Hi,

* Romain Beauxis <toots@rastageeks.org> [2009-11-16 16:28]:
> On Wednesday 11 November 2009 08:01:59, Daniel Bünzli wrote:
> > A new version of Xmlm is available.
> > It's a security update. All users are recommended to upgrade.
> >
> > http://erratique.ch/software/xmlm
> >
> > A call to List.map crept into my implementation of namespaces. A
> > maliciously crafted xml file with a very large amount of attributes on a
> > single tag can crash your (native code) program by stack overflow. The fix
> > doesn't affect performance -- a rev and a map makes a t.r. rev_map.
>
> I have just uploaded the fixed version to unstable.
>
> I am not yet sure about the seriousness of the issue, but if you think this is
> a serious issue, we should also ask for a rebuild of the packages depending on
> xmlm.

Thanks for CCing me!
Did someone already evaluate if this results only in a crash or can also result in code execution? If it's only a DoS I think it shouldn't be a big deal.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
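The failure mode Daniel describes, as an added example that is not xmlm's code: a map whose recursive call sits under a cons pushes one stack frame per list element, so an input with enough attributes on one tag exhausts the stack, while the accumulator-plus-rev form (what List.rev_map does) runs in constant stack. The attribute list, the `resolve_ns` stand-in and the element count are constructed for the demo; it assumes OCaml 4.x on a platform where the runtime turns a native stack overflow into the `Stack_overflow` exception.

```ocaml
(* Added example, not xmlm's code. Shows why a non-tail-recursive map over
   attacker-controlled input is a DoS risk and what the rev/rev_map fix
   changes. Assumes OCaml 4.x: OCaml 5 grows the stack on demand and made
   List.map tail-recursive in 5.1, so the naive version may not overflow. *)

(* Naive map: the recursive call is under the cons, so the depth of the
   stack equals the length of the input list. *)
let rec naive_map f = function
  | [] -> []
  | x :: xs -> f x :: naive_map f xs

(* Tail-recursive map: accumulate the result reversed, then reverse once.
   This is the same shape as List.rev_map followed by List.rev. *)
let tr_map f l =
  let rec go acc = function
    | [] -> acc
    | x :: xs -> go (f x :: acc) xs
  in
  List.rev (go [] l)

(* Hypothetical stand-in for per-attribute namespace resolution; the real
   xmlm code is not reproduced here. *)
let resolve_ns (name, value) = ("ns:" ^ name, value)

(* Run a mapper over n constructed attributes and report whether it
   finished. On platforms where the runtime cannot convert the overflow
   into an exception the process simply crashes, which is the behaviour
   the advisory describes for native code. *)
let try_map label mapper n =
  let attrs = List.init n (fun i -> ("a" ^ string_of_int i, "v")) in
  match mapper resolve_ns attrs with
  | l -> Printf.printf "%s: ok, %d attributes\n" label (List.length l)
  | exception Stack_overflow -> Printf.printf "%s: Stack_overflow\n" label

let () =
  (* 1_000_000 frames comfortably exceeds the usual 8 MB default stack. *)
  let n = 1_000_000 in
  try_map "naive_map" naive_map n;
  try_map "tr_map" tr_map n
```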