Package: release.debian.org Severity: normal Tags: wheezy X-Debbugs-Cc: pkg-php-pear@lists.alioth.debian.org, team@security.debian.org User: release.debian.org@packages.debian.org Usertags: pu Hi, Follow up on #744893 from a few months ago: upstream adopted a better fix for CVE-2014-2053, to be published in the upcoming 1.9.9 upstream version. The fix, cherry-picked from the upstream VCS, is included in the 1.9.8-2 Debian package, just uploaded to Sid. Since the security team asked for addressing this via pu instead of a proper DSA last time, I believe this follow-up won’t deserve a DSA either (security team X-D-CC in case I’m wrong). Attached the debdiff, and the actual additional patch. Regards David -- System Information: Debian Release: jessie/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru php-getid3-1.9.3/debian/changelog php-getid3-1.9.3/debian/changelog
--- php-getid3-1.9.3/debian/changelog 2014-04-15 16:37:02.000000000 -0400
+++ php-getid3-1.9.3/debian/changelog 2014-09-23 19:24:07.000000000 -0400
@@ -1,3 +1,9 @@
+php-getid3 (1.9.3-1+deb7u2) wheezy; urgency=medium
+
+ * Improve fix for XXE security issue [CVE-2014-2053]
+
+ -- David Prévot <taffit@debian.org> Tue, 23 Sep 2014 19:24:07 -0400
+
php-getid3 (1.9.3-1+deb7u1) wheezy; urgency=medium
* Close potential XXE security issue [CVE-2014-2053]
diff -Nru php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch
--- php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-04-14 16:15:43.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400
@@ -6,11 +6,11 @@
Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
---
- getid3/getid3.lib.php | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
+ getid3/getid3.lib.php | 4 ++++
+ 1 file changed, 4 insertions(+)
diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
-index 723e2e2..e626027 100644
+index 723e2e2..86f60d6 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -523,6 +523,10 @@ class getid3_lib
diff -Nru php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch
--- php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 1969-12-31 20:00:00.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400
@@ -0,0 +1,38 @@
+From: James Heinrich <info@silisoftware.com>
+Date: Sun, 14 Sep 2014 14:13:30 -0400
+Subject: improved XXE fix (CVE-2014-2053)
+
+---
+ getid3/getid3.lib.php | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
+index 86f60d6..3f7b04d 100644
+--- a/getid3/getid3.lib.php
++++ b/getid3/getid3.lib.php
+@@ -521,16 +521,15 @@ class getid3_lib
+ }
+
+ static function XML2array($XMLstring) {
+- if (function_exists('simplexml_load_string')) {
+- if (function_exists('get_object_vars')) {
+- if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
+- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+- libxml_disable_entity_loader(true);
+- }
+- $XMLobject = simplexml_load_string($XMLstring);
+- return self::SimpleXMLelement2array($XMLobject);
+- }
+- }
++ if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
++ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
++ // https://core.trac.wordpress.org/changeset/29378
++ $loader = libxml_disable_entity_loader(true);
++ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
++ $return = self::SimpleXMLelement2array($XMLobject);
++ libxml_disable_entity_loader($loader);
++ return $return;
++ }
+ return false;
+ }
+
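Review bot: `LIBXML_NOENT` on the simplexml_load_string() call in the new XML2array body turns entity substitution on rather than off, so with the entity loader disabled external entities are merely not fetched while internal entities declared in a DOCTYPE are still expanded; the flag name is commonly misread, and although libxml2's built-in expansion limit probably bounds the worst case, the flag does the opposite of what the surrounding comments intend. Pass `LIBXML_NONET` instead and leave substitution off: `$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NONET);`. simplexml_load_string() also returns false on malformed input, and that value is handed straight to SimpleXMLelement2array(); guarding it keeps the loader restore on the same path: `$return = ($XMLobject === false) ? false : self::SimpleXMLelement2array($XMLobject);`. The standalone patch attached at the end of the report carries the same hunk, so both copies need the change.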
diff -Nru php-getid3-1.9.3/debian/patches/series php-getid3-1.9.3/debian/patches/series
--- php-getid3-1.9.3/debian/patches/series 2014-04-14 16:14:43.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/series 2014-09-23 19:22:19.000000000 -0400
@@ -1 +1,2 @@
0001-close-potential-XXE-security-issue-CVE-2014-2053.patch
+0002-improved-XXE-fix-CVE-2014-2053.patch
From: James Heinrich <info@silisoftware.com>
Date: Sun, 14 Sep 2014 14:13:30 -0400
Subject: improved XXE fix (CVE-2014-2053)
---
getid3/getid3.lib.php | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index 86f60d6..3f7b04d 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -521,16 +521,15 @@ class getid3_lib
}
static function XML2array($XMLstring) {
- if (function_exists('simplexml_load_string')) {
- if (function_exists('get_object_vars')) {
- if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
- libxml_disable_entity_loader(true);
- }
- $XMLobject = simplexml_load_string($XMLstring);
- return self::SimpleXMLelement2array($XMLobject);
- }
- }
+ if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
+ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+ // https://core.trac.wordpress.org/changeset/29378
+ $loader = libxml_disable_entity_loader(true);
+ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
+ $return = self::SimpleXMLelement2array($XMLobject);
+ libxml_disable_entity_loader($loader);
+ return $return;
+ }
return false;
}