
Bug#931043: unblock: expat/2.2.6-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
Laszlo cherry-picking the upstream fix. The issue is tracked as
#931031 in the BTS:

> expat (2.2.6-2) unstable; urgency=high
> 
>   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
>     (closes: #931031).
> 
>  -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000

unblock expat/2.2.6-2

Regards,
Salvatore
diff -Nru expat-2.2.6/debian/changelog expat-2.2.6/debian/changelog
--- expat-2.2.6/debian/changelog	2018-08-15 17:18:15.000000000 +0200
+++ expat-2.2.6/debian/changelog	2019-06-24 23:18:31.000000000 +0200
@@ -1,3 +1,10 @@
+expat (2.2.6-2) unstable; urgency=high
+
+  * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
+    (closes: #931031).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000
+
 expat (2.2.6-1) unstable; urgency=medium
 
   * New upstream release.
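
Review bot: the new 2.2.6-2 entry gives the CVE and the bug number but does not say where the fix came from or which file carries it. Consider naming debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch and the upstream commit it was cherry-picked from (11f8838bf99ea0a6f0b76f9760c43704d00c4ff6, per the patch header), so the changelog alone lets a reader trace the change back to upstream.
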
diff -Nru expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
--- expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	1970-01-01 01:00:00.000000000 +0100
+++ expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1,23 @@
+From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 12 Jun 2019 15:42:22 +0200
+Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
+ (#186)
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5c..737d7cd2 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6080,7 +6080,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
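
Review bot: the patch header stops at From/Date/Subject, with no description body and no DEP-3 fields, and the embedded hunk shows only the added `break;` after `elementType->prefix = prefix;` without the enclosing loop. From this file alone a reader cannot tell what the `break` exits or why stopping there fixes the issue. Suggest adding a short Description that names CVE-2018-20843, an Origin field pointing at upstream commit 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6, and `Bug-Debian: https://bugs.debian.org/931031`.
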
diff -Nru expat-2.2.6/debian/patches/series expat-2.2.6/debian/patches/series
--- expat-2.2.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ expat-2.2.6/debian/patches/series	2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1 @@
+Fix_extraction_of_namespace_prefix_from_XML_name.patch
