On Thu, Jul 28, 2005 at 02:29:07PM +0200, Ralf Corsepius wrote:
> On Thu, 2005-07-28 at 07:05 -0400, Daniel Veillard wrote:
> > On Fri, Jul 22, 2005 at 08:08:17PM -1000, Warren Togami wrote:
> > >
> > Now multiply by the number of libraries we ship, to me you annoy the user
> > and the maintainers.
> >
> > I really disagree with this myself.
> Then let me turn your remark around into a devel's advocate question:
>
> Which packages in all RH based distributions (FC, FE, etc.) are
> statically linked against libxml and therefore will be subject to the
> vulnerability that allows arbitrary users to become root by parsing
> xml-files, to be discovered, tomorrow?

I don't think there is any in the distro (I think open-office specific
version was removed). The problem of course is for ISVs and independent
developers.

Sorry you tried to attack the problem from the wrong angle. I could not
conclude whether you suspected libxml2 had security problems when parsing
files, I hope not. Now if you are really worried, I would suggest you start
chasing the various expat libraries used right and left, some of them using
the system ones but not all ...

Daniel

--
Daniel Veillard      | Red Hat Desktop team http://redhat.com/
veillard@xxxxxxxxxx  | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/