DTD hot fix: remove use-after-free pointer vulnerability. These pointers are not used so can be deleted #46
base: master
Conversation
SPDX-FileCopyrightText: Portions Copyright 2021 Siemens
Modified on 15-Jul-2021 by Siemens and/or its affiliates to fix CVE-2018-1311: Apache Xerces-C use-after-free vulnerability scanning external DTD. Copyright 2021 Siemens.
@johnjamesmccann Thanks for opening this PR. The changes appear as an addition of two new files at the toplevel, rather than as a change to the original files. Please could you update this to add the changes in the correct directory so that the original files are updated? Thanks.
I would be happy to do that, if you show me how to, as I have no idea 😊
From: Roger Leigh, 20 January 2022, Subject: Re: [apache/xerces-c] DTD hot fix (PR #46) (quoted copy of the comment above omitted)
-----------------
Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
OK, I think I have managed to change the files now by editing them on the PR file list. Please let me know if you need anything else, Roger.
John
@johnjamesmccann Thanks John, it now looks fine. Would it be possible to edit the PR description and add a short comment to explain why removing the use of the Janitor prevents the double-free, so that it's documented for the record. Thanks again.
There is also a unit test failure, which needs investigation. If there isn't a logic error in the PR, the corresponding unit tests might need updating to match.
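The question Roger raises above, why removing the Janitor prevents the double-free, comes down to two owners holding one pointer. The following C++ is an added example and not Xerces-C code, not this PR's patch, and not a reconstruction of the actual CVE-2018-1311 code path: it puts a scope guard modelled on the "Janitor" name used in the thread beside a second owner of the same pointer and counts what each arrangement does. InputSource, Reader, SourceJanitor and disposeSource are hypothetical stand-ins, and the live-object registry is instrumentation so that a second release is counted rather than executed (a real double delete is undefined behaviour). It also goes one step beyond the thread by exercising an early-exit path, which is where dropping the guard entirely can trade a double free for a leak.

```cpp
// Added example, not Xerces-C code. Names are hypothetical stand-ins for the
// ownership pattern discussed in the PR thread.
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <set>
#include <string>
#include <utility>

struct InputSource;

// Registry of live objects. Every owner releases through disposeSource(), so a
// second release of the same pointer is counted instead of being a real double
// free (which would be undefined behaviour and could crash the demo).
static std::set<InputSource*> gLive;
static std::size_t gReleases = 0;        // successful deletes
static std::size_t gDoubleReleases = 0;  // releases of an already-deleted pointer

struct InputSource {
    std::string systemId;
    explicit InputSource(std::string id) : systemId(std::move(id)) { gLive.insert(this); }
};

static void disposeSource(InputSource* p) {
    if (p == nullptr) return;
    if (gLive.erase(p) == 0) { ++gDoubleReleases; return; }  // not live: this would be the double free
    ++gReleases;
    delete p;
}

// Stand-in for a Janitor: disposes the pointer at scope exit unless release()
// has handed ownership to someone else.
class SourceJanitor {
public:
    explicit SourceJanitor(InputSource* p) : fPtr(p) {}
    ~SourceJanitor() { disposeSource(fPtr); }
    InputSource* release() { InputSource* p = fPtr; fPtr = nullptr; return p; }
    SourceJanitor(const SourceJanitor&) = delete;
    SourceJanitor& operator=(const SourceJanitor&) = delete;
private:
    InputSource* fPtr;
};

// The second owner: consumes the source and disposes it when it is destroyed.
class Reader {
public:
    explicit Reader(InputSource* src) : fSrc(src) {}
    ~Reader() { disposeSource(fSrc); }
    const std::string& systemId() const { return fSrc->systemId; }
    Reader(const Reader&) = delete;
    Reader& operator=(const Reader&) = delete;
private:
    InputSource* fSrc;
};

struct Outcome {
    std::size_t releases;        // times the source was really deleted
    std::size_t doubleReleases;  // releases that hit an already-deleted pointer
    std::size_t leaked;          // sources still live when the scenario ended
};

static void resetCounters() {
    for (InputSource* p : gLive) delete p;  // reclaim anything an earlier scenario leaked
    gLive.clear();
    gReleases = gDoubleReleases = 0;
}

static Outcome snapshot() { return Outcome{gReleases, gDoubleReleases, gLive.size()}; }

// Bug: the Janitor keeps ownership after the Reader has also taken it, so both
// destructors dispose the same pointer. earlyReturn models bailing out before
// the Reader exists (say, the external entity could not be resolved).
static Outcome scanDoubleOwned(bool earlyReturn) {
    resetCounters();
    {
        InputSource* src = new InputSource("external.dtd");  // constructed input
        SourceJanitor jan(src);                               // owner #1
        if (!earlyReturn) {
            Reader reader(src);                               // owner #2, same pointer
            (void)reader.systemId();
        }                                                     // Reader disposes src here ...
    }                                                         // ... and the Janitor disposes it again
    return snapshot();
}

// Fix in the shape the thread describes: no Janitor, the Reader is the only
// owner. Correct on the main path, but nothing frees src on the early exit.
static Outcome scanReaderOwns(bool earlyReturn) {
    resetCounters();
    {
        InputSource* src = new InputSource("external.dtd");
        if (!earlyReturn) {
            Reader reader(src);
            (void)reader.systemId();
        }
    }
    return snapshot();
}

// Alternative: keep the Janitor for the error paths and release() it at the
// point ownership moves to the Reader, so there is exactly one owner at all times.
static Outcome scanWithRelease(bool earlyReturn) {
    resetCounters();
    {
        InputSource* src = new InputSource("external.dtd");
        SourceJanitor jan(src);
        if (!earlyReturn) {
            Reader reader(jan.release());
            (void)reader.systemId();
        }
    }
    return snapshot();
}

int main() {
    const struct { const char* name; Outcome (*fn)(bool); } cases[] = {
        {"double-owned", scanDoubleOwned}, {"reader-owns", scanReaderOwns}, {"release-on-handoff", scanWithRelease}};
    for (const auto& c : cases)
        for (bool early : {false, true}) {
            Outcome o = c.fn(early);
            std::printf("%-18s early=%d releases=%zu double=%zu leaked=%zu\n",
                        c.name, early, o.releases, o.doubleReleases, o.leaked);
        }
    return 0;
}
```

Build with `g++ -std=c++11` and run; each line shows one scenario. The double-owned variant reports one real delete plus one release of a dead pointer, which is the double-free the reviewer asks to have documented. The no-Janitor variant is clean on the normal path but leaks on the early exit, and the release-on-handoff variant is clean on both, which is the check a reviewer would want alongside the unit-test failure mentioned in the thread.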
@rouault Did this problem surface with any of your recent work identifying memory bugs? Do you have any thoughts on the change being proposed and the test failure?
Hello Roger,
Is everything ok with my proposed changes?
Kind regards
John
From: Roger Leigh, 23 January 2022, Subject: Re: [apache/xerces-c] DTD hot fix (PR #46) (quoted copy of the comment above omitted)