
Bug#931043: unblock: expat/2.2.6-2



Control: tags -1 d-i

Hi,

On Tue, Jun 25, 2019 at 06:59:09AM +0200, Salvatore Bonaccorso wrote:
> Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
> Laszlo cherry-picking the upstream fix. The issue is tracked as
> #931031 in the BTS:
> 
> > expat (2.2.6-2) unstable; urgency=high
> > 
> >   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
> >     (closes: #931031).
> > 
> >  -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000
> 
> unblock expat/2.2.6-2

I'm fine with this, but expat has a udeb, so this needs a d-i ack. Kibi Cc'd
(and diff quoted below for easy review).

Thanks,

Ivo


> diff -Nru expat-2.2.6/debian/changelog expat-2.2.6/debian/changelog
> --- expat-2.2.6/debian/changelog	2018-08-15 17:18:15.000000000 +0200
> +++ expat-2.2.6/debian/changelog	2019-06-24 23:18:31.000000000 +0200
> @@ -1,3 +1,10 @@
> +expat (2.2.6-2) unstable; urgency=high
> +
> +  * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
> +    (closes: #931031).
> +
> + -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000
> +
>  expat (2.2.6-1) unstable; urgency=medium
>  
>    * New upstream release.
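
Review bot: the new 2.2.6-2 entry names the CVE and closes #931031 but does not say where the fix comes from. Since the upload is a cherry-pick, consider naming the patch file (Fix_extraction_of_namespace_prefix_from_XML_name.patch) or the upstream commit given in its header (11f8838bf99ea0a6f0b76f9760c43704d00c4ff6) in the changelog line, so anyone reading the changelog alone can match the entry to the exact change.
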
> diff -Nru expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
> --- expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	1970-01-01 01:00:00.000000000 +0100
> +++ expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	2019-06-24 23:18:31.000000000 +0200
> @@ -0,0 +1,23 @@
> +From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
> +From: Sebastian Pipping <sebastian@pipping.org>
> +Date: Wed, 12 Jun 2019 15:42:22 +0200
> +Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
> + (#186)
> +
> +---
> + expat/lib/xmlparse.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
> +index 30d55c5c..737d7cd2 100644
> +--- a/expat/lib/xmlparse.c
> ++++ b/expat/lib/xmlparse.c
> +@@ -6080,7 +6080,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
> +       else
> +         poolDiscard(&dtd->pool);
> +       elementType->prefix = prefix;
> +-
> ++      break;
> +     }
> +   }
> +   return 1;
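
Review bot: the added "break;" after "elementType->prefix = prefix;" in setElementTypePrefix arrives with no explanation and no test. The patch header has a Subject but no body, and the diffstat lists only expat/lib/xmlparse.c (1 insertion, 1 deletion), so nothing in the package records why processing must stop once the prefix has been assigned or guards against the line being dropped later. Suggest adding a short description to the patch header (with Bug-Debian: #931031 and the CVE id from the changelog), and, if upstream has a test for this path, carrying it in the same patch. The change itself is minimal and confined to the branch that sets the prefix, which suits an unblock request.
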
> diff -Nru expat-2.2.6/debian/patches/series expat-2.2.6/debian/patches/series
> --- expat-2.2.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
> +++ expat-2.2.6/debian/patches/series	2019-06-24 23:18:31.000000000 +0200
> @@ -0,0 +1 @@
> +Fix_extraction_of_namespace_prefix_from_XML_name.patch

