[prev in list] [next in list] [prev in thread] [next in thread]
List: apr-dev
Subject: Re: CVE-2016-0718
From: Jeff Trawick <trawick () gmail ! com>
Date: 2016-05-27 14:24:57
Message-ID: CAKUrXK4s6wuPAqCDzR-YnnFNs9kJO2b8X-M9xL7F784dzPjtJQ () mail ! gmail ! com
[Download RAW message or body]
On Fri, May 27, 2016 at 10:12 AM, Eric Covener <covener@gmail.com> wrote:
> On Fri, May 27, 2016 at 9:48 AM, David Dillard <davidedillard@gmail.com>
> wrote:
> > Did anyone see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat
> > allows context-dependent attackers to cause a denial of service (crash)
> or
> > possibly execute arbitrary code via a malformed input document, which
> > triggers a buffer overflow."
> >
> > A patch used for Debian can be found at
> > http://www.openwall.com/lists/oss-security/2016/05/17/12
>
> Thanks David.
>
> As reported by Seulbae Kim from the Center for Software Security and
> Assurance (CSSA), we either need to spend a lot of time on a bundled
> expat or rip it out from releases. I think one more release with an
> updated expat might be prudent, given the severity of the issue shared
> above.
>
+1 in concept; not sure what the ABI rules would say, if code needs to be
changed so that it works with separately-packaged upstream, etc.
>
> --
> Eric Covener
> covener@gmail.com
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
[Attachment #3 (text/html)]
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, May 27, 2016 \
at 10:12 AM, Eric Covener <span dir="ltr"><<a href="mailto:covener@gmail.com" \
target="_blank">covener@gmail.com</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Fri, May 27, 2016 at \
9:48 AM, David Dillard <<a \
href="mailto:davidedillard@gmail.com">davidedillard@gmail.com</a>> wrote:<br> > \
Did anyone see<br> > <a \
href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718" \
rel="noreferrer" target="_blank">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718</a>? \
"Expat<br> > allows context-dependent attackers to cause a denial of service \
(crash) or<br> > possibly execute arbitrary code via a malformed input document, \
which<br> > triggers a buffer overflow."<br>
><br>
> A patch used for Debian can be found at<br>
> <a href="http://www.openwall.com/lists/oss-security/2016/05/17/12" \
rel="noreferrer" target="_blank">http://www.openwall.com/lists/oss-security/2016/05/17/12</a><br>
<br>
</div></div>Thanks David.<br>
<br>
As reported by Seulbae Kim from the Center for Software Security and<br>
Assurance (CSSA), we either need to spend a lot of time on a bundled<br>
expat or rip it out from releases. I think one more release with an<br>
updated expat might be prudent, given the severity of the issue shared<br>
above.<br></blockquote><div><br></div><div>+1 in concept; not sure what the ABI rules \
would say, if code needs to be changed so that it works with separately-packaged \
upstream, etc.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 \
.8ex;border-left:1px #ccc solid;padding-left:1ex"> <span class="HOEnZb"><font \
color="#888888"><br>
--<br>
Eric Covener<br>
<a href="mailto:covener@gmail.com">covener@gmail.com</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div \
class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Born in \
Roswell... married an alien...<br><a href="http://emptyhammock.com/" \
target="_blank">http://emptyhammock.com/</a><div><br></div></div></div> </div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic