RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
x-post to expat-discuss, debian-devel and debian-perl
Hi,
The security issue known as CVE-2009-3560 [1] has been fixed in expats
source code some time ago [2]. Now a Debian user informed [3] me, that
the fix breaks parsing XML files with entities using Perls XML parser.
Also several tests of the suite then fail (attached build log). So this
makes the problem RC for us Debian and creates a problem in the *stable
suites.
I guess, the Perl XML parser needs to be fixed and not expat. But I'm
not familiar with the Perl module. I wonder if you (expat developers)
have been informed about this? Unfortunately the author of the Perl XML
parser module seems not active anymore (CCed him tough).
Is someone able to help to track this down? Any help is appreciated.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://bugs.debian.org/561658
Regards, Daniel
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: setze CFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CPPFLAGS auf Standardwert:
dpkg-buildpackage: setze LDFLAGS auf Standardwert:
dpkg-buildpackage: setze FFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CXXFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: Quellpaket libxml-parser-perl
dpkg-buildpackage: Quellversion 2.36-1.2
dpkg-buildpackage: Quellen geändert durch Daniel Leidert (dale) <daniel.leidert@wgdd.de>
dpkg-buildpackage: Host-Architektur amd64
fakeroot debian/rules clean
dh_testdir
dh_testroot
[ ! -f Makefile ] || /usr/bin/make realclean
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make clean'\'' if -f '\''Makefile'\'';' --
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
*.a core \
core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
core.[0-9][0-9] Expat.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Expat.x Expat.bs \
perl tmon.out \
*.o pm_to_blib \
../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
*perl.core core.*perl.*.? \
Makefile.aperl perl \
Expat.def core.[0-9][0-9][0-9] \
mon.out libExpat.def \
perlmain.c perl.exe \
so_locations Expat.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
*.a core \
core.[0-9] blib/arch/auto/XML/Parser/extralibs.all \
core.[0-9][0-9] Parser.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Parser.x \
perl tmon.out \
*.o pm_to_blib \
blib/arch/auto/XML/Parser/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] *perl.core \
core.*perl.*.? Makefile.aperl \
Parser.def perl \
core.[0-9][0-9][0-9] mon.out \
libParser.def perl.exe \
perlmain.c so_locations \
Parser.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile.old realclean'\'' if -f '\''Makefile.old'\'';' --
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
rm -f \
*.a core \
core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
core.[0-9][0-9] Expat.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Expat.x Expat.bs \
perl tmon.out \
*.o pm_to_blib \
../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
*perl.core core.*perl.*.? \
Makefile.aperl perl \
Expat.def core.[0-9][0-9][0-9] \
mon.out libExpat.def \
perlmain.c perl.exe \
so_locations Expat.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: [clean] Fehler 1 (ignoriert)
rm -f \
Expat.o Makefile.old \
Makefile
rm -rf \
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile realclean'\'' if -f '\''Makefile'\'';' --
rm -f \
Makefile.old Makefile
rm -rf \
XML-Parser-2.36
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
dh_clean README.Encodings build-stamp install-stamp \
Parser/Encodings/iso-8859-1.enc Parser/Encodings/iso-8859-6.enc Parser/Encodings/iso-8859-10.enc Parser/Encodings/iso-8859-11.enc Parser/Encodings/iso-8859-13.enc Parser/Encodings/iso-8859-14.enc Parser/Encodings/iso-8859-15.enc Parser/Encodings/iso-8859-16.enc Parser/Encodings/windows-1251.enc
dh_clean: Compatibility levels before 5 are deprecated.
dpkg-source -b libxml-parser-perl-2.36
dpkg-source: Information: verwende Quellformat »1.0«
dpkg-source: Information: baue libxml-parser-perl unter Benutzung des existierenden libxml-parser-perl_2.36.orig.tar.gz
dpkg-source: Information: baue libxml-parser-perl in libxml-parser-perl_2.36-1.2.diff.gz
dpkg-source: Warnung: der Diff verändert die folgenden Dateien der Originalautoren:
Expat/Expat.xs
samples/canonical
samples/xmlcomments
samples/xmlfilter
samples/xmlstats
dpkg-source: Information: verwenden Sie das Format »3.0 (quilt)«, um separate und dokumentierte Änderungen an den Dateien der Originalautoren zu erhalten, siehe dpkg-source(1)
dpkg-source: Information: baue libxml-parser-perl in libxml-parser-perl_2.36-1.2.dsc
debian/rules build
dh_testdir
uudecode -o Parser/Encodings/iso-8859-1.enc debian/encodings/iso-8859-1.uuenc ; uudecode -o Parser/Encodings/iso-8859-6.enc debian/encodings/iso-8859-6.uuenc ; uudecode -o Parser/Encodings/iso-8859-10.enc debian/encodings/iso-8859-10.uuenc ; uudecode -o Parser/Encodings/iso-8859-11.enc debian/encodings/iso-8859-11.uuenc ; uudecode -o Parser/Encodings/iso-8859-13.enc debian/encodings/iso-8859-13.uuenc ; uudecode -o Parser/Encodings/iso-8859-14.enc debian/encodings/iso-8859-14.uuenc ; uudecode -o Parser/Encodings/iso-8859-15.enc debian/encodings/iso-8859-15.uuenc ; uudecode -o Parser/Encodings/iso-8859-16.enc debian/encodings/iso-8859-16.uuenc ; uudecode -o Parser/Encodings/windows-1251.enc debian/encodings/windows-1251.uuenc ;
perl Makefile.PL INSTALLDIRS=vendor
Checking if your kit is complete...
Looks good
Writing Makefile for XML::Parser::Expat
Writing Makefile for XML::Parser
/usr/bin/make OPTIMIZE="-Wall -g -O2"
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
cp Parser/Encodings/x-sjis-cp932.enc blib/lib/XML/Parser/Encodings/x-sjis-cp932.enc
cp Parser/Encodings/iso-8859-7.enc blib/lib/XML/Parser/Encodings/iso-8859-7.enc
cp Parser/Encodings/iso-8859-10.enc blib/lib/XML/Parser/Encodings/iso-8859-10.enc
cp Parser/Style/Tree.pm blib/lib/XML/Parser/Style/Tree.pm
cp Parser/Encodings/iso-8859-9.enc blib/lib/XML/Parser/Encodings/iso-8859-9.enc
cp Parser/Encodings/iso-8859-11.enc blib/lib/XML/Parser/Encodings/iso-8859-11.enc
cp Parser/Encodings/x-euc-jp-unicode.enc blib/lib/XML/Parser/Encodings/x-euc-jp-unicode.enc
cp Parser/Encodings/iso-8859-14.enc blib/lib/XML/Parser/Encodings/iso-8859-14.enc
cp Parser/Encodings/iso-8859-1.enc blib/lib/XML/Parser/Encodings/iso-8859-1.enc
cp Parser/Encodings/big5.enc blib/lib/XML/Parser/Encodings/big5.enc
cp Parser/Encodings/iso-8859-6.enc blib/lib/XML/Parser/Encodings/iso-8859-6.enc
cp Parser/Encodings/iso-8859-15.enc blib/lib/XML/Parser/Encodings/iso-8859-15.enc
cp Parser/Encodings/x-sjis-jdk117.enc blib/lib/XML/Parser/Encodings/x-sjis-jdk117.enc
cp Parser/Encodings/x-sjis-unicode.enc blib/lib/XML/Parser/Encodings/x-sjis-unicode.enc
cp Parser/LWPExternEnt.pl blib/lib/XML/Parser/LWPExternEnt.pl
cp Parser/Style/Debug.pm blib/lib/XML/Parser/Style/Debug.pm
cp Parser/Encodings/windows-1251.enc blib/lib/XML/Parser/Encodings/windows-1251.enc
cp Parser/Encodings/iso-8859-5.enc blib/lib/XML/Parser/Encodings/iso-8859-5.enc
cp Parser/Encodings/README blib/lib/XML/Parser/Encodings/README
cp Parser/Encodings/euc-kr.enc blib/lib/XML/Parser/Encodings/euc-kr.enc
cp Parser/Encodings/windows-1250.enc blib/lib/XML/Parser/Encodings/windows-1250.enc
cp Parser/Encodings/windows-1252.enc blib/lib/XML/Parser/Encodings/windows-1252.enc
cp Parser/Encodings/Japanese_Encodings.msg blib/lib/XML/Parser/Encodings/Japanese_Encodings.msg
cp Parser/Encodings/iso-8859-3.enc blib/lib/XML/Parser/Encodings/iso-8859-3.enc
cp Parser/Encodings/iso-8859-8.enc blib/lib/XML/Parser/Encodings/iso-8859-8.enc
cp Parser/Encodings/x-euc-jp-jisx0221.enc blib/lib/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
cp Parser/Encodings/iso-8859-4.enc blib/lib/XML/Parser/Encodings/iso-8859-4.enc
cp Parser/Encodings/iso-8859-13.enc blib/lib/XML/Parser/Encodings/iso-8859-13.enc
cp Parser/Style/Subs.pm blib/lib/XML/Parser/Style/Subs.pm
cp Parser/Encodings/iso-8859-16.enc blib/lib/XML/Parser/Encodings/iso-8859-16.enc
cp Parser/Encodings/iso-8859-2.enc blib/lib/XML/Parser/Encodings/iso-8859-2.enc
cp Parser/Style/Objects.pm blib/lib/XML/Parser/Style/Objects.pm
cp Parser.pm blib/lib/XML/Parser.pm
cp Parser/Encodings/x-sjis-jisx0221.enc blib/lib/XML/Parser/Encodings/x-sjis-jisx0221.enc
cp Parser/Style/Stream.pm blib/lib/XML/Parser/Style/Stream.pm
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
cp Expat.pm ../blib/lib/XML/Parser/Expat.pm
/usr/bin/perl /usr/share/perl/5.10.1/ExtUtils/xsubpp -noprototypes -typemap /usr/share/perl/5.10/ExtUtils/typemap -typemap typemap Expat.xs > Expat.xsc && mv Expat.xsc Expat.c
cc -c -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -g -O2 -DVERSION=\"2.36\" -DXS_VERSION=\"2.36\" -fPIC "-I/usr/lib/perl/5.10/CORE" Expat.c
Expat.xs: In function ‘append_error’:
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 4 has type ‘XML_Size’
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 5 has type ‘XML_Size’
Expat.xs:220: warning: format ‘%d’ expects type ‘int’, but argument 6 has type ‘XML_Index’
Expat.xs: In function ‘generate_model’:
Expat.xs:255: warning: value computed is not used
Expat.xs:257: warning: value computed is not used
Expat.xs:262: warning: value computed is not used
Expat.xs:277: warning: value computed is not used
Expat.xs:260: warning: enumeration value ‘XML_CTYPE_EMPTY’ not handled in switch
Expat.xs:260: warning: enumeration value ‘XML_CTYPE_ANY’ not handled in switch
Expat.xs: In function ‘parse_stream’:
Expat.xs:298: warning: unused variable ‘buff’
Expat.xs: In function ‘startElement’:
Expat.xs:486: warning: unused variable ‘pnslst’
Expat.xs:485: warning: unused variable ‘pnstab’
Expat.xs:482: warning: unused variable ‘pcontext’
Expat.xs: In function ‘externalEntityRef’:
Expat.xs:1029: warning: value computed is not used
Expat.xs: In function ‘unknownEncoding’:
Expat.xs:1148: warning: unused variable ‘count’
Expat.xs: In function ‘XS_XML__Parser__Expat_ParseStream’:
Expat.xs:1464: warning: unused variable ‘delimsv’
Expat.xs: In function ‘XS_XML__Parser__Expat_ParsePartial’:
Expat.xs:1490: warning: unused variable ‘cbv’
Expat.xs: In function ‘XS_XML__Parser__Expat_SetDoctypeHandler’:
Expat.xs:1742: warning: unused variable ‘set’
Expat.c: In function ‘XS_XML__Parser__Expat_GetBase’:
Expat.c:2225: warning: unused variable ‘RETVAL’
Expat.xs: In function ‘XS_XML__Parser__Expat_DefaultCurrent’:
Expat.xs:1922: warning: unused variable ‘cbv’
Expat.c: In function ‘XS_XML__Parser__Expat_ErrorString’:
Expat.c:2564: warning: unused variable ‘targ’
Expat.c:2563: warning: unused variable ‘RETVAL’
Expat.xs: In function ‘XS_XML__Parser__Expat_LoadEncoding’:
Expat.xs:2072: warning: value computed is not used
Expat.xs: In function ‘XS_XML__Parser__Expat_Do_External_Parse’:
Expat.xs:2207: warning: unused variable ‘pret’
Expat.xs:2196: warning: unused variable ‘cbv’
Expat.xs:2194: warning: unused variable ‘type’
Expat.xs: In function ‘parse_stream’:
Expat.xs:291: warning: ‘linebuff’ may be used uninitialized in this function
Expat.xs:290: warning: ‘tsiz’ may be used uninitialized in this function
Expat.xs:289: warning: ‘tbuff’ may be used uninitialized in this function
Expat.c: In function ‘XS_XML__Parser__Expat_Do_External_Parse’:
Expat.c:2911: warning: ‘RETVAL’ may be used uninitialized in this function
Running Mkbootstrap for XML::Parser::Expat ()
chmod 644 Expat.bs
rm -f ../blib/arch/auto/XML/Parser/Expat/Expat.so
cc -shared -O2 -g -L/usr/local/lib -fstack-protector Expat.o -o ../blib/arch/auto/XML/Parser/Expat/Expat.so \
-lexpat \
chmod 755 ../blib/arch/auto/XML/Parser/Expat/Expat.so
cp Expat.bs ../blib/arch/auto/XML/Parser/Expat/Expat.bs
chmod 644 ../blib/arch/auto/XML/Parser/Expat/Expat.bs
Manifying ../blib/man3/XML::Parser::Expat.3pm
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
Manifying blib/man3/XML::Parser::Style::Objects.3pm
Manifying blib/man3/XML::Parser::Style::Debug.3pm
Manifying blib/man3/XML::Parser.3pm
Manifying blib/man3/XML::Parser::Style::Subs.3pm
Manifying blib/man3/XML::Parser::Style::Tree.3pm
Manifying blib/man3/XML::Parser::Style::Stream.3pm
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/make test
make[1]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
make[2]: Entering directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
make[2]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/astress.t ....... ok
t/cdata.t ......... ok
syntax error at line 14, column 3, byte 214:
%ext;
<![%bar;[
==^
<!ATTLIST bar xyz (a|b|c) 'b'>
]]>
error in processing external entity reference at line 21, column 3, byte 3161:
<!ELEMENT bar ANY>
<!ATTLIST bar big CDATA 'This is a large string value to test whether the declaration parser still works when the entity or attribute default value may be broken into multiple calls to the default handler. 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 '>
]>
==^
<foo/>
at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm line 187
t/decl.t ..........
Dubious, test returned 9 (wstat 2304, 0x900)
Failed 29/30 subtests
t/defaulted.t ..... ok
t/encoding.t ...... ok
t/external_ent.t .. ok
t/file.t .......... ok
t/finish.t ........ ok
t/namespaces.t .... ok
error in processing external entity reference at line 8, column 0, byte 173:
<!ENTITY more SYSTEM "t/ext2.ent">
]
>
^
<foo>Happy, happy
<bar>&joy;, &joy;</bar>
at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm line 187
t/parament.t ......
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 11/12 subtests
t/partial.t ....... ok
t/skip.t .......... ok
t/stream.t ........ ok
t/styles.t ........ ok
Test Summary Report
-------------------
t/decl.t (Wstat: 2304 Tests: 1 Failed: 0)
Non-zero exit status: 9
Parse errors: Bad plan. You planned 30 tests but ran 1.
t/parament.t (Wstat: 65280 Tests: 1 Failed: 0)
Non-zero exit status: 255
Parse errors: Bad plan. You planned 12 tests but ran 1.
Files=14, Tests=90, 0 wallclock secs ( 0.06 usr 0.02 sys + 0.38 cusr 0.08 csys = 0.54 CPU)
Result: FAIL
Failed 2/14 test programs. 0/90 subtests failed.
make[1]: *** [test_dynamic] Fehler 255
make[1]: Leaving directory `/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
make: *** [build-stamp] Fehler 2
dpkg-buildpackage: Fehler: debian/rules build gab Fehler-Exitstatus 2
Reply to: