Re: ANNOUNCE Xmlm 1.0.2

To: debian-ocaml-maint@lists.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: ANNOUNCE Xmlm 1.0.2
From: Romain Beauxis <toots@rastageeks.org>
Date: Mon, 16 Nov 2009 09:32:31 -0600
Message-id: <200911160932.32250.toots@rastageeks.org>
In-reply-to: <91a3da520911110601t50ff710ftc48403a44eee0f6d@mail.gmail.com>
References: <91a3da520911110601t50ff710ftc48403a44eee0f6d@mail.gmail.com>

	Hi all !

Le mercredi 11 novembre 2009 08:01:59, Daniel Bünzli a écrit :
> A new version of Xmlm is available.
> It's a security update. All users are recommended to upgrade.
> 
> http://erratique.ch/software/xmlm
> 
> A call to List.map crept into my implementation of namespaces. A
> maliciously crafted xml file with a very large amount of attributes on a
> single tag can crash your (native code) program by stack overflow. The fix
> doesn't affect performance -- a rev and a map makes a t.r. rev_map.

I have just uploaded the fixed version to unstable.

I am not yet sure about the seriouness of the issue, but if you think this is 
a serious issue, we should also ask for a rebuild of the packages depending on 
xmlm.

So far, I know only one, ocaml-xmlplaylist.



Romain

Reply to:

Follow-Ups:
- Re: ANNOUNCE Xmlm 1.0.2
  - From: Nico Golde <nion@debian.org>
- Re: ANNOUNCE Xmlm 1.0.2
  - From: Stéphane Glondu <steph@glondu.net>

References:
- ANNOUNCE Xmlm 1.0.2
  - From: Daniel Bünzli <daniel.buenzli@erratique.ch>

Prev by Date: Processing of xmlm_1.0.2-1_amd64.changes
Next by Date: Bug#556529: marked as done (fails to install, trying to overwrite other packages files)
Previous by thread: ANNOUNCE Xmlm 1.0.2
Next by thread: Re: ANNOUNCE Xmlm 1.0.2
Index(es):
- Date
- Thread