Re: CVE Request: additional fix for CVE-2012-2825 libxslt crash

[Vincent Danen <vdanen () redhat com>]

* [2013-11-05 23:29:08 +0100] Marcus Meissner wrote:

> On Tue, Nov 05, 2013 at 11:17:21PM +0100, Florian Weimer wrote:
> > * Vincent Danen:
> >
> > > The reason this doesn't crash for me on Red Hat Enterprise Linux 5 which
> > > ships 1.1.17 is because we included this patch (well, the developer did)
> > > a day after the initial build with the comment:
> > >
> > > - CVE-2012-2825 requires an extra patch on 1.1.17
> > >
> > > So, I think this does require a second CVE.
> >
> > Has anyone shipped an incomplete update?  If yes, then I think we
> > actually need a second CVE.  In the past, we got them for similar
> > cases, and at least Debian's tracking more or less assumes that it's
> > possible to assign CVEs to deal with such corner cases.
>
> SUSE did, otherwise we would not have noticed :/

Heh.

The other point is that CVE-2012-2825 affected before and after 1.1.25,
whereas this one really only affects < 1.1.25 so it's either a different
flaw or that commit (fixed in 1.1.25) is actually an incomplete fix, and
CVE-2012-2825 is the "fix of the fix" CVE.

--
Vincent Danen / Red Hat Security Response Team