
Bug#931043: marked as done (unblock: expat/2.2.6-2)



Your message dated Fri, 28 Jun 2019 17:06:05 +0200
with message-id <638e1def-79e2-4859-e089-eed7459eafff@debian.org>
and subject line Re: unblock: expat/2.2.6-2
has caused the Debian Bug report #931043,
regarding unblock: expat/2.2.6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931043
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
Laszlo cherry-picking the upstream fix. The issue is tracked as
#931031 in the BTS:

> expat (2.2.6-2) unstable; urgency=high
> 
>   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
>     (closes: #931031).
> 
>  -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000

unblock expat/2.2.6-2

Regards,
Salvatore
diff -Nru expat-2.2.6/debian/changelog expat-2.2.6/debian/changelog
--- expat-2.2.6/debian/changelog	2018-08-15 17:18:15.000000000 +0200
+++ expat-2.2.6/debian/changelog	2019-06-24 23:18:31.000000000 +0200
@@ -1,3 +1,10 @@
+expat (2.2.6-2) unstable; urgency=high
+
+  * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
+    (closes: #931031).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000
+
 expat (2.2.6-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch
--- expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	1970-01-01 01:00:00.000000000 +0100
+++ expat-2.2.6/debian/patches/Fix_extraction_of_namespace_prefix_from_XML_name.patch	2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1,23 @@
+From 11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 12 Jun 2019 15:42:22 +0200
+Subject: [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
+ (#186)
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 30d55c5c..737d7cd2 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -6080,7 +6080,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
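Review bot: the added `break;` in setElementTypePrefix() comes with no regression test and no rationale. The diffstat lists only expat/lib/xmlparse.c, and the commit message has nothing beyond the subject line and "(#186)". Suggest adding DEP-3 style header fields to the Debian patch file (for example a Bug-Debian reference to #931031 and a mention of CVE-2018-20843) plus one sentence on why scanning must stop once elementType->prefix is assigned. The enclosing loop or switch is outside the three context lines, so the hunk alone does not show what the break leaves; that is worth confirming against the full function.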
diff -Nru expat-2.2.6/debian/patches/series expat-2.2.6/debian/patches/series
--- expat-2.2.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ expat-2.2.6/debian/patches/series	2019-06-24 23:18:31.000000000 +0200
@@ -0,0 +1 @@
+Fix_extraction_of_namespace_prefix_from_XML_name.patch

--- End Message ---
--- Begin Message ---
Hi,

On 6/28/19 5:04 PM, Cyril Brulebois wrote:
> Hi,
>
> Ivo De Decker <ivodd@debian.org> (2019-06-25):
>> On Tue, Jun 25, 2019 at 06:59:09AM +0200, Salvatore Bonaccorso wrote:
>>> Please unblock package expat, it fixes CVE-2018-20843 and got fixed by
>>> Laszlo cherry-picking the upstream fix. The issue is tracked as
>>> #931031 in the BTS:
>>>
>>> expat (2.2.6-2) unstable; urgency=high
>>>
>>>    * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
>>>      (closes: #931031).
>>>
>>>   -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jun 2019 21:18:31 +0000
>>>
>>> unblock expat/2.2.6-2
>>
>> I'm fine with this, but expat has a udeb, so this needs a d-i ack. Kibi Cc's
>> (and diff quoted below for easy review).
>
> No obvious regressions in the graphical installer, so no objections.

OK. Unblock-udeb added.

Ivo

--- End Message ---
