apr-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: CVE-2016-0718
Date Fri, 27 May 2016 14:24:57 GMT
On Fri, May 27, 2016 at 10:12 AM, Eric Covener <covener@gmail.com> wrote:

> On Fri, May 27, 2016 at 9:48 AM, David Dillard <davidedillard@gmail.com>
> wrote:
> > Did anyone see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718?  "Expat
> > allows context-dependent attackers to cause a denial of service (crash)
> > or possibly execute arbitrary code via a malformed input document, which
> > triggers a buffer overflow."
> >
> > A patch used for Debian can be found at
> > http://www.openwall.com/lists/oss-security/2016/05/17/12
>
> Thanks David.
>
> As reported by Seulbae Kim from the Center for Software Security and
> Assurance (CSSA), we either need to spend a lot of time on a bundled
> expat or rip it out from releases. I think one more release with an
> updated expat might be prudent, given the severity of the issue shared
> above.
>

+1 in concept; not sure what the ABI rules would say, if code needs to be
changed so that it works with separately-packaged upstream, etc.


>
> --
> Eric Covener
> covener@gmail.com
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
