[PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.

  • Done
  • quality assurance status badge
Details
2 participants
  • Alex Vong
  • Marius Bakke
Owner
unassigned
Submitted by
Alex Vong
Severity
important
A
A
Alex Vong wrote on 30 Aug 2017 15:31
(address . guix-patches@gnu.org)
87inh5uqpd.fsf@gmail.com
Severity: important
Tags: patch security

Hi,

This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
introduce test failure. The changes only enable new tests so it should
be fine to remove them.
Attachment: 0001-gnu-libxml2-Fix-CVE-2017-0663-7375-7376-9047-9048-90.patch
Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlmmvk8ACgkQxYq4eRf1
Ea48CxAAn1QJe2xZqi31Y99F2lsAygsYKg0n11V2oQh5mTGxuqn0MdTq00roScx0
x30liZKse1Rw6FjAFXxxk+S8I/mJiDHZbiijPin2Inn5GfsJOZsZ8ZjgzwQpcAqT
slJUdFP3wRAewkvi47DylaZArdko2DhioEUzD30voD09bni2UIMxdpLjwtjOVwO/
y3fhVxerboDSewf5YXYCLUxPd5qC0GbWnH9NQzHJ9x9TtrWE1lMjkFlBaV2rV8y4
NefD1qJFfxlr5eez59c/3dshtx5B+Y7fnVNPmXW3HDCEw2zcG/MNX+GxbLf/dtxO
RZ6xVomXJ4odaycy4hrUFwCEQ3UGza3G/IGlFjXGWeneYsdFP9N1PP2wTy6bmvgR
irT3sCsxmhtYg4d26UwiQZ1aHj8kYKTq6KZ6VQvFP7J4fv831OwGQHHEDaBS943O
BelikIylCLQZCorJ40dlc4jksksvAfjAokKTDeyxYf+R1LGp/z+dUEV4wA4clRQP
EGZYG1FHXZrAIQ0SBPI4Z33EMj0VfM7rlJ0aezYBL5ea6l6zudOgnUorMwGAmJSI
q6/GvIDLCtaEZT9z2kvrxp92HXua2CT8cvNdKZItFF5ITQcGtX+OEmusJVRnD9ud
ItbY1wfsVodOLBQj/jhiJFOegUmpgnKcyWJAwyhDL8l4eU5nx+0=
=+xeu
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 30 Aug 2017 20:57
87inh4lw7y.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (10 lines)
> Severity: important
> Tags: patch security
>
> Hi,
>
> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
> introduce test failure. The changes only enable new tests so it should
> be fine to remove them.

Thanks for this! I think we have to graft this fix since changing
'libxml2' would rebuild 2/3 of the tree. Can you try that?

PS: Do you have a Savannah account? I'm sure Ludo or someone can add
you given the steady rate of quality commits.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmnCqEACgkQoqBt8qM6
VPpgUAgAt8wF7MOg7CNzSWdo75yanqUCZizJmlk8hOCRZuXCWbOLoZw7eRQcmL8W
Lolnv1HfuW12ds1pBV2b0LT97CsFvA1fYpncogvIdRDBexQGYcYXNOqB/AhQoTjI
8hscQ0edaoAjNXOx3lnYbxH5JcxpQhhYbQlks0xHz1VzTTnqfduOI+FMNhve79dm
uqr0i85zdfNfDgGA9H4/bTgyd6ghN6K9UZHbrkyDJFOapGrp9y14rlbd29iPz6xA
wLZPucdvyBcEq9r+alc8F/xPdmyxTvk0qujWmGJcX/cKAcxaFQXhmnwcH9bXemCo
2gAyVjR0A9Xn9xedci2achKvMLlK2A==
=s9Cq
-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 31 Aug 2017 12:40
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28294@debbugs.gnu.org)
87y3q0ow9h.fsf@gmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (18 lines)
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hi,
>>
>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
>> introduce test failure. The changes only enable new tests so it should
>> be fine to remove them.
>
> Thanks for this! I think we have to graft this fix since changing
> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>
> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
> you given the steady rate of quality commits.

Sure, here is the new patch:
Attachment: 0001-gnu-libxml2-Fix-CVE-2017-0663-7375-7376-9047-9048-90.patch
Previously, I had a Savannah account, but then I deleted it, since I
didn't use it. Now I realize I cannot create a new account with the same
username... I am asking for help from the Savannah admin.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlmn56oACgkQxYq4eRf1
Ea7xgA/+MhiG/BuZpS8bph3ZTDLlAwknUBvffetoxuvdyEDO0dBS62RLcQ/8xzSH
HavuSjOAimbbZ7Z41F4gQflhVOtO+3E4n8tetgiZXK/fdacOA/tzgVFOiXk+bl8t
cCN31MYN8vjTBbXVjeIODTMSdaIHmPFbtmjKB5B2sgeeSO9pZgnIrxL9LziYOjHr
Nkqg3fQJFDHPeiSju4KO+gkxzIpQLcPLpVCmFd6GNy4ChR/Ai91hChC0CvqzmQBZ
CqFcT0paJfwbIX5032mNZHXt1wg1CQ8uFXljCXoOmgA0pCBq6qPw/CbdjdlUDRyy
YAcc/vVgasAnOEYV5nPMfR47ukK3IkCgwzXxKkim0Qt1wJnAk4YoZyesFUo0uSht
uo7VIYxrVgtclhicXRlMProalAGO3S3P+aDQ/rCMoOKzlEUX+xfmKEOF+vDSM6OU
NQlurq0RYOHZ1AH65L7fQCMXtgM6y2dujSYnVQVtaVGfzYuvX4pE5PnpvCaW2i6Y
xrwdvYRBuLTOHdkySYBKFW9dRPypEkr4TU6/biJGF3QxTI0bAqmTdzXaXnZmF04u
F1mBiEIqyZZay3Gefzz+l361TF/8oj3dAOnd72dA+0O20Gcrpd4OZrpkVU1UCoeB
liphHaSit1SAFN7dUiQG4DVgTcnkK3OzcU+DXzxbNu3zPoimrQk=
=ajFD
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 31 Aug 2017 21:52
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 28294-done@debbugs.gnu.org)
87k21jjyzy.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (22 lines)
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Alex Vong <alexvong1995@gmail.com> writes:
>>
>>> Severity: important
>>> Tags: patch security
>>>
>>> Hi,
>>>
>>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch are removed since they
>>> introduce test failure. The changes only enable new tests so it should
>>> be fine to remove them.
>>
>> Thanks for this! I think we have to graft this fix since changing
>> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>>
>> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
>> you given the steady rate of quality commits.
>
> Sure, here is the new patch:

Pushed, thanks! I added tabs before the line breaks in gnu/local.mk,
but otherwise untouched.

Side note: I think we should start adding patches as origins instead of
copying them wholesale, to try and keep the git repository slim.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmoaRIACgkQoqBt8qM6
VPpsYAf/Y02dcsAJHQm5cl+xuYVxoplU82N55Xgl+wr6LwcnhNsntBtCqsAnlhqd
W/8nDw87P+j4SlD2kXjGPDtu2taxYIskpqr82nNH9613dOnGO5Q3G2ZIWUXiRehH
ew0OiKkBLakEj09caeUIef5ckjjFt4wqxuvRIpktaaA04r45Cik1iehru8CLlLHr
1r+ffZE7todyYqcTA3+qdP8Hw5CT0pWjLc2Eds/hMsEUXdmpP3i9wk6+LwrfKHdF
NJAcpTYS/nB9EnD5x/grjzM0+ZNc/xl5MxMJThl1XmzQz0TUsCDdtceWzr85hXHH
9zPDL6Ur9z0Yntxd8WZpQOi68GP0FA==
=7x2G
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 28294@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 28294
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch