Debian Bug report logs - #883790
libxml2: CVE-2017-15412: use-after-free in xmlXPathCompOpEvalPositionalPredicate
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#883790; Package src:libxml2. (Thu, 07 Dec 2017 15:24:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 07 Dec 2017 15:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libxml2
Version: 2.9.4+dfsg1-5.1
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=783160
Hi,
the following vulnerability was published for libxml2.
CVE-2017-15412[0]:
use after free
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
[1] https://bugzilla.gnome.org/show_bug.cgi?id=783160
[2] https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Changed Bug title to 'libxml2: CVE-2017-15412: use-after-free in xmlXPathCompOpEvalPositionalPredicate' from 'libxm2: CVE-2017-15412: use-after-free in xmlXPathCompOpEvalPositionalPredicate'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 15:30:09 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 14 Dec 2017 19:51:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 14 Dec 2017 19:51:10 GMT)
Message #12 received at 883790-close@bugs.debian.org:
Source: libxml2
Source-Version: 2.9.4+dfsg1-5.2
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883790@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 14 Dec 2017 20:36:07 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg python3-libxml2 python3-libxml2-dbg
Architecture: source
Version: 2.9.4+dfsg1-5.2
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883790
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
python3-libxml2 - Python3 bindings for the GNOME XML library
python3-libxml2-dbg - Python3 bindings for the GNOME XML library (debug extension)
Changes:
libxml2 (2.9.4+dfsg1-5.2) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790)
Checksums-Sha1:
29760e94d88598248b4358576889a940141be4ca 3131 libxml2_2.9.4+dfsg1-5.2.dsc
bb6cec530f58839f2d55d74844a18804cf1d413c 35848 libxml2_2.9.4+dfsg1-5.2.debian.tar.xz
Checksums-Sha256:
f46aaec278a4e9bb0c6661daa6296709e5445f7cc787cf20d8a031468692f8f0 3131 libxml2_2.9.4+dfsg1-5.2.dsc
31fdc490e38e1b1487dba142688da2ee2924aaccd8980381926322dfde00325c 35848 libxml2_2.9.4+dfsg1-5.2.debian.tar.xz
Files:
84105c0acc59acbaf5d55ad98d70a525 3131 libs optional libxml2_2.9.4+dfsg1-5.2.dsc
aa0bcd43b5db7e26897baed23f9ce8d2 35848 libs optional libxml2_2.9.4+dfsg1-5.2.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Feb 2018 07:31:22 GMT)
Last modified: Wed Jun 19 13:36:19 2019