DTD hot fix remove use after free pointer vulnerability. These pointer are not used so can be deleted #46
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SPDX-FileCopyrightText: Portions Copyright 2021 Siemens Modified on 15-Jul-2021 by Siemens and/or its affiliates to fix CVE-2018-1311: Apache Xerces-C use-after-free vulnerability scanning external DTD. Copyright 2021 Siemens.
|
@johnjamesmccann Thanks for opening this PR. The changes appear as an addition of two new files at the toplevel, rather than as a change to the original files. Please could you update this to add the changes in the correct directory so that the original files are updated? Thanks. |
|
I would be happy to do that, if you show me how to, as I have no idea 😊
From: Roger Leigh ***@***.***>
Sent: 20 January 2022 21:56
To: apache/xerces-c ***@***.***>
Cc: McCann, John (DI SW PE OT IO PP) ***@***.***>; Mention ***@***.***>
Subject: Re: [apache/xerces-c] DTD hot fix (PR #46)
@johnjamesmccann<https://github.com/johnjamesmccann> Thanks for opening this PR. The changes appear as an addition of two new files at the toplevel, rather than as a change to the original files. Please could you update this to add the changes in the correct directory so that the original files are updated? Thanks.
—
Reply to this email directly, view it on GitHub<#46 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXMN5WBLNMDWZRSWSKERT5DUXCAIXANCNFSM5MM52CTA>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
…-----------------
Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
|
|
Ok I think I have managed to change the files now by editing them on the PR file list. Please let me know if you need anything else Roger John |
|
@johnjamesmccann Thanks John, it now looks fine. Would it be possible to edit the PR description and add a short comment to explain why removing the use of the Janitor prevents the double-free, so that it's documented for the record. Thanks again, |
|
There is also a unit test failure, which needs investigation. If there isn't a logic error in the PR, the corresponding unit tests might need updating to match. |
|
@rouault Did this problem surface with any of your recent work identifying memory bugs? Do you have any thoughts on the change being proposed and the test failure? |
|
Hello Roger,
Is everything ok with my proposed changes?
Kind regards
John
From: Roger Leigh ***@***.***>
Sent: 23 January 2022 08:27
To: apache/xerces-c ***@***.***>
Cc: McCann, John (DI SW PE OT IO PP) ***@***.***>; Mention ***@***.***>
Subject: Re: [apache/xerces-c] DTD hot fix (PR #46)
@rouault<https://github.com/rouault> Did this problem surface with any of your recent work identifying memory bugs? Do you have any thoughts on the change being proposed and the test failure?
—
Reply to this email directly, view it on GitHub<#46 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXMN5WERO3L5YKCK7RLQDSDUXO3UHANCNFSM5MM52CTA>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
…-----------------
Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Pinehurst 2, Pinehurst Road, Farnborough, Hampshire, GU14 7BF.
|
johnjamesmccann
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SPDX-FileCopyrightText: Portions Copyright 2021 Siemens
Modified on 15-Jul-2021 by Siemens and/or its affiliates to fix CVE-2018-1311: Apache Xerces-C use-after-free vulnerability scanning external DTD. Copyright 2021 Siemens.