Your message dated Sat, 18 Oct 2014 12:06:30 +0100 with message-id <E1XfRqA-0002T7-RJ@jacala> and subject line Closing bugs for updates in 7.7 has caused the Debian Bug report #762644, regarding wheezy-pu: package php-getid3/1.9.3-1+deb7u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
762644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762644
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package php-getid3/1.9.3-1+deb7u2
- From: David Prévot <taffit@debian.org>
- Date: Tue, 23 Sep 2014 21:22:47 -0400
- Message-id: <20140924012247.GA22317@mikado.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: wheezy
X-Debbugs-Cc: pkg-php-pear@lists.alioth.debian.org, team@security.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Follow-up on #744893 from a few months ago: upstream adopted a better fix for CVE-2014-2053, to be published in the upcoming 1.9.9 upstream version. The fix, cherry-picked from the upstream VCS, is included in the 1.9.8-2 Debian package, just uploaded to Sid.

Since the security team asked for addressing this via pu instead of a proper DSA last time, I believe this follow-up won’t deserve a DSA either (security team X-D-CC in case I’m wrong).

Attached the debdiff, and the actual additional patch.

Regards

David

-- System Information:
Debian Release: jessie/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru php-getid3-1.9.3/debian/changelog php-getid3-1.9.3/debian/changelog --- php-getid3-1.9.3/debian/changelog 2014-04-15 16:37:02.000000000 -0400 +++ php-getid3-1.9.3/debian/changelog 2014-09-23 19:24:07.000000000 -0400
@@ -1,3 +1,9 @@ +php-getid3 (1.9.3-1+deb7u2) wheezy; urgency=medium + + * Improve fix for XXE security issue [CVE-2014-2053] + + -- David Prévot <taffit@debian.org> Tue, 23 Sep 2014 19:24:07 -0400 + php-getid3 (1.9.3-1+deb7u1) wheezy; urgency=medium * Close potential XXE security issue [CVE-2014-2053] diff -Nru php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch --- php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-04-14 16:15:43.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400 @@ -6,11 +6,11 @@ Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc --- - getid3/getid3.lib.php | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) + getid3/getid3.lib.php | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php -index 723e2e2..e626027 100644 +index 723e2e2..86f60d6 100644 --- a/getid3/getid3.lib.php +++ b/getid3/getid3.lib.php @@ -523,6 +523,10 @@ class getid3_lib diff -Nru php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch --- php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 1969-12-31 20:00:00.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400 
@@ -0,0 +1,38 @@ +From: James Heinrich <info@silisoftware.com> +Date: Sun, 14 Sep 2014 14:13:30 -0400 +Subject: improved XXE fix (CVE-2014-2053) + +--- + getid3/getid3.lib.php | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php +index 86f60d6..3f7b04d 100644 +--- a/getid3/getid3.lib.php ++++ b/getid3/getid3.lib.php +@@ -521,16 +521,15 @@ class getid3_lib + } + + static function XML2array($XMLstring) { +- if (function_exists('simplexml_load_string')) { +- if (function_exists('get_object_vars')) { +- if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) +- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html +- libxml_disable_entity_loader(true); +- } +- $XMLobject = simplexml_load_string($XMLstring); +- return self::SimpleXMLelement2array($XMLobject); +- } +- } ++ if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) { ++ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html ++ // https://core.trac.wordpress.org/changeset/29378 ++ $loader = libxml_disable_entity_loader(true); ++ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); ++ $return = self::SimpleXMLelement2array($XMLobject); ++ libxml_disable_entity_loader($loader); ++ return $return; ++ } + return false; + } + diff -Nru php-getid3-1.9.3/debian/patches/series php-getid3-1.9.3/debian/patches/series --- php-getid3-1.9.3/debian/patches/series 2014-04-14 16:14:43.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/series 2014-09-23 19:22:19.000000000 -0400 @@ -1 +1,2 @@ 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch +0002-improved-XXE-fix-CVE-2014-2053.patchFrom: James Heinrich <info@silisoftware.com> Date: Sun, 14 Sep 2014 14:13:30 -0400 Subject: improved XXE fix (CVE-2014-2053) --- getid3/getid3.lib.php | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) 
diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php index 86f60d6..3f7b04d 100644 --- a/getid3/getid3.lib.php +++ b/getid3/getid3.lib.php @@ -521,16 +521,15 @@ class getid3_lib } static function XML2array($XMLstring) { - if (function_exists('simplexml_load_string')) { - if (function_exists('get_object_vars')) { - if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) - // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html - libxml_disable_entity_loader(true); - } - $XMLobject = simplexml_load_string($XMLstring); - return self::SimpleXMLelement2array($XMLobject); - } - } + if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) { + // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + // https://core.trac.wordpress.org/changeset/29378 + $loader = libxml_disable_entity_loader(true); + $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); + $return = self::SimpleXMLelement2array($XMLobject); + libxml_disable_entity_loader($loader); + return $return; + } return false; }Attachment: signature.asc
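Review bot: the new XML2array body in 0002-improved-XXE-fix-CVE-2014-2053.patch hands `$XMLobject` straight to `self::SimpleXMLelement2array($XMLobject)` without checking the return value of `simplexml_load_string()`, which is `false` on malformed or empty input; inserting `if ($XMLobject === false) { libxml_disable_entity_loader($loader); return false; }` between the two calls keeps the saved loader state restored on a parse failure and avoids passing `false` into the array conversion. The hunk would also benefit from one comment line saying why `LIBXML_NOENT` is now passed: it switches entity substitution on, so the protection against external entities rests entirely on `libxml_disable_entity_loader(true)` being in effect for that single call, and the two URLs in the hunk do not say that on their own.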
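Review bot: the hunk touching 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch changes only the diffstat (`6 +++++-` / `5 insertions(+), 1 deletion(-)` to `4 ++++` / `4 insertions(+)`) and the blob line `index 723e2e2..e626027` to `index 723e2e2..86f60d6`, while the `@@ -523,6 +523,10 @@ class getid3_lib` hunk header and the patch body stay as unchanged context, so the code shipped in deb7u1 is not altered and the refresh appears to exist so that the `index 86f60d6..3f7b04d` line in 0002 chains onto it; the changelog entry "Improve fix for XXE security issue [CVE-2014-2053]" should say that 0001 was refreshed to the upstream commit metadata, so a reader comparing deb7u1 and deb7u2 does not conclude that the first fix was wrong.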
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 762644-done@bugs.debian.org
- Subject: Closing bugs for updates in 7.7
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 18 Oct 2014 12:06:30 +0100
- Message-id: <E1XfRqA-0002T7-RJ@jacala>
Version: 7.7

The upload discussed in this bug was included in the 7.7 point release.

Regards,

Adam
--- End Message ---