Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 22 Jun 2015 12:40:56 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: pkgsrc

* Isaac Dunham <ibid.ag@...il.com> [2015-06-21 16:29:26 -0700]:
> On Sun, Jun 21, 2015 at 04:24:13PM +0200, Szabolcs Nagy wrote:
> > * Justin Cormack <justin@...cialbusservice.com> [2015-06-21 13:02:48 +0100]:
> > > I thought I would try a run of pkgsrc on Alpine as no one has done one
> 
> <snip>
> 
> > > Packages breaking the most other packages
> > > 
> > > Package                               Breaks Maintainer
> > > -------------------------------------------------------------------------
> > > textproc/libxml2                        5523 pkgsrc-users@...BSD.org
> > 
> > someone should come up with a strategy how to
> > avoid libxml2 dependencies in unix userspace:
> > it is a dangerously broken library.
> 
> Any pointers at details?
> Is expat better?
> 

you have to update it often to keep it safe:
http://www.cvedetails.com/product/3311/Xmlsoft-Libxml2.html?vendor_id=1962

it is not easy to set up libxml2 in a safe way
(eg facebook failed to do it
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.html
the facebook url with the details is no longer available so i'm not sure
if this was the issue: but XML_PARSE_NOENT turns entity expansion *on*)

and there are library safety issues
(eg. non-thread-safe initialization, incorrect use of weak references
that breaks static linking, uses time() as seed to avoid hash collision
DoS instead of better entropy,..)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.