Re: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
Niko Tyni wrote:
>> Could you please run the failing tests with Expat directly, instead of the
>> Perl parser?
> I'm able to reproduce (at least part of) the problem without the Perl
> bindings, using the 'xmlwf' example tool from the expat source (shipped
> in the 'expat' package on Debian.)
> I'm attaching an example XML document and the external DTD it
> references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
> silently passes. With the patch, the output is
> t.dtd:4:3: syntax error
> t.xml:2:28: error in processing external entity reference
> (The DTD was copied verbatim from the example at
> http://www.w3.org/TR/REC-xml/#sec-condition-sect )
I revised the patch - see newest revision of xmlparse.c (rev. 166).
May I ask for a favour:
Please discuss these issues directly on the comments of the bug entry on
SourceForge. Without this we will have no clue what things were discussed and
discovered while fixing a bug.