
Re: [Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser



Niko Tyni wrote:

>> Could you please run the failing tests with Expat directly, instead of the
>> Perl parser?
> 
> I'm able to reproduce (at least part of) the problem without the Perl
> bindings, using the 'xmlwf' example tool from the expat source (shipped
> in the 'expat' package on Debian.)
> 
> I'm attaching an example XML document and the external DTD it
> references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
> silently passes. With the patch, the output is
> 
>  t.dtd:4:3: syntax error
>  t.xml:2:28: error in processing external entity reference
> 
> (The DTD was copied verbatim from the example at
>  http://www.w3.org/TR/REC-xml/#sec-condition-sect )

I revised the patch - see newest revision of xmlparse.c (rev. 166).

May I ask for a favour:
Please discuss these issues directly on the comments of the bug entry on
SourceForge. Without this we will have no clue what things were discussed and
discovered while fixing a bug.

Thanks,

Karl


