
Bug#762644: marked as done (wheezy-pu: package php-getid3/1.9.3-1+deb7u2)



Your message dated Sat, 18 Oct 2014 12:06:30 +0100
with message-id <E1XfRqA-0002T7-RJ@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #762644,
regarding wheezy-pu: package php-getid3/1.9.3-1+deb7u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
762644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762644
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
X-Debbugs-Cc: pkg-php-pear@lists.alioth.debian.org, team@security.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Follow-up on #744893 from a few months ago: upstream adopted a better
fix for CVE-2014-2053, to be published in the upcoming 1.9.9 upstream
version. The fix, cherry-picked from the upstream VCS, is included in
the 1.9.8-2 Debian package, just uploaded to Sid.

Since the security team asked for addressing this via pu instead of a
proper DSA last time, I believe this follow-up won’t deserve a DSA
either (security team X-D-CC in case I’m wrong).

Attached the debdiff, and the actual additional patch.

Regards

David

-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru php-getid3-1.9.3/debian/changelog php-getid3-1.9.3/debian/changelog
--- php-getid3-1.9.3/debian/changelog	2014-04-15 16:37:02.000000000 -0400
+++ php-getid3-1.9.3/debian/changelog	2014-09-23 19:24:07.000000000 -0400
@@ -1,3 +1,9 @@
+php-getid3 (1.9.3-1+deb7u2) wheezy; urgency=medium
+
+  * Improve fix for XXE security issue [CVE-2014-2053]
+
+ -- David Prévot <taffit@debian.org>  Tue, 23 Sep 2014 19:24:07 -0400
+
 php-getid3 (1.9.3-1+deb7u1) wheezy; urgency=medium
 
   * Close potential XXE security issue [CVE-2014-2053]
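Review bot: the new changelog bullet "Improve fix for XXE security issue" leaves out a behaviour change that the rest of this debdiff introduces: after patch 0002, getid3_lib::XML2array() returns false when libxml_disable_entity_loader() is unavailable, where the 1.9.3-1+deb7u1 code parsed the document anyway. Consider a second bullet such as "  * XML2array() now refuses to parse XML when libxml_disable_entity_loader() is unavailable" so the point-release notes record the fail-closed behaviour.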
diff -Nru php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch
--- php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch	2014-04-14 16:15:43.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch	2014-09-23 19:22:19.000000000 -0400
@@ -6,11 +6,11 @@
 
 Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
 ---
- getid3/getid3.lib.php | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
+ getid3/getid3.lib.php | 4 ++++
+ 1 file changed, 4 insertions(+)
 
 diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
-index 723e2e2..e626027 100644
+index 723e2e2..86f60d6 100644
 --- a/getid3/getid3.lib.php
 +++ b/getid3/getid3.lib.php
 @@ -523,6 +523,10 @@ class getid3_lib
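Review bot: this region only resyncs patch 0001's metadata, and it would help to say so in the changelog so nobody hunts for a functional change. The diffstat goes from "5 insertions(+), 1 deletion(-)" to "4 insertions(+)", which is what the unchanged hunk header `@@ -523,6 +523,10 @@` actually describes, and the post-image blob id becomes 86f60d6, the same id patch 0002 names as its pre-image in `index 86f60d6..3f7b04d`; without that resync the two patches would not describe a consistent sequence, even though quilt applies them by content rather than by blob id.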
diff -Nru php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch
--- php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch	1969-12-31 20:00:00.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch	2014-09-23 19:22:19.000000000 -0400
@@ -0,0 +1,38 @@
+From: James Heinrich <info@silisoftware.com>
+Date: Sun, 14 Sep 2014 14:13:30 -0400
+Subject: improved XXE fix (CVE-2014-2053)
+
+---
+ getid3/getid3.lib.php | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
+index 86f60d6..3f7b04d 100644
+--- a/getid3/getid3.lib.php
++++ b/getid3/getid3.lib.php
+@@ -521,16 +521,15 @@ class getid3_lib
+ 	}
+ 
+ 	static function XML2array($XMLstring) {
+-		if (function_exists('simplexml_load_string')) {
+-			if (function_exists('get_object_vars')) {
+-				if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
+-					// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+-					libxml_disable_entity_loader(true);
+-				}
+-				$XMLobject = simplexml_load_string($XMLstring);
+-				return self::SimpleXMLelement2array($XMLobject);
+-			}
+-		}
++		if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
++			// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
++			// https://core.trac.wordpress.org/changeset/29378
++			$loader = libxml_disable_entity_loader(true); 
++			$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); 
++			$return = self::SimpleXMLelement2array($XMLobject); 
++			libxml_disable_entity_loader($loader); 
++			return $return; 
++		} 
+ 		return false;
+ 	}
+ 
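Review bot: the rewritten XML2array() passes LIBXML_NOENT to simplexml_load_string(), and LIBXML_NOENT is the flag that switches entity substitution on; the only thing that stops an external entity from being fetched (the CVE-2014-2053 XXE vector) is the libxml_disable_entity_loader(true) call immediately before it, so the two lines must stay together and the flag must not be copied elsewhere on its own. If getID3 does not need entity substitution for the metadata XML it reads, dropping LIBXML_NOENT while keeping the loader disabled is the more conservative fix; if it does need it, a comment saying why belongs next to the flag. The previous loader state is correctly saved in $loader and restored, but the restore sits after self::SimpleXMLelement2array(), so if that conversion throws, the process-wide setting is left disabled for the rest of the request; moving `libxml_disable_entity_loader($loader);` directly after the simplexml_load_string() call is enough, since the loader only matters while the document is being parsed. The six added lines from `$loader = ...` to the closing `}` also carry trailing whitespace.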
diff -Nru php-getid3-1.9.3/debian/patches/series php-getid3-1.9.3/debian/patches/series
--- php-getid3-1.9.3/debian/patches/series	2014-04-14 16:14:43.000000000 -0400
+++ php-getid3-1.9.3/debian/patches/series	2014-09-23 19:22:19.000000000 -0400
@@ -1 +1,2 @@
 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch
+0002-improved-XXE-fix-CVE-2014-2053.patch
From: James Heinrich <info@silisoftware.com>
Date: Sun, 14 Sep 2014 14:13:30 -0400
Subject: improved XXE fix (CVE-2014-2053)

---
 getid3/getid3.lib.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index 86f60d6..3f7b04d 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -521,16 +521,15 @@ class getid3_lib
 	}
 
 	static function XML2array($XMLstring) {
-		if (function_exists('simplexml_load_string')) {
-			if (function_exists('get_object_vars')) {
-				if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
-					// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
-					libxml_disable_entity_loader(true);
-				}
-				$XMLobject = simplexml_load_string($XMLstring);
-				return self::SimpleXMLelement2array($XMLobject);
-			}
-		}
+		if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
+			// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+			// https://core.trac.wordpress.org/changeset/29378
+			$loader = libxml_disable_entity_loader(true); 
+			$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); 
+			$return = self::SimpleXMLelement2array($XMLobject); 
+			libxml_disable_entity_loader($loader); 
+			return $return; 
+		} 
 		return false;
 	}
 
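Review bot: the return value of simplexml_load_string() is handed straight to self::SimpleXMLelement2array() without a check, and simplexml_load_string() returns false on malformed input; adding `if ($XMLobject === false) { libxml_disable_entity_loader($loader); return false; }` between the two calls keeps the loader state consistent on the error path and gives callers the same false they already get when SimpleXML is unavailable. On the header: this patch carries From/Date/Subject but, unlike 0001, no DEP-3 `Origin:` line; since the covering mail says it was cherry-picked from the upstream VCS, adding `Origin: upstream, <upstream commit URL>` and `Bug-Debian: http://bugs.debian.org/762644` lets the security team and later maintainers check it against upstream. (This attachment is identical in content to the debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch file added in the debdiff above.)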

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.7

The upload discussed in this bug was included in the 7.7 point release.

Regards,

Adam

--- End Message ---
