libxml2 security update regression
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libxml2 (Ubuntu) | Invalid | Undecided | Marc Deslauriers |
Lucid | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Undecided | Marc Deslauriers |
Quantal | Fix Released | Undecided | Marc Deslauriers |
Raring | Fix Released | Undecided | Marc Deslauriers |
Bug Description
USN-1904-1 seems to have introduced a regression.
See https:/
Steps to reproduce:
>>> from io import BytesIO
>>> from lxml import etree
>>> xml='''<root>
... <child name='one' />
... <child name='two' />
... </root>
... '''
>>> document = etree.iterparse
>>> for action, elem in document:
... print("%s: %s" % (action, elem.tag))
...
end: root
>>> file('/
>>> document = etree.iterparse
>>> for action, elem in document:
... print("%s: %s" % (action, elem.tag))
...
end: root
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "iterparse.pxi", line 478, in lxml.etree.
File "iterparse.pxi", line 530, in lxml.etree.
File "parser.pxi", line 601, in lxml.etree.
lxml.etree.
Can reproduce on Precise and Quantal
CVE References
Changed in libxml2 (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Raring):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Raring):
status: New → Fix Released
Changed in libxml2 (Ubuntu):
status: New → Invalid
This bug was fixed in the package libxml2 - 2.7.6.dfsg-1ubuntu1.10
---------------
libxml2 (2.7.6.dfsg-1ubuntu1.10) lucid-security; urgency=low
  * SECURITY REGRESSION: regression with lxml (LP: #1201849)
    - parser.c: revised to fix regression, and a couple of wrong return
      values.
    - CVE-2013-2877
 -- Marc Deslauriers <email address hidden> Tue, 16 Jul 2013 14:08:20 -0400