Re: [PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718)
From: Leo Famulari
Subject: Re: [PATCH 0/1] Help wanted grafting Expat (CVE-2016-0718)
Date: Wed, 18 May 2016 13:37:31 -0400
User-agent: Mutt/1.6.0 (2016-04-01)
On Wed, May 18, 2016 at 12:36:50PM -0400, Leo Famulari wrote:
> I've attached my attempt at fixing CVE-2016-0718 in Expat [0]. The
> grafted expat updates to 2.1.1 and applies the patch from [1].
>
> The problem is that, when trying to build something that depends on expat,
> I seem to have to rebuild *many* things.
Of course this would happen, since I had removed the CVE-2015-1283 patch
from expat package definition. D'oh.
I've attached an updated patch that seems to work as expected.
This patch uses the CVE-2016-0718 patch from Debian [0], which has the
same diffs but does not require use of (patch-flags).
It also includes an update to the patch for CVE-2015-1283 [1], which
apparently relied on undefined behavior.
Finally, it does not upgrade to 2.1.1. This patch series does apply to
2.1.0.
Your feedback is requested!
[0] Found here while their VCS appears to be offline...
https://packages.debian.org/source/stable/expat
[1] Some mention of it here. Copied from the tarball in [0]
https://www.debian.org/security/2016/dsa-3582
0001-gnu-expat-Fix-CVE-2016-0718.-Improve-fix-for-CVE-201.patch
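What a graft of this shape looks like in a Guix package definition, as an added illustration that is not the patch attached to this message or Guix's actual expat.scm: the original package keeps its existing patch list so its derivation (and every dependent) is untouched, and only the replacement package inherits it and adds the extra fix. The patch file names, the tarball hash placeholder, and the module layout are assumptions for illustration; the `replacement` field, `inherit`, `search-patches` and `--no-grafts` are real Guix features.

```scheme
;; Added example, not the patch from this thread: grafting Expat 2.1.0.
;; Patch file names and the hash placeholder are assumptions.
(define-module (gnu packages xml)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module ((guix licenses) #:prefix license:)   ; avoid clash with the `expat' package name
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages))                        ; provides search-patches

;; The package everything else is built against.  Nothing here may change,
;; or its derivation changes and all dependents rebuild, which is exactly
;; what happened when the CVE-2015-1283 patch was removed from this field.
(define-public expat
  (package
    (name "expat")
    (version "2.1.0")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.gz"))
              (sha256
               (base32 "<sha256 of expat-2.1.0.tar.gz, placeholder>"))
              ;; Keep the patch the package already carried.
              (patches (search-patches "expat-CVE-2015-1283.patch"))))
    (build-system gnu-build-system)
    ;; Graft: same version, same ABI, but built with the extra fixes.
    ;; The field is thunked, so the forward reference below is fine.
    (replacement expat/fixed)
    (home-page "http://www.libexpat.org/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is a stream-oriented XML parser library.")
    (license license:expat)))

;; The replacement inherits everything and only changes the patch list:
;; the refreshed CVE-2015-1283 fix plus the Debian CVE-2016-0718 patch,
;; which applies with the default -p1 and so needs no (patch-flags ...).
(define expat/fixed
  (package
    (inherit expat)
    (source (origin
              (inherit (package-source expat))
              (patches (search-patches "expat-CVE-2015-1283-refix.patch"
                                       "expat-CVE-2016-0718.patch"))))))
```

To check that the graft, and not a full rebuild, is what dependents pick up, compare `guix build expat --no-grafts` before and after the change: the ungrafted derivation must be identical, while `guix build expat` (grafts enabled) yields the replacement's output with the new patches applied.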