[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Sun, 24 Aug 2008 17:16:55 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com, vendor-sec@....de
Subject: Re: Re: libxml2 denial of service flaw (CVE-2008-3281)
Hi again,
* Nico Golde <oss-security+ml@...lde.de> [2008-08-24 17:07]:
> * Robert Buchholz <rbu@...too.org> [2008-08-23 18:06]:
> > On Wednesday 20 August 2008, Daniel Veillard wrote:
> > > On Wed, Aug 20, 2008 at 12:42:29PM -0400, Josh Bressers wrote:
[...]
> > Our gnome maintainers pointed out that the patch (which was also pushed
> > upstream) breaks GDM in GNOME 2.22, as can be seen in Gentoo and
> > Mandriva:
> > https://bugs.gentoo.org/show_bug.cgi?id=235529
> > https://qa.mandriva.com/show_bug.cgi?id=43094
> >
> > upstream bug:
> > http://bugzilla.gnome.org/show_bug.cgi?id=549087
> >
> > Those who did not push updates yet might want to delay this, we have
> > been reverting the patch for now.
> > I am CC'ing oss-security, please send follow-ups to that list.
>
> Looks like rebuilding librsvg against libxml2 does solve the
> problem referring to our bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125#79
YFYI there is a new patch which is not extending the
xmlEntity struct but abusing an already existing field.
See https://bugzilla.redhat.com/show_bug.cgi?id=459830
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux