libxml2: CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish

Related Vulnerabilities: CVE-2017-8872  

Debian Bug report logs - #862450

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 May 2017 19:45:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions libxml2/2.9.4+dfsg1-2.2, libxml2/2.9.1+dfsg1-5

Fixed in version libxml2/2.9.4+dfsg1-6.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=775200


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#862450; Package src:libxml2. (Fri, 12 May 2017 19:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Fri, 12 May 2017 19:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml2: CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish
Date: Fri, 12 May 2017 21:42:07 +0200
Source: libxml2
Version: 2.9.4+dfsg1-2.2
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=775200

Hi,

the following vulnerability was published for libxml2.

CVE-2017-8872[0]:
| The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4
| allows attackers to cause a denial of service (buffer over-read) or
| information disclosure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8872
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872
[1] https://bugzilla.gnome.org/show_bug.cgi?id=775200

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libxml2/2.9.1+dfsg1-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 May 2017 20:21:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#862450; Package src:libxml2. (Tue, 02 Jan 2018 08:30:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Tue, 02 Jan 2018 08:30:03 GMT)


Message #12 received at 862450@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862450@bugs.debian.org
Cc: mattia@mapreri.org
Subject: libxml2: diff for NMU version 2.9.4+dfsg1-6.1
Date: Tue, 2 Jan 2018 09:27:47 +0100
Control: tags 862450 + patch
Control: tags 862450 + pending

Dear maintainer, hi Mattia

I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-6.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libxml2-2.9.4+dfsg1-6.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862450-submit@bugs.debian.org. (Tue, 02 Jan 2018 08:30:03 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862450-submit@bugs.debian.org. (Tue, 02 Jan 2018 08:30:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#862450; Package src:libxml2. (Tue, 02 Jan 2018 09:48:03 GMT)


Message #19 received at 862450@bugs.debian.org:

From: Mattia Rizzolo <mattia@mapreri.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 862450@bugs.debian.org
Subject: Re: libxml2: diff for NMU version 2.9.4+dfsg1-6.1
Date: Tue, 2 Jan 2018 10:45:33 +0100
On Tue, Jan 02, 2018 at 09:27:47AM +0100, Salvatore Bonaccorso wrote:
> I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-6.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.

Usually I consider it a bad idea to incorporate patches like this that
haven't been applied upstream.  I hope SUSE did the right thing…

I subscribed to the upstream bug so as to replace the patch if needed.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#862450; Package src:libxml2. (Tue, 02 Jan 2018 10:00:03 GMT)


Message #22 received at 862450@bugs.debian.org:

From: Mattia Rizzolo <mattia@mapreri.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 862450@bugs.debian.org
Subject: Re: Bug#862450: libxml2: diff for NMU version 2.9.4+dfsg1-6.1
Date: Tue, 2 Jan 2018 10:57:04 +0100
On Tue, Jan 02, 2018 at 10:45:33AM +0100, Mattia Rizzolo wrote:
> On Tue, Jan 02, 2018 at 09:27:47AM +0100, Salvatore Bonaccorso wrote:
> > I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-6.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should delay it longer.
> 
> Usually I consider it a bad idea to incorporate patches like this that
> haven't been applied upstream.  I hope SUSE did the right thing…

Besides, it doesn't apply to 2.9.7, and there is another line of code
that may or may not need a similar treatment (check out the experimental
branch on git).  Could you please see about it?  Otherwise we risk
ending up with a higher version either dropping the patch or
mis-applying it...

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 02 Jan 2018 10:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 Jan 2018 10:09:03 GMT)


Message #27 received at 862450-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862450-close@bugs.debian.org
Subject: Bug#862450: fixed in libxml2 2.9.4+dfsg1-6.1
Date: Tue, 02 Jan 2018 10:06:10 +0000
Source: libxml2
Source-Version: 2.9.4+dfsg1-6.1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 02 Jan 2018 08:59:03 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg python3-libxml2 python3-libxml2-dbg
Architecture: source
Version: 2.9.4+dfsg1-6.1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 862450
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
 python3-libxml2 - Python3 bindings for the GNOME XML library
 python3-libxml2-dbg - Python3 bindings for the GNOME XML library (debug extension)
Changes:
 libxml2 (2.9.4+dfsg1-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
     (Closes: #862450)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#862450; Package src:libxml2. (Tue, 02 Jan 2018 12:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Tue, 02 Jan 2018 12:39:03 GMT)


Message #32 received at 862450@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mattia Rizzolo <mattia@mapreri.org>
Cc: 862450@bugs.debian.org
Subject: Re: Bug#862450: libxml2: diff for NMU version 2.9.4+dfsg1-6.1
Date: Tue, 2 Jan 2018 13:35:53 +0100
Hi Mattia,

On Tue, Jan 02, 2018 at 10:57:04AM +0100, Mattia Rizzolo wrote:
> On Tue, Jan 02, 2018 at 10:45:33AM +0100, Mattia Rizzolo wrote:
> > On Tue, Jan 02, 2018 at 09:27:47AM +0100, Salvatore Bonaccorso wrote:
> > > I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-6.1) and
> > > uploaded it to DELAYED/2. Please feel free to tell me if I
> > > should delay it longer.
> > 
> > Usually I consider it a bad idea to incorporate patches like this that
> > haven't been applied upstream.  I hope SUSE did the right thing…
> 
> Besides, it doesn't apply to 2.9.7, and there is another line of code
> that may or may not need a similar treatment (check out the experimental
> branch on git).  Could you please see about it?  Otherwise we risk
> ending up with a higher version either dropping the patch or
> mis-applying it...

Yes, I agree with you that's not good. I had a look at the issue and
pinged the upstream bug again with a proposed/rebased patch on which
hopefully Marcus and upstream people can comment.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Feb 2018 07:28:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:12 2019; Machine Name: beach
