[PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.

2 participants
  • Alex Vong
  • Marius Bakke
Owner
unassigned
Submitted by
Alex Vong
Severity
important
Alex Vong wrote on 30 Aug 2017 15:31
(address . guix-patches@gnu.org)
87inh5uqpd.fsf@gmail.com
Severity: important
Tags: patch security

Hi,

This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
introduce test failures. The changes only enable new tests so it should
be fine to remove them.
Cheers,
Alex

Marius Bakke wrote on 30 Aug 2017 20:57
87inh4lw7y.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:

> Severity: important
> Tags: patch security
>
> Hi,
>
> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
> introduce test failures. The changes only enable new tests so it should
> be fine to remove them.

Thanks for this! I think we have to graft this fix since changing
'libxml2' would rebuild 2/3 of the tree. Can you try that?

PS: Do you have a Savannah account? I'm sure Ludo or someone can add
you given the steady rate of quality commits.

Alex Vong wrote on 31 Aug 2017 12:40
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28294@debbugs.gnu.org)
87y3q0ow9h.fsf@gmail.com
Marius Bakke <mbakke@fastmail.com> writes:

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hi,
>>
>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
>> introduce test failures. The changes only enable new tests so it should
>> be fine to remove them.
>
> Thanks for this! I think we have to graft this fix since changing
> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>
> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
> you given the steady rate of quality commits.

Sure, here is the new patch:
Previously, I had a Savannah account, but then I deleted it, since I
didn't use it. Now I realize I cannot create a new account with the same
username... I am asking for help from the Savannah admin.

Marius Bakke wrote on 31 Aug 2017 21:52
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 28294-done@debbugs.gnu.org)
87k21jjyzy.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Alex Vong <alexvong1995@gmail.com> writes:
>>
>>> Severity: important
>>> Tags: patch security
>>>
>>> Hi,
>>>
>>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
>>> introduce test failures. The changes only enable new tests so it should
>>> be fine to remove them.
>>
>> Thanks for this! I think we have to graft this fix since changing
>> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>>
>> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
>> you given the steady rate of quality commits.
>
> Sure, here is the new patch:

Pushed, thanks! I added tabs before the line breaks in gnu/local.mk,
but otherwise untouched.

Side note: I think we should start adding patches as origins instead of
copying them wholesale, to try and keep the git repository slim.
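The two mechanisms discussed in this thread, grafting a security fix so that dependents are not rebuilt, and pulling a patch in as an origin rather than copying it into the repository, look like this in Guix package syntax. This is an added illustration, not the patch that was pushed; the patch URL and hash are placeholders, and it assumes the existing `libxml2` variable exported by `(gnu packages xml)`.

```scheme
;; Added example, not the commit from this thread.
(use-modules (guix packages)
             (guix download)
             (gnu packages xml))   ; provides the existing 'libxml2' package

;; Marius's side note: reference the fix as an origin instead of copying
;; the patch file wholesale into gnu/packages/patches/.  The URI and hash
;; below are placeholders; a real entry pins the upstream patch by content.
(define libxml2-cve-2017-9049+9050-patch
  (origin
    (method url-fetch)
    (uri "https://PLACEHOLDER.example/libxml2-CVE-2017-9049+CVE-2017-9050.patch")
    (sha256 (base32 "0000000000000000000000000000000000000000000000000000"))))

;; The fixed build: identical recipe, with the CVE patch appended to the
;; source.  Name and version are unchanged, which a graft requires because
;; the replacement store path must be the same length as the original.
(define libxml2/fixed
  (package
    (inherit libxml2)
    (source (origin
              (inherit (package-source libxml2))
              (patches (append (origin-patches (package-source libxml2))
                               (list libxml2-cve-2017-9049+9050-patch)))))))

;; The graft itself: the 'replacement' field tells Guix to build libxml2
;; as before, then rewrite references in its dependents to point at
;; libxml2/fixed.  Nothing that depends on libxml2 is rebuilt, which is
;; what avoids rebuilding "2/3 of the tree" for a security update.
(define libxml2/grafted
  (package
    (inherit libxml2)
    (replacement libxml2/fixed)))
```

In the actual tree the `replacement` field is added to the `libxml2` definition itself rather than to a new variable; the separate name here is only so the example does not shadow the exported package.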

Closed