[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser

On Wed, Dec 23, 2009 at 02:51:04PM -0500, Karl Waclawek wrote:
> Daniel Leidert wrote:
> > x-post to expat-discuss, debian-devel and debian-perl

> > The security issue known as CVE-2009-3560 [1] has been fixed in expats
> > source code some time ago [2]. Now a Debian user informed [3] me, that
> > the fix breaks parsing XML files with entities using Perls XML parser.
> > Also several tests of the suite then fail (attached build log). So this
> > makes the problem RC for us Debian and creates a problem in the *stable
> > suites.

> > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> > [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> > [3] http://bugs.debian.org/561658

> Could you please run the failing tests with Expat directly, instead of the
> Perl parser?

I'm able to reproduce (at least part of) the problem without the Perl
bindings, using the 'xmlwf' example tool from the expat source (shipped
in the 'expat' package on Debian.)

I'm attaching an example XML document and the external DTD it
references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
silently passes. With the patch, the output is

 t.dtd:4:3: syntax error
 t.xml:2:28: error in processing external entity reference

(The DTD was copied verbatim from the example at
 http://www.w3.org/TR/REC-xml/#sec-condition-sect )
Niko Tyni   ntyni@debian.org

Attachment: t.xml
Description: XML document

<!ENTITY % draft 'INCLUDE' >
<!ENTITY % final 'IGNORE' >

<!ELEMENT book (comments*, title, body, supplements?)>
<!ELEMENT book (title, body, supplements?)>

Reply to: