Posted to c-dev@xerces.apache.org by GitBox <gi...@apache.org> on 2022/01/23 15:31:31 UTC

[GitHub] [xerces-c] rouault opened a new pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

rouault opened a new pull request #47:
URL: https://github.com/apache/xerces-c/pull/47


   The fix consists in adding a new argument to pushReader() to specify if
   ReaderMgr must own the passed entity, and adapt callers to specify the
   right value of this ownership flag depending on the calling context.
   
   SPDX-FileCopyrightText: Portions Copyright 2021 Siemens
   Modified on 15-Jul-2021 by Siemens and/or its affiliates to fix CVE-2018-1311: Apache Xerces-C use-after-free vulnerability scanning external DTD. Copyright 2021 Siemens.
   
   Co-authored-by: Even Rouault <ev...@spatialys.com>
   
   Supersedes https://github.com/apache/xerces-c/pull/46 (avoids the memory leak in the unit tests)
   @johnjamesmccann Do you have access to a reproducer to confirm it fixes the issue? I couldn't easily find a reproducer.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
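
The ownership-flag approach from the pull request text, set beside the two alternatives that come up in this thread (caller and manager both freeing, and nobody freeing), as an added example that is not Xerces-C code. `ToyReaderMgr`, `ScopeGuard`, `ManagerPolicy` and the scenario functions are hypothetical names, and frees are counted instead of performed so the comparison runs without undefined behaviour.

```cpp
// Added illustration, not Xerces-C source: a toy reader manager used to
// compare entity-ownership policies. All names here are hypothetical.
#include <cstdio>

// Constructed stand-in for an entity declaration. Frees are counted rather
// than performed, so a double free is observable as a count of 2.
struct Entity {
    int frees = 0;
};

static void release(Entity* e) {
    if (e) ++e->frees;
}

// Caller-side scope guard, standing in for a smart pointer held by the caller.
struct ScopeGuard {
    Entity* e;
    explicit ScopeGuard(Entity* p) : e(p) {}
    ~ScopeGuard() { release(e); }
};

enum class ManagerPolicy { AlwaysFree, NeverFree, FreeIfOwned };

class ToyReaderMgr {
public:
    explicit ToyReaderMgr(ManagerPolicy p) : policy_(p) {}
    ~ToyReaderMgr() { dropCurrent(); }

    // adoptEntity models the ownership argument described in the PR text.
    void pushReader(Entity* entity, bool adoptEntity) {
        dropCurrent();
        cur_ = entity;
        owned_ = adoptEntity;
    }

private:
    void dropCurrent() {
        bool doFree = policy_ == ManagerPolicy::AlwaysFree ||
                      (policy_ == ManagerPolicy::FreeIfOwned && owned_);
        if (doFree) release(cur_);
        cur_ = nullptr;
        owned_ = false;
    }
    ManagerPolicy policy_;
    Entity* cur_ = nullptr;
    bool owned_ = false;
};

// Temporary entity created at the call site; returns how often it was freed.
// callerGuards: the caller keeps its own guard on the entity.
int temporaryEntityFrees(ManagerPolicy policy, bool callerGuards, bool adopt) {
    Entity decl;
    {
        ToyReaderMgr mgr(policy);
        if (callerGuards) {
            ScopeGuard guard(&decl);      // caller frees at end of this block
            mgr.pushReader(&decl, adopt);
        } else {
            mgr.pushReader(&decl, adopt);
        }
    }                                     // manager destroyed here
    return decl.frees;
}

// Entity owned elsewhere (for example a pool that frees it exactly once).
int pooledEntityFrees(ManagerPolicy policy) {
    Entity pooled;
    {
        ToyReaderMgr mgr(policy);
        mgr.pushReader(&pooled, /*adoptEntity=*/false);
    }
    release(&pooled);                     // the pool's own cleanup
    return pooled.frees;
}

int main() {
    std::printf("guard + manager free : %d\n", temporaryEntityFrees(ManagerPolicy::AlwaysFree, true, true));
    std::printf("guard removed, no own: %d\n", temporaryEntityFrees(ManagerPolicy::NeverFree, false, false));
    std::printf("flag, adopted        : %d\n", temporaryEntityFrees(ManagerPolicy::FreeIfOwned, false, true));
    std::printf("pooled, always free  : %d\n", pooledEntityFrees(ManagerPolicy::AlwaysFree));
    std::printf("pooled, flag=false   : %d\n", pooledEntityFrees(ManagerPolicy::FreeIfOwned));
    return 0;
}
```

A count of 2 corresponds to a double free, 0 to a leak, and 1 to the single release that the flag is meant to guarantee at both kinds of call site.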


[GitHub] [xerces-c] scantor commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
scantor commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1028196255


   I looked at the fix last night at least in cursory fashion. It can't be backported to 3.2 because it's an API and therefore ABI change. Given some method defaulting it could probably be a 3.3 since it would be backwardly-compatible.
   
   As with you, I have absolutely no idea if the fix is either sufficient or doesn't break anything. I don't really care for my own purposes so would defer to others on whether to accept the patch given that lack of insight into its correctness.
   
   As for doing a release, not really, no. It would be very unlikely for me to find any time to do so until some time later this year, possibly in the Spring. And I can't promise that.




[GitHub] [xerces-c] rleigh-lumiradx removed a comment on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rleigh-lumiradx removed a comment on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1028188261


   I am not sufficiently familiar with this part of the codebase to review it meaningfully, but the changes look good and the unit tests are passing and not reporting any leaks, so I think merging this should be fairly risk-free.
   
   Regarding making a new release, all of the recent bugfixes will need backporting to the 3.2 branch if we want to have a new 3.2 point release with all of these changes included.  There are quite a few to backport thanks to all the work done recently, primarily by @rouault.  @scantor Would you be able to make the release?  I can probably find some time to do the backporting, unless you want to do this.




[GitHub] [xerces-c] rouault commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rouault commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1021224266


   > I can't see how my changes could cause a test regression, all my change does is delete 4 smart pointers that are not used in the code base.
   
   yes, but that causes a memory leak since nobody would take care of freeing the declDTD object. Hence my extra changes




[GitHub] [xerces-c] rouault commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rouault commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1026885985


   > So just to confirm there is nothing you need me to do to get this fix in the code base?
   
   no, we just need someone with commit rights in this repository to review & merge it






[GitHub] [xerces-c] rouault commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rouault commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1026875277


   > or has it been added in your fork which is later than mine?
   
   yes




[GitHub] [xerces-c] johnjamesmccann commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
johnjamesmccann commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1021204613


   Hi Rouault,
   
   I can't see how my changes could cause a test regression, all my change does is delete 4 smart pointers that are not used in the code base.
   
   Kind regards
   
   John
   
   From: Even Rouault ***@***.***>
   Sent: 23 January 2022 15:34
   To: apache/xerces-c ***@***.***>
   Cc: McCann, John (DI SW PE OT IO PP) ***@***.***>; Mention ***@***.***>
   Subject: Re: [apache/xerces-c] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() (PR #47)
   
   
   Seeing now https://issues.apache.org/jira/projects/XERCESC/issues/XERCESC-2188 , I see my approach is close to a suggestion of https://issues.apache.org/jira/browse/XERCESC-2188?focusedCommentId=17055399&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17055399
   


[GitHub] [xerces-c] rleigh-codelibre commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rleigh-codelibre commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1028191103


   I am not sufficiently familiar with this part of the codebase to review it meaningfully, but the changes look good and the unit tests are passing and not reporting any leaks, so I think merging this should be fairly risk-free.
   
   Regarding making a new release, all of the recent bugfixes will need backporting to the 3.2 branch if we want to have a new 3.2 point release with all of these changes included. There are quite a few to backport thanks to all the work done recently, primarily by @rouault. @scantor Would you be able to make the release? I can probably find some time to do the backporting, unless you want to do this.






[GitHub] [xerces-c] rouault commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
rouault commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1019508927


   Seeing now https://issues.apache.org/jira/projects/XERCESC/issues/XERCESC-2188 , I see my approach is close to a suggestion of https://issues.apache.org/jira/browse/XERCESC-2188?focusedCommentId=17055399&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17055399




[GitHub] [xerces-c] theta682 commented on a change in pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
theta682 commented on a change in pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#discussion_r792337283



##########
File path: src/xercesc/internal/ReaderMgr.cpp
##########
@@ -72,8 +72,9 @@ ReaderMgr::~ReaderMgr()
     //  entities it still references!)
     //
     delete fCurReader;
+    if (fOwnEntity)
+        delete fCurEntity;
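
Review bot: the `if (fOwnEntity)` guard on the two added lines tests ownership, not null-ness, so the null check that `delete` already performs does not make it redundant; without the guard the destructor would also free an entity whose ownership stayed with the caller, which is the double-free this PR is about. Assuming `fOwnEntity` is the flag set from the new pushReader() ownership argument (its declaration is not visible in this hunk), add a one-line comment here saying so, and check that every place that reassigns `fCurEntity` updates `fOwnEntity` alongside it so the two cannot go out of sync.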

Review comment:
       `delete` checks for `nullptr`
   ```suggestion
       delete fCurEntity;
   ```






[GitHub] [xerces-c] theta682 commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
theta682 commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1027376814


   @rleigh-codelibre can you merge this PR and make a new release?






[GitHub] [xerces-c] johnjamesmccann commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
johnjamesmccann commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1026872614


   Ah yes I can see that now, thanks for picking up on that. Do I need to add that change to my fork or has it been added in your fork which is later than mine?
   
   Thanks and kind regards
   
   John
   
   From: Even Rouault ***@***.***>
   Sent: 25 January 2022 14:15
   To: apache/xerces-c ***@***.***>
   Cc: McCann, John (DI SW PE OT IO PP) ***@***.***>; Mention ***@***.***>
   Subject: Re: [apache/xerces-c] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() (PR #47)
   
   
   I can't see how my changes could cause a test regression, all my change does is delete 4 smart pointers that are not used in the code base.
   
   yes, but that causes a memory leak since nobody would take care of freeing the declDTD object. Hence my extra changes
   


[GitHub] [xerces-c] johnjamesmccann commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
johnjamesmccann commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1026877695


   So just to confirm there is nothing you need me to do to get this fix in the code base?
   
   From: Even Rouault ***@***.***>
   Sent: 01 February 2022 14:02
   To: apache/xerces-c ***@***.***>
   Cc: McCann, John (DI SW PE OT IO PP) ***@***.***>; Mention ***@***.***>
   Subject: Re: [apache/xerces-c] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() (PR #47)
   
   
   or has it been added in your fork which is later than mine?
   
   yes
   


[GitHub] [xerces-c] theta682 commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
theta682 commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1027379163


   @scantor this vulnerability was reported almost 4 years ago. It has to be finally fixed.




[GitHub] [xerces-c] scantor commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()

Posted by GitBox <gi...@apache.org>.
scantor commented on pull request #47:
URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1027462800


   Since you addressed me personally, I can simply reiterate as I have in Jira (which is where this proposal should be, this is not a GitHub project) that I don't have any exposure to, and thus no source of resources with which to work on, anything in the DTD code unless it's a trivial fix that doesn't change the ABI and I'm already doing some other work on the code.
   
   Nothing else has arisen with the code that necessitated a release for my project, so there hasn't been any opportunity for me to look at anything else.
   
   I am not stopping anybody else from doing the work, and nobody is stopping others from joining the project as committers, which is certainly needed for obvious reasons.
   
   One issue that's perhaps less obvious is that a fix that requires a 4.0 rev may not get uptake by the few distributors of the current version. I imagine that's why Red Hat took the approach they took with it and just made it leak memory instead. Perhaps that's the best option in the end after all. I really have not looked at the issue at all in any depth to understand the trade-offs or possible fixes.

