[GitHub] [openoffice] DonLewisFreeBSD opened a new pull request #102: Libxml+serf 418


[GitHub] [openoffice] DonLewisFreeBSD opened a new pull request #102: Libxml+serf 418

GitBox

DonLewisFreeBSD opened a new pull request #102:
URL: https://github.com/apache/openoffice/pull/102


   Bug fixes from upstream for bundled libxml2 and serf modules
   
   * libxml2
     - Possible infinite loop in xmlStringLenDecodeEntities
     - Make sure that truncated UTF-8 sequences don't cause an out-of-bounds array access.
     - Fix memory leak in xmlSchemaValidateStream
   
   * serf
     - Fix handling of NUL characters in certificate fields


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[GitHub] [openoffice] DonLewisFreeBSD commented on pull request #102: Libxml+serf 418

GitBox

DonLewisFreeBSD commented on pull request #102:
URL: https://github.com/apache/openoffice/pull/102#issuecomment-703146676


   Testing the serf bug fix would require making an SSL connection through a MITM device that redirected SSL network connections intended to go to the server "example.com" to a rogue server that has a certificate for "example.com\0.badguy.com".  Without the fix, the connection would be allowed.  With the fix, the connection attempt should fail with a certificate error.
   
   I don't have reproducers for the libxml2 fixes, but they would need to be embedded in a document and two of the bugs would cause a potential DoS (memory leak or infinite loop).
   
   Since the patches came from upstream, I'm inclined to trust them as long as we don't see any regressions.  The libxml2 patches will be included in the next release.  The serf patch has been part of a released version of serf for many years.  Unfortunately upgrading to a fixed release of serf is non-trivial.


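The certificate-field problem described in the comment above, as an added example in C (not serf's own code): `field`/`field_len` stand in for a certificate's length-delimited name field, `kBadField` is a constructed sample, and the unsafe C-string comparison sits beside the length-aware one that rejects embedded NULs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not serf's code. X.509 name fields are length-delimited, so a
 * field may carry an embedded NUL; a C-string comparison sees only the bytes
 * before it. The unsafe and safe comparisons are shown side by side. */

/* Unsafe: treats the field as a NUL-terminated C string. */
bool naive_name_matches(const unsigned char *field, const char *expected_host)
{
    return strcmp((const char *)field, expected_host) == 0;
}

/* Safe: honours the field's declared length, rejects any embedded NUL, and
 * requires an exact ASCII case-insensitive match (no wildcard handling). */
bool name_matches(const unsigned char *field, size_t field_len,
                  const char *expected_host)
{
    if (memchr(field, '\0', field_len) != NULL)
        return false;                      /* embedded NUL: reject outright */
    if (field_len != strlen(expected_host))
        return false;                      /* lengths must agree exactly */
    for (size_t i = 0; i < field_len; i++) {
        unsigned char a = field[i], b = (unsigned char)expected_host[i];
        if (a >= 'A' && a <= 'Z') a = (unsigned char)(a + ('a' - 'A'));
        if (b >= 'A' && b <= 'Z') b = (unsigned char)(b + ('a' - 'A'));
        if (a != b)
            return false;
    }
    return true;
}

/* Constructed sample field modelled on the scenario in the comment above;
 * sizeof counts the string literal's terminator, hence the -1. */
static const unsigned char kBadField[] = "example.com\0.badguy.com";
static const size_t kBadFieldLen = sizeof(kBadField) - 1;   /* 23 bytes */

int main(void)
{
    printf("naive: %s\n", naive_name_matches(kBadField, "example.com")
                              ? "accepted" : "rejected");
    printf("safe:  %s\n", name_matches(kBadField, kBadFieldLen, "example.com")
                              ? "accepted" : "rejected");
    return 0;
}
```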


[GitHub] [openoffice] DonLewisFreeBSD merged pull request #102: Libxml+serf 418

GitBox

DonLewisFreeBSD merged pull request #102:
URL: https://github.com/apache/openoffice/pull/102


   

