Overview
Request 508174 accepted
- Version update to 2.2.1 Sat June 17 2017
- Security fixes:
CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
- [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
(Fixed version of existing downstream patches!)
- (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names;
#25 More integer overflow detection (function poolGrow);
- [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse;
- [MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
- [MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak,
- [MOX-003] Prevent use of uninitialised variable; commit
- [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
- [MOX-006] * NULL checks; commits
* Negative length (XML_Parse); commit
- [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
- [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
- Created by msmeissn
- In state accepted
-
Package maintainers:
david.anes and
pgajdos
Request History
msmeissn created request
- Version update to 2.2.1 Sat June 17 2017
- Security fixes:
CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
- [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
(Fixed version of existing downstream patches!)
- (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names;
#25 More integer overflow detection (function poolGrow);
- [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse;
- [MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
- [MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak,
- [MOX-003] Prevent use of uninitialised variable; commit
- [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
- [MOX-006] * NULL checks; commits
* Negative length (XML_Parse); commit
- [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
- [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
scarabeus_iv accepted request
Thanks
