Re: Re: libxml2 denial of service flaw (CVE-2008-3281)

[Nico Golde <oss-security+ml () ngolde de>]

Hi Robert,
* Robert Buchholz <rbu () gentoo org> [2008-08-23 18:06]:
> On Wednesday 20 August 2008, Daniel Veillard wrote:
> > On Wed, Aug 20, 2008 at 12:42:29PM -0400, Josh Bressers wrote:
> > > Yes, this can be considered public.  An announcement should be
> > > appearing on the xml list shortly:
> > >
> > > http://mail.gnome.org/archives/xml/
> >
> >   It's out:
> >
> >    http://mail.gnome.org/archives/xml/2008-August/msg00034.html
> >
> > thanks everybody !
>
> Our gnome maintainers pointed out that the patch (which was also pushed 
> upstream) breaks GDM in GNOME 2.22, as can be seen in Gentoo and 
> Mandriva:
>   https://bugs.gentoo.org/show_bug.cgi?id=235529
>   https://qa.mandriva.com/show_bug.cgi?id=43094
>
> upstream bug:
>   http://bugzilla.gnome.org/show_bug.cgi?id=549087
>
> Those who did not push updates yet might want to delay this, we have 
> been reverting the patch for now.
> I am CC'ing oss-security, please send follow-ups to that list.

Looks like rebuilding librsvg against libxml2 does solve the 
problem referring to our bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125#79

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: