xmlStrchr(rep, '<'))
-+ ent->checked |= 1;
+ xmlFree(rep);
+ rep = NULL;
+ }
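Review bot: reverting to `ent->checked = ctxt->nbentities - oldnbent + 1;` and dropping the `xmlStrchr(rep, '<')` / `ent->checked |= 1` lines restores the 2.8.0 meaning of ent->checked (a plain entity count) that the rest of parser.c still consumes, which is the right scope for a stable backport only if no other hunk of cve-2014-3660.patch reads checked with the doubled convention; that should be verified rather than assumed, and the maintainer's later NMU instead backported cff2546 and a3f1e3e (see the changelog in the closing message) so that the whole file uses one convention. Removing two lines here also shifts any later hunk of the inner patch by two lines, so the patch should be refreshed rather than applied with fuzz.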
--- End Message ---
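As an added example that is not part of the report or of libxml2's own code, the Python model below shows the accounting mismatch the report describes: each entity caches its expansion cost in `checked`, and when that value is stored under the post-cff2546 convention (doubled, low bit flagging '<') but read under the 2.8.0 convention (plain count), a nested but acyclic entity chain like the installation guide's trips the loop check. The entity table, the budget and the charging rules are constructed assumptions, not libxml2's real thresholds.

```python
import re

# Added example, not libxml2 code: a constructed model of Bug#774358. Each
# entity caches its expansion cost in `checked` under one of two conventions:
#   PLAIN   - libxml2 2.8.0: checked = count, read back as-is
#   DOUBLED - upstream cff2546: checked = count*2 | ('<' flag), read as checked // 2
# The broken wheezy patch stored DOUBLED while the rest of 2.8.0 still read PLAIN.
PLAIN, DOUBLED = "plain", "doubled"
REF = re.compile(r"&([A-Za-z][\w-]*);")
LOOP_BUDGET = 8  # constructed stand-in for libxml2's entity amplification limit
ENTITIES = {     # constructed table: nested like &downloadable-file;, but acyclic
    "url-base": "http://example.invalid/",
    "downloadable-file": "&url-base;debian/",
    "kurobox": "&downloadable-file;images/orion5x/kuroboxpro",
    "doc": '<ulink url="&kurobox;"/> <ulink url="&kurobox;"/>',
}

class EntityLoop(Exception):
    pass  # where libxml2 would report XML_ERR_ENTITY_LOOP

def expand(name, store, read, cache, ctx):
    """Expand entity `name`; cache maps name -> (checked, text) and
    ctx['nbentities'] is the running counter the loop check inspects."""
    if name in cache:                      # seen before: charge the cached cost
        checked, text = cache[name]
        cost = checked // 2 if read == DOUBLED else checked
    else:                                  # first expansion: charge 1, recurse
        cost, text = 1, None
    ctx["nbentities"] += cost
    if ctx["nbentities"] > LOOP_BUDGET:
        raise EntityLoop(f"Detected an entity reference loop at &{name};")
    if text is None:
        oldnbent = ctx["nbentities"]
        text = REF.sub(lambda m: expand(m.group(1), store, read, cache, ctx),
                       ENTITIES[name])
        count = ctx["nbentities"] - oldnbent + 1   # mirrors the 2.8.0 formula
        if store == DOUBLED:
            count = count * 2 | (1 if "<" in text else 0)
        cache[name] = (count, text)
    return text

def parse(root, store, read):
    """Return ('ok', nbentities, text) or ('error', nbentities, message)."""
    ctx = {"nbentities": 0}
    try:
        text = expand(root, store, read, {}, ctx)
        return "ok", ctx["nbentities"], text
    except EntityLoop as e:
        return "error", ctx["nbentities"], str(e)
```

`parse("doc", PLAIN, PLAIN)` and `parse("doc", DOUBLED, DOUBLED)` both succeed with the same count, while the mixed `parse("doc", DOUBLED, PLAIN)` reports a spurious entity reference loop on the second `&kurobox;` reference.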
--- Begin Message ---
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy4
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 774...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 04 Apr 2015 11:01:18 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg
libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy4
Distribution: wheezy-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
libxml2-utils-dbg - XML utilities (debug extension)
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug
extension)
Closes: 774358
Changes:
libxml2 (2.8.0+dfsg1-7+wheezy4) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add missing required patches for CVE-2014-3660.
The two upstream commits a3f1e3e5712257fd279917a9158278534e8f4b72 and
cff2546f13503ac028e4c1f63c7b6d85f2f2d777 are required in addition to the
commit be2a7edaf289c5da74a4f9ed3a0b6c733e775230 to fix CVE-2014-3660 due
to changes in the use of ent->checked.
Fixes "libxml2: CVE-2014-3660 patch makes installation-guide FTBFS".
(Closes: #774358)
* Refresh cve-2014-3660.patch patch
* Refresh cve-2014-3660-bis.patch patch
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---