Skip to content

fix: CVE-2026-6653#10

Closed
Zeno-sole wants to merge 1 commit into
deepin-community:masterfrom
Zeno-sole:fix-cve
Closed

fix: CVE-2026-6653#10
Zeno-sole wants to merge 1 commit into
deepin-community:masterfrom
Zeno-sole:fix-cve

Conversation

@Zeno-sole

Copy link
Copy Markdown
Contributor

Fix use-after-free in xmlParseInternalSubset causing denial of service via maliciously crafted XML input with improper entity resolution handling.

Restructure the loop in xmlParseInternalSubset to call xmlParseMarkupDecl and xmlParsePEReference conditionally based on the current character, instead of calling both unconditionally.

Changes:

  • Add debian/patches/CVE-2026-6653.patch
  • Update debian/patches/series
  • Update debian/changelog

Bug: https://security-tracker.debian.org/tracker/CVE-2026-6653

Fix use-after-free in xmlParseInternalSubset causing denial of service
via maliciously crafted XML input with improper entity resolution handling.

Restructure the loop in xmlParseInternalSubset to call xmlParseMarkupDecl
and xmlParsePEReference conditionally based on the current character,
instead of calling both unconditionally.

Changes:
  - Add debian/patches/CVE-2026-6653.patch
  - Update debian/patches/series
  - Update debian/changelog

Bug: https://security-tracker.debian.org/tracker/CVE-2026-6653

Signed-off-by: lichenggang <lichenggang@deepin.org>
@deepin-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from zeno-sole. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot

Copy link
Copy Markdown
Contributor

/hold
因为该quilt包的上游版本号变更,详情见: deepin-community/infra-settings#134

@github-actions

Copy link
Copy Markdown

TAG Bot

TAG: 2.12.7+dfsg+really2.9.14-2.1+deb13u2deepin1
EXISTED: no
DISTRIBUTION: unstable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants