The .xml contains the following description section: <description> <p> Tavis Ormandy of the Google Security team reported a heap-based buffer overflow when compiling regular expression patterns containing "Internal Option Settings" such as "<i>(?i)</i>". </p> </description> When running "glsa-check -d 200807-03" it shows the following though: Description: Tavis Ormandy of the Google Security team reported a heap-based buffer overflow when compiling regular expression patterns containing "Internal Option Settings" such as "". Note the missing (?i) in the last quotation marks. This happens with gentoolkit-0.2.3-r1 as well as with -0.2.4_rc4
I don't think this is a bug in glsa-check. It's a bug in the GLSA XML. "<i>(?i)</i>" should be inside <![CDATA[ ... ]]> tags. (Alternatively it could be represented with standard xml entity refs <i>(?i)</i>)
The GLSA is not meant to display the literal <i>, but the highlighting that is caused due to <i>. Please note that this is according to the DTD (which specifies that 'i' elements are allowed inside 'p' elements, and this is the case here) and that it works fine on the web XSLT: http://www.gentoo.org/security/en/glsa/glsa-200807-03.xml
(In reply to comment #2) > The GLSA is not meant to display the literal <i>, but the highlighting that is > caused due to <i>. > Please note that this is according to the DTD (which specifies that 'i' > elements are allowed inside 'p' elements, and this is the case here) and that > it works fine on the web XSLT: > http://www.gentoo.org/security/en/glsa/glsa-200807-03.xml Ah, indeed. I stand corrected. Then the error is in glsa.py, "getText" function, around line 217 of revision 495 in SVN (which is HEAD at the time of this comment). A case needs to be added for the 'i' subnode. I'd do a patch, but I'm not on Gentoo right now, and it better be done by someone with better knowledge of the DTD anyway. ;)
