On Wed, Oct 08, 2014 at 10:53:04AM +0800, Paul Wise wrote:
> That sounds like a potential denial of service vulnerability.
>
> How likely is it that Xalan would be used with untrusted stylesheets
> supplied by attackers?

In my opinion, people *shouldn't* be running untrusted stylesheets any
more than they should run untrusted shell scripts or other code. If we
conveniently ignore that sometimes people do things that are unwise,
then I would say the likelihood is low.

> If you don't think it would be possible to fix it you can ask the
> release team for a jessie-ignore tag, reportbug release.debian.org,
> choose "3 other", explain your reasoning.

I don't think upstream has the intention of fixing it anytime soon, and
I don't have the time right now to dig into the complexities of the
Xalan codebase myself. I'll consider talking to the release team about
an exception - I don't think I realized that was an option.

> You could also reimplement the libxslt solution for this in Xalan.

That's an interesting thought. That would likely resolve the issue as
filed in the bug report against the xalan executables. However, the same
problem would still technically exist in the underlying library code
(libxalan-c). Though, having never done any programming against libxslt,
that might be a longer path for me than just fixing xalan.

Thanks for your insight.

Bill

> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise