apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: CVE-2016-0718
Date Fri, 27 May 2016 14:23:07 GMT
Here's a manual fix of the merge conflicts, needs -p4 since I did it
in a httpd sandbox.

http://people.apache.org/~covener/patches/apu-expat-CVE-2016-0718.diff

I confirmed a simple webdav test worked.  To double-check the merge, I
did see that the patch did not change every call to xmlConvert and we
have the same number of calls and changes as they do.


On Fri, May 27, 2016 at 10:12 AM, Eric Covener <covener@gmail.com> wrote:
> On Fri, May 27, 2016 at 9:48 AM, David Dillard <davidedillard@gmail.com> wrote:
>> Did anyone see
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718?  "Expat
>> allows context-dependent attackers to cause a denial of service (crash) or
>> possibly execute arbitrary code via a malformed input document, which
>> triggers a buffer overflow."
>>
>> A patch used for Debian can be found at
>> http://www.openwall.com/lists/oss-security/2016/05/17/12
>
> Thanks David.
>
> As reported by Seulbae Kim from the Center for Software Security and
> Assurance (CSSA), we either need to spend a lot of time on a bundled
> expat or rip it out from releases. I think one more release with an
> updated expat might be prudent, given the severity of the issue shared
> above.
>
> --
> Eric Covener
> covener@gmail.com



-- 
Eric Covener
covener@gmail.com

Mime
View raw message