[OE-core] [PATCH] expat: Security Advisory-expat-CVE-2015-1283

Burton, Ross ross.burton at intel.com
Thu Dec 24 09:15:08 UTC 2015


On 24 December 2015 at 02:59, Zhixiong Chi <Zhixiong.Chi at windriver.com>
wrote:

> +++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
> @@ -0,0 +1,58 @@
> +Multiple integer overflows in the XML_GetBuffer function in Expat
> +through 2.1.0, allow remote attackers to cause a denial of service
> +(heap-based buffer overflow) or possibly have unspecified other
> +impact via crafted XML data.
> +
> +CVSSv2:  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
> +
> +Upstream-Status: Backport
> +
> +Index: expat-2.1.0/lib/xmlparse.c
>
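Review bot: The "Upstream-Status: Backport" line in the new patch header does not say which upstream commit or release the fix was backported from, so the change to lib/xmlparse.c cannot be checked against its source from the header alone; append the upstream reference to that line. The header lines shown also carry no Signed-off-by, and the CVE identifier appears only in the file name, so a "CVE: CVE-2015-1283" line next to Upstream-Status would record it in the header itself.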

No signed-off-by in the patch.  Also can we experiment with a CVE tag in
the patch alongside the upstream-status and s-o-b?  "CVE: CVE-2015-1283".

Thanks,
Ross