From daniel.leidert.spam at gmx.net Wed Dec 23 15:05:30 2009
From: daniel.leidert.spam at gmx.net (Daniel Leidert)
Date: Wed, 23 Dec 2009 15:05:30 +0100
Subject: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
Message-ID: <1261577130.19144.26.camel@haktar.wgdd.de>

x-post to expat-discuss, debian-devel and debian-perl

Hi,

The security issue known as CVE-2009-3560 [1] has been fixed in expat's
source code some time ago [2]. Now a Debian user informed [3] me, that
the fix breaks parsing XML files with entities using Perl's XML parser.
Also several tests of the suite then fail (attached build log). So this
makes the problem RC for us Debian and creates a problem in the *stable
suites.

I guess, the Perl XML parser needs to be fixed and not expat. But I'm
not familiar with the Perl module. I wonder if you (expat developers)
have been informed about this? Unfortunately the author of the Perl XML
parser module seems not active anymore (CCed him though).

Is someone able to help to track this down? Any help is appreciated.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://bugs.debian.org/561658

Regards, Daniel
-------------- next part --------------
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: setze CFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CPPFLAGS auf Standardwert:
dpkg-buildpackage: setze LDFLAGS auf Standardwert:
dpkg-buildpackage: setze FFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CXXFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: Quellpaket libxml-parser-perl
dpkg-buildpackage: Quellversion 2.36-1.2
dpkg-buildpackage: Quellen geändert durch Daniel Leidert (dale)
dpkg-buildpackage: Host-Architektur amd64
fakeroot debian/rules clean
dh_testdir
dh_testroot
[ ! -f Makefile ] || /usr/bin/make realclean
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make clean'\'' if -f '\''Makefile'\'';' --
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
  *.a core \
  core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
  core.[0-9][0-9] Expat.bso \
  pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
  Expat.x Expat.bs \
  perl tmon.out \
  *.o pm_to_blib \
  ../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
  core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
  *perl.core core.*perl.*.? \
  Makefile.aperl perl \
  Expat.def core.[0-9][0-9][0-9] \
  mon.out libExpat.def \
  perlmain.c perl.exe \
  so_locations Expat.exp
rm -rf \
  blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
  *.a core \
  core.[0-9] blib/arch/auto/XML/Parser/extralibs.all \
  core.[0-9][0-9] Parser.bso \
  pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
  Parser.x \
  perl tmon.out \
  *.o pm_to_blib \
  blib/arch/auto/XML/Parser/extralibs.ld blibdirs.ts \
  core.[0-9][0-9][0-9][0-9][0-9] *perl.core \
  core.*perl.*.? Makefile.aperl \
  Parser.def perl \
  core.[0-9][0-9][0-9] mon.out \
  libParser.def perl.exe \
  perlmain.c so_locations \
  Parser.exp
rm -rf \
  blib
mv Makefile Makefile.old > /dev/null 2>&1
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile.old realclean'\'' if -f '\''Makefile.old'\'';' --
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
  *.a core \
  core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
  core.[0-9][0-9] Expat.bso \
  pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
  Expat.x Expat.bs \
  perl tmon.out \
  *.o pm_to_blib \
  ../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
  core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
  *perl.core core.*perl.*.? \
  Makefile.aperl perl \
  Expat.def core.[0-9][0-9][0-9] \
  mon.out libExpat.def \
  perlmain.c perl.exe \
  so_locations Expat.exp
rm -rf \
  blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: [clean] Fehler 1 (ignoriert)
rm -f \
  Expat.o Makefile.old \
  Makefile
rm -rf \

make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile realclean'\'' if -f '\''Makefile'\'';' --
rm -f \
  Makefile.old Makefile
rm -rf \
  XML-Parser-2.36
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
dh_clean README.Encodings build-stamp install-stamp \
  Parser/Encodings/iso-8859-1.enc Parser/Encodings/iso-8859-6.enc Parser/Encodings/iso-8859-10.enc Parser/Encodings/iso-8859-11.enc Parser/Encodings/iso-8859-13.enc Parser/Encodings/iso-8859-14.enc Parser/Encodings/iso-8859-15.enc Parser/Encodings/iso-8859-16.enc Parser/Encodings/windows-1251.enc
dh_clean: Compatibility levels before 5 are deprecated.
dpkg-source -b libxml-parser-perl-2.36
dpkg-source: Information: verwende Quellformat »1.0«
dpkg-source: Information: baue libxml-parser-perl unter Benutzung des existierenden libxml-parser-perl_2.36.orig.tar.gz
dpkg-source: Information: baue libxml-parser-perl in libxml-parser-perl_2.36-1.2.diff.gz
dpkg-source: Warnung: der Diff verändert die folgenden Dateien der Originalautoren:
 Expat/Expat.xs
 samples/canonical
 samples/xmlcomments
 samples/xmlfilter
 samples/xmlstats
dpkg-source: Information: verwenden Sie das Format »3.0 (quilt)«, um separate und dokumentierte Änderungen an den Dateien der Originalautoren zu erhalten, siehe dpkg-source(1)
dpkg-source: Information: baue libxml-parser-perl in libxml-parser-perl_2.36-1.2.dsc
debian/rules build
dh_testdir
uudecode -o Parser/Encodings/iso-8859-1.enc debian/encodings/iso-8859-1.uuenc ;
uudecode -o Parser/Encodings/iso-8859-6.enc debian/encodings/iso-8859-6.uuenc ;
uudecode -o Parser/Encodings/iso-8859-10.enc debian/encodings/iso-8859-10.uuenc ;
uudecode -o Parser/Encodings/iso-8859-11.enc debian/encodings/iso-8859-11.uuenc ;
uudecode -o Parser/Encodings/iso-8859-13.enc debian/encodings/iso-8859-13.uuenc ;
uudecode -o Parser/Encodings/iso-8859-14.enc debian/encodings/iso-8859-14.uuenc ;
uudecode -o Parser/Encodings/iso-8859-15.enc debian/encodings/iso-8859-15.uuenc ;
uudecode -o Parser/Encodings/iso-8859-16.enc debian/encodings/iso-8859-16.uuenc ;
uudecode -o Parser/Encodings/windows-1251.enc debian/encodings/windows-1251.uuenc ;
perl Makefile.PL INSTALLDIRS=vendor
Checking if your kit is complete...
Looks good
Writing Makefile for XML::Parser::Expat
Writing Makefile for XML::Parser
/usr/bin/make OPTIMIZE="-Wall -g -O2"
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
cp Parser/Encodings/x-sjis-cp932.enc blib/lib/XML/Parser/Encodings/x-sjis-cp932.enc
cp Parser/Encodings/iso-8859-7.enc blib/lib/XML/Parser/Encodings/iso-8859-7.enc
cp Parser/Encodings/iso-8859-10.enc blib/lib/XML/Parser/Encodings/iso-8859-10.enc
cp Parser/Style/Tree.pm blib/lib/XML/Parser/Style/Tree.pm
cp Parser/Encodings/iso-8859-9.enc blib/lib/XML/Parser/Encodings/iso-8859-9.enc
cp Parser/Encodings/iso-8859-11.enc blib/lib/XML/Parser/Encodings/iso-8859-11.enc
cp Parser/Encodings/x-euc-jp-unicode.enc blib/lib/XML/Parser/Encodings/x-euc-jp-unicode.enc
cp Parser/Encodings/iso-8859-14.enc blib/lib/XML/Parser/Encodings/iso-8859-14.enc
cp Parser/Encodings/iso-8859-1.enc blib/lib/XML/Parser/Encodings/iso-8859-1.enc
cp Parser/Encodings/big5.enc blib/lib/XML/Parser/Encodings/big5.enc
cp Parser/Encodings/iso-8859-6.enc blib/lib/XML/Parser/Encodings/iso-8859-6.enc
cp Parser/Encodings/iso-8859-15.enc blib/lib/XML/Parser/Encodings/iso-8859-15.enc
cp Parser/Encodings/x-sjis-jdk117.enc blib/lib/XML/Parser/Encodings/x-sjis-jdk117.enc
cp Parser/Encodings/x-sjis-unicode.enc blib/lib/XML/Parser/Encodings/x-sjis-unicode.enc
cp Parser/LWPExternEnt.pl blib/lib/XML/Parser/LWPExternEnt.pl
cp Parser/Style/Debug.pm blib/lib/XML/Parser/Style/Debug.pm
cp Parser/Encodings/windows-1251.enc blib/lib/XML/Parser/Encodings/windows-1251.enc
cp Parser/Encodings/iso-8859-5.enc blib/lib/XML/Parser/Encodings/iso-8859-5.enc
cp Parser/Encodings/README blib/lib/XML/Parser/Encodings/README
cp Parser/Encodings/euc-kr.enc blib/lib/XML/Parser/Encodings/euc-kr.enc
cp Parser/Encodings/windows-1250.enc blib/lib/XML/Parser/Encodings/windows-1250.enc
cp Parser/Encodings/windows-1252.enc blib/lib/XML/Parser/Encodings/windows-1252.enc
cp Parser/Encodings/Japanese_Encodings.msg blib/lib/XML/Parser/Encodings/Japanese_Encodings.msg
cp Parser/Encodings/iso-8859-3.enc blib/lib/XML/Parser/Encodings/iso-8859-3.enc
cp Parser/Encodings/iso-8859-8.enc blib/lib/XML/Parser/Encodings/iso-8859-8.enc
cp Parser/Encodings/x-euc-jp-jisx0221.enc blib/lib/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
cp Parser/Encodings/iso-8859-4.enc blib/lib/XML/Parser/Encodings/iso-8859-4.enc
cp Parser/Encodings/iso-8859-13.enc blib/lib/XML/Parser/Encodings/iso-8859-13.enc
cp Parser/Style/Subs.pm blib/lib/XML/Parser/Style/Subs.pm
cp Parser/Encodings/iso-8859-16.enc blib/lib/XML/Parser/Encodings/iso-8859-16.enc
cp Parser/Encodings/iso-8859-2.enc blib/lib/XML/Parser/Encodings/iso-8859-2.enc
cp Parser/Style/Objects.pm blib/lib/XML/Parser/Style/Objects.pm
cp Parser.pm blib/lib/XML/Parser.pm
cp Parser/Encodings/x-sjis-jisx0221.enc blib/lib/XML/Parser/Encodings/x-sjis-jisx0221.enc
cp Parser/Style/Stream.pm blib/lib/XML/Parser/Style/Stream.pm
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
cp Expat.pm ../blib/lib/XML/Parser/Expat.pm
/usr/bin/perl /usr/share/perl/5.10.1/ExtUtils/xsubpp -noprototypes -typemap /usr/share/perl/5.10/ExtUtils/typemap -typemap typemap Expat.xs > Expat.xsc && mv Expat.xsc Expat.c
cc -c -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -g -O2 -DVERSION=\"2.36\" -DXS_VERSION=\"2.36\" -fPIC "-I/usr/lib/perl/5.10/CORE" Expat.c
Expat.xs: In function ‘append_error’:
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 4 has type ‘XML_Size’
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 5 has type ‘XML_Size’
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 6 has type ‘XML_Index’
Expat.xs: In function ‘generate_model’:
Expat.xs:255: warning: value computed is not used
Expat.xs:257: warning: value computed is not used
Expat.xs:262: warning: value computed is not used
Expat.xs:277: warning: value computed is not used
Expat.xs:260: warning: enumeration value ‘XML_CTYPE_EMPTY’ not handled in switch
Expat.xs:260: warning: enumeration value ‘XML_CTYPE_ANY’ not handled in switch
Expat.xs: In function ‘parse_stream’:
Expat.xs:298: warning: unused variable ‘buff’
Expat.xs: In function ‘startElement’:
Expat.xs:486: warning: unused variable ‘pnslst’
Expat.xs:485: warning: unused variable ‘pnstab’
Expat.xs:482: warning: unused variable ‘pcontext’
Expat.xs: In function ‘externalEntityRef’:
Expat.xs:1029: warning: value computed is not used
Expat.xs: In function ‘unknownEncoding’:
Expat.xs:1148: warning: unused variable ‘count’
Expat.xs: In function ‘XS_XML__Parser__Expat_ParseStream’:
Expat.xs:1464: warning: unused variable ‘delimsv’
Expat.xs: In function ‘XS_XML__Parser__Expat_ParsePartial’:
Expat.xs:1490: warning: unused variable ‘cbv’
Expat.xs: In function ‘XS_XML__Parser__Expat_SetDoctypeHandler’:
Expat.xs:1742: warning: unused variable ‘set’
Expat.c: In function ‘XS_XML__Parser__Expat_GetBase’:
Expat.c:2225: warning: unused variable ‘RETVAL’
Expat.xs: In function ‘XS_XML__Parser__Expat_DefaultCurrent’:
Expat.xs:1922: warning: unused variable ‘cbv’
Expat.c: In function ‘XS_XML__Parser__Expat_ErrorString’:
Expat.c:2564: warning: unused variable ‘targ’
Expat.c:2563: warning: unused variable ‘RETVAL’
Expat.xs: In function ‘XS_XML__Parser__Expat_LoadEncoding’:
Expat.xs:2072: warning: value computed is not used
Expat.xs: In function ‘XS_XML__Parser__Expat_Do_External_Parse’:
Expat.xs:2207: warning: unused variable ‘pret’
Expat.xs:2196: warning: unused variable ‘cbv’
Expat.xs:2194: warning: unused variable ‘type’
Expat.xs: In function ‘parse_stream’:
Expat.xs:291: warning: ‘linebuff’ may be used uninitialized in this function
Expat.xs:290: warning: ‘tsiz’ may be used uninitialized in this function
Expat.xs:289: warning: ‘tbuff’ may be used uninitialized in this function
Expat.c: In function ‘XS_XML__Parser__Expat_Do_External_Parse’:
Expat.c:2911: warning: ‘RETVAL’ may be used uninitialized in this function
Running Mkbootstrap for XML::Parser::Expat ()
chmod 644 Expat.bs
rm -f ../blib/arch/auto/XML/Parser/Expat/Expat.so
cc -shared -O2 -g -L/usr/local/lib -fstack-protector Expat.o -o ../blib/arch/auto/XML/Parser/Expat/Expat.so \
  -lexpat \

chmod 755 ../blib/arch/auto/XML/Parser/Expat/Expat.so
cp Expat.bs ../blib/arch/auto/XML/Parser/Expat/Expat.bs
chmod 644 ../blib/arch/auto/XML/Parser/Expat/Expat.bs
Manifying ../blib/man3/XML::Parser::Expat.3pm
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
Manifying blib/man3/XML::Parser::Style::Objects.3pm
Manifying blib/man3/XML::Parser::Style::Debug.3pm
Manifying blib/man3/XML::Parser.3pm
Manifying blib/man3/XML::Parser::Style::Subs.3pm
Manifying blib/man3/XML::Parser::Style::Tree.3pm
Manifying blib/man3/XML::Parser::Style::Stream.3pm
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/make test
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/astress.t ....... ok
t/cdata.t ......... ok

syntax error at line 14, column 3, byte 214:
%ext;
]]>
error in processing external entity reference at line 21, column 3, byte 3161:
]>
==^
 at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm line 187
t/decl.t .......... Dubious, test returned 9 (wstat 2304, 0x900)
Failed 29/30 subtests
t/defaulted.t ..... ok
t/encoding.t ...... ok
t/external_ent.t .. ok
t/file.t .......... ok
t/finish.t ........ ok
t/namespaces.t .... ok

error in processing external entity reference at line 8, column 0, byte 173:
]
>
^
Happy, happy &joy;, &joy;
 at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm line 187
t/parament.t ...... Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 11/12 subtests
t/partial.t ....... ok
t/skip.t .......... ok
t/stream.t ........ ok
t/styles.t ........ ok

Test Summary Report
-------------------
t/decl.t (Wstat: 2304 Tests: 1 Failed: 0)
  Non-zero exit status: 9
  Parse errors: Bad plan. You planned 30 tests but ran 1.
t/parament.t (Wstat: 65280 Tests: 1 Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan. You planned 12 tests but ran 1.
Files=14, Tests=90, 0 wallclock secs ( 0.06 usr 0.02 sys + 0.38 cusr 0.08 csys = 0.54 CPU)
Result: FAIL
Failed 2/14 test programs. 0/90 subtests failed.
make[1]: *** [test_dynamic] Fehler 255
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
make: *** [build-stamp] Fehler 2
dpkg-buildpackage: Fehler: debian/rules build gab Fehler-Exitstatus 2

From karl at waclawek.net Wed Dec 23 20:51:04 2009
From: karl at waclawek.net (Karl Waclawek)
Date: Wed, 23 Dec 2009 14:51:04 -0500
Subject: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
In-Reply-To: <1261577130.19144.26.camel@haktar.wgdd.de>
References: <1261577130.19144.26.camel@haktar.wgdd.de>
Message-ID: <4B3274A8.2080904@waclawek.net>

Daniel Leidert wrote:
> x-post to expat-discuss, debian-devel and debian-perl
>
> Hi,
>
> The security issue known as CVE-2009-3560 [1] has been fixed in expat's
> source code some time ago [2]. Now a Debian user informed [3] me, that
> the fix breaks parsing XML files with entities using Perl's XML parser.
> Also several tests of the suite then fail (attached build log). So this
> makes the problem RC for us Debian and creates a problem in the *stable
> suites.
>
> I guess, the Perl XML parser needs to be fixed and not expat. But I'm
> not familiar with the Perl module. I wonder if you (expat developers)
> have been informed about this? Unfortunately the author of the Perl XML
> parser module seems not active anymore (CCed him though).

No, I haven't heard about the Perl issue before.

>
> Is someone able to help to track this down? Any help is appreciated.
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> [3] http://bugs.debian.org/561658
>

Could you please run the failing tests with Expat directly, instead of
the Perl parser?

Karl

From ntyni at debian.org Mon Dec 28 23:58:35 2009
From: ntyni at debian.org (Niko Tyni)
Date: Tue, 29 Dec 2009 00:58:35 +0200
Subject: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
In-Reply-To: <4B3274A8.2080904@waclawek.net>
References: <1261577130.19144.26.camel@haktar.wgdd.de> <4B3274A8.2080904@waclawek.net>
Message-ID: <20091228225835.GA1481@madeleine.local.invalid>

On Wed, Dec 23, 2009 at 02:51:04PM -0500, Karl Waclawek wrote:
> Daniel Leidert wrote:
> > x-post to expat-discuss, debian-devel and debian-perl
> > The security issue known as CVE-2009-3560 [1] has been fixed in expat's
> > source code some time ago [2]. Now a Debian user informed [3] me, that
> > the fix breaks parsing XML files with entities using Perl's XML parser.
> > Also several tests of the suite then fail (attached build log). So this
> > makes the problem RC for us Debian and creates a problem in the *stable
> > suites.
> > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> > [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> > [3] http://bugs.debian.org/561658

> Could you please run the failing tests with Expat directly, instead of the
> Perl parser?

I'm able to reproduce (at least part of) the problem without the Perl
bindings, using the 'xmlwf' example tool from the expat source (shipped
in the 'expat' package on Debian.)

I'm attaching an example XML document and the external DTD it
references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
silently passes. With the patch, the output is

 t.dtd:4:3: syntax error
 t.xml:2:28: error in processing external entity reference

(The DTD was copied verbatim from the example at
 http://www.w3.org/TR/REC-xml/#sec-condition-sect )
--
Niko Tyni ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: t.xml
Type: application/xml
Size: 60 bytes
Desc: not available
URL:
-------------- next part --------------
]]>
]]>

From karl at waclawek.net Tue Dec 29 06:17:02 2009
From: karl at waclawek.net (Karl Waclawek)
Date: Tue, 29 Dec 2009 00:17:02 -0500
Subject: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
In-Reply-To: <20091228225835.GA1481@madeleine.local.invalid>
References: <1261577130.19144.26.camel@haktar.wgdd.de> <4B3274A8.2080904@waclawek.net> <20091228225835.GA1481@madeleine.local.invalid>
Message-ID: <4B3990CE.4090204@waclawek.net>

Niko Tyni wrote:
> I'm attaching an example XML document and the external DTD it
> references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
> silently passes. With the patch, the output is
>
> t.dtd:4:3: syntax error
> t.xml:2:28: error in processing external entity reference
>
> (The DTD was copied verbatim from the example at
> http://www.w3.org/TR/REC-xml/#sec-condition-sect )

I can duplicate this. The patch needs to be revised.

Thanks for testing this.
Karl

From karl at waclawek.net Tue Dec 29 19:45:34 2009
From: karl at waclawek.net (Karl Waclawek)
Date: Tue, 29 Dec 2009 13:45:34 -0500
Subject: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
In-Reply-To: <20091228225835.GA1481@madeleine.local.invalid>
References: <1261577130.19144.26.camel@haktar.wgdd.de> <4B3274A8.2080904@waclawek.net> <20091228225835.GA1481@madeleine.local.invalid>
Message-ID: <4B3A4E4E.3050105@waclawek.net>

Niko Tyni wrote:
>> Could you please run the failing tests with Expat directly, instead of the
>> Perl parser?
>
> I'm able to reproduce (at least part of) the problem without the Perl
> bindings, using the 'xmlwf' example tool from the expat source (shipped
> in the 'expat' package on Debian.)
>
> I'm attaching an example XML document and the external DTD it
> references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
> silently passes. With the patch, the output is
>
> t.dtd:4:3: syntax error
> t.xml:2:28: error in processing external entity reference
>
> (The DTD was copied verbatim from the example at
> http://www.w3.org/TR/REC-xml/#sec-condition-sect )

I revised the patch - see newest revision of xmlparse.c (rev. 166).

May I ask for a favour: Please discuss these issues directly on the
comments of the bug entry on SourceForge. Without this we will have no
clue what things were discussed and discovered while fixing a bug.

Thanks,

Karl
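
Added example, not part of the original thread or of expat's own test suite: a regression check for the reproduction Niko Tyni describes, run through Python's pyexpat binding to libexpat instead of xmlwf. The attachments were scrubbed from the archive, so the DTD text (reconstructed from the conditional-section example in the XML 1.0 Recommendation), the minimal document, the negative-control DTD and the function name are assumptions constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed inputs: the thread's attachments were scrubbed from the archive.
# T_DTD follows the conditional-section example in the XML 1.0 Recommendation
# (the one the thread says was copied); T_XML is an assumed minimal document.
T_DTD = b"""<!ENTITY % draft 'INCLUDE' >
<!ENTITY % final 'IGNORE' >

<![%draft;[
<!ELEMENT book (comments*, title, body, supplements?)>
]]>
<![%final;[
<!ELEMENT book (title, body, supplements?)>
]]>
"""
T_XML = b'<?xml version="1.0"?>\n<!DOCTYPE book SYSTEM "t.dtd">\n<book/>\n'

# Negative control (constructed): the conditional-section keyword must expand
# to INCLUDE or IGNORE, so a correct parser still has to reject this DTD.
BAD_DTD = T_DTD.replace(b"'INCLUDE'", b"'BOGUS'")


def parse_with_external_dtd(xml_doc, dtd):
    """Parse xml_doc with libexpat, serving dtd as its external subset.

    Returns (ok, detail). On success detail maps each declared element to
    the names in its content model; on failure it is the expat error text.
    """
    declared = {}
    parser = expat.ParserCreate()
    # Parameter entities are only expanded when this is enabled; the
    # conditional sections above depend on %draft; and %final;.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_element_decl(name, model):
        # model is (type, quantifier, name, children)
        declared[name] = [child[2] for child in model[3]]

    def on_external_entity(context, base, system_id, public_id):
        # The sub-parser inherits the handlers set on the parent parser.
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(dtd, True)
        return 1

    parser.ElementDeclHandler = on_element_decl
    parser.ExternalEntityRefHandler = on_external_entity
    try:
        parser.Parse(xml_doc, True)
    except expat.ExpatError as exc:
        return False, str(exc)
    return True, declared


if __name__ == "__main__":
    print("W3C example DTD:", parse_with_external_dtd(T_XML, T_DTD))
    print("negative control:", parse_with_external_dtd(T_XML, BAD_DTD))
```

A security fix to the prolog parser passes this check only if the valid DTD is accepted with the INCLUDE branch declared and the negative control is still rejected.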