Closed
Bug 1271009
Opened 8 years ago
Closed 8 years ago
CVE-2016-0718 for libexpat
Categories
(Core :: XML, defect)
RESOLVED DUPLICATE of bug 1236923
People
(Reporter: erahm, Assigned: erahm)
Details
(Whiteboard: btpp-fixnow Embargo until May 17, 2016 21:00 UTC+2 (noon PDT))
Received an email indicating a pending libexpat CVE disclosure. They want to disclose on May 17th, but are willing to coordinate if we need more time. Contents below:
> From: sebastian@pipping.org Sebastian Pipping
> To:
> Date: Fri, 6 May 2016 15:07:05 -0700
> Subject: Re: Expat vuln. CVE-2016-0718, please reply before 2016-05-10
>
> Hello again!
>
>
> A quick update on dates:
>          ^^^^^^    ^^^^^
> We have been asked to move the second deadline off Friday for good
> reasons. After careful consideration, we have decided to:
>
> move the second deadline ("end of embargo")
> from Friday 2016-05-13 forward
> to Tuesday 2016-05-17,
> keeping the time unchanged at 21:00 UTC+2.
>
> leaving more time to you as well. I hope it's in your interest, too.
> Thanks for your attention.
>
> Best, Sebastian
>
>
> On 06.05.2016 00:40, Sebastian Pipping wrote:
> > Hello!
> >
> >
> > You are either maintaining Expat somewhere important or are security
> > contact of a project or both.
> >
> > There is a vulnerability named "CVE-2016-0718" in Expat that we aim to
> > disclose to the public responsibly: The idea is to have everyone
> > publish a fixed version at the same time so that no one remains
> > vulnerable once the vulnerability went public.
> >
> > For next steps we are planning:
> >
> > * 2016-05-10   Mail to everyone (who replied confirming to be in and
> >   Tuesday      respect the embargo period):
> >   21:00 UTC+2    * More details
> >                  * A patch
> >                  * Malformed trigger files in a tar archive
> >                  * The list of contacts that are in to promote
> >                    collaboration without violating the embargo
> >
> > * 2016-05-17   Embargo ends, we push related commits to the Expat
>             ^^ moved
> >   Tuesday      Git repository, and publish to oss-security.
>     ^^^^ moved
> >   21:00 UTC+2  You upload packaging changes, new binaries etc.
>     ^^ kept :)
> >
> > If these dates do not work for you, please let us know ASAP.
> > We will share changes of dates with everyone.
> >
> > To continue, please confirm that you respect the embargo and
> > would like to participate.
> >
> > We are looking forward to hearing from you. Best,
> >
> >
> >
> > Sebastian
> >
>
Assignee
Comment 1•8 years ago
I assume I received this email because I fixed a previous sec issue in libexpat. I've replied indicating we'd like to participate and CC'd security@mozilla.org.
Updated•8 years ago
Group: core-security → dom-core-security
Comment 2•8 years ago
We don't have any details yet, but given the way this is being coordinated and dropping everywhere at once this could lead to a chemspill release for May 17 or 18.
Group: dom-core-security → core-security-release
Flags: needinfo?(lhenry)
Comment 3•8 years ago
OK. Thanks for letting me know. So does this definitely affect 46? 45esr too?
status-firefox46:
--- → ?
tracking-firefox46:
--- → +
tracking-firefox49:
--- → +
Flags: needinfo?(lhenry)
Comment 4•8 years ago
Can you fix this, Eric, when the patch is released, if it is needed? Thanks.
Flags: needinfo?(erahm)
Whiteboard: btpp-fixnow
Assignee
Comment 5•8 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Can you fix this, Eric, when the patch is released, if it is needed? Thanks.

Yes. I'm hoping whatever it is doesn't affect us (my guess is it's character conversion which we don't use), either way I'll evaluate and fix as necessary.
Flags: needinfo?(erahm)
Comment 7•8 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #3)
> OK. thanks for letting me know. So does this definitely affect 46? 45esr too?

If it affects any version, it will affect all versions. As Eric said, we might be safe but we can't tell yet.
Comment 8•8 years ago
This has the same CVE, and same discoverer according to the additional details we got, as bug 1236923. We determined that bug didn't affect us, but now that we have a patch we should double-check that.
Whiteboard: btpp-fixnow → btpp-fixnow Embargo until May 17, 2016
Updated•8 years ago
Whiteboard: btpp-fixnow Embargo until May 17, 2016 → btpp-fixnow Embargo until May 17, 2016 21:00 UTC+2 (noon PDT)
Comment 9•8 years ago
Yes, same testcase -- this is bug 1236923.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
status-firefox46:
? → ---
status-firefox49:
affected → ---
tracking-firefox46:
+ → ---
tracking-firefox49:
+ → ---
Updated•5 years ago
Group: core-security-release