[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-devel
Subject: RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser
From: Daniel Leidert <daniel.leidert.spam () gmx ! net>
Date: 2009-12-23 14:05:30
Message-ID: 1261577130.19144.26.camel () haktar ! wgdd ! de
[Download RAW message or body]
x-post to expat-discuss, debian-devel and debian-perl
Hi,
The security issue known as CVE-2009-3560 [1] has been fixed in expats
source code some time ago [2]. Now a Debian user informed [3] me, that
the fix breaks parsing XML files with entities using Perls XML parser.
Also several tests of the suite then fail (attached build log). So this
makes the problem RC for us Debian and creates a problem in the *stable
suites.
I guess, the Perl XML parser needs to be fixed and not expat. But I'm
not familiar with the Perl module. I wonder if you (expat developers)
have been informed about this? Unfortunately the author of the Perl XML
parser module seems not active anymore (CCed him tough).
Is someone able to help to track this down? Any help is appreciated.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://bugs.debian.org/561658
Regards, Daniel
["libxml-parser-perl_2.36-1.2_amd64.build" (libxml-parser-perl_2.36-1.2_amd64.build)]
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: setze CFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CPPFLAGS auf Standardwert:
dpkg-buildpackage: setze LDFLAGS auf Standardwert:
dpkg-buildpackage: setze FFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: setze CXXFLAGS auf Standardwert: -g -O2
dpkg-buildpackage: Quellpaket libxml-parser-perl
dpkg-buildpackage: Quellversion 2.36-1.2
dpkg-buildpackage: Quellen geändert durch Daniel Leidert (dale) \
<daniel.leidert@wgdd.de>
dpkg-buildpackage: Host-Architektur amd64
fakeroot debian/rules clean
dh_testdir
dh_testroot
[ ! -f Makefile ] || /usr/bin/make realclean
make[1]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make clean'\'' if -f \
'\''Makefile'\'';' -- make[2]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
rm -f \
*.a core \
core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
core.[0-9][0-9] Expat.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Expat.x Expat.bs \
perl tmon.out \
*.o pm_to_blib \
../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
*perl.core core.*perl.*.? \
Makefile.aperl perl \
Expat.def core.[0-9][0-9][0-9] \
mon.out libExpat.def \
perlmain.c perl.exe \
so_locations Expat.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
rm -f \
*.a core \
core.[0-9] blib/arch/auto/XML/Parser/extralibs.all \
core.[0-9][0-9] Parser.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Parser.x \
perl tmon.out \
*.o pm_to_blib \
blib/arch/auto/XML/Parser/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] *perl.core \
core.*perl.*.? Makefile.aperl \
Parser.def perl \
core.[0-9][0-9][0-9] mon.out \
libParser.def perl.exe \
perlmain.c so_locations \
Parser.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile.old \
realclean'\'' if -f '\''Makefile.old'\'';' -- make[2]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
rm -f \
*.a core \
core.[0-9] ../blib/arch/auto/XML/Parser/Expat/extralibs.all \
core.[0-9][0-9] Expat.bso \
pm_to_blib.ts core.[0-9][0-9][0-9][0-9] \
Expat.x Expat.bs \
perl tmon.out \
*.o pm_to_blib \
../blib/arch/auto/XML/Parser/Expat/extralibs.ld blibdirs.ts \
core.[0-9][0-9][0-9][0-9][0-9] Expat.c \
*perl.core core.*perl.*.? \
Makefile.aperl perl \
Expat.def core.[0-9][0-9][0-9] \
mon.out libExpat.def \
perlmain.c perl.exe \
so_locations Expat.exp
rm -rf \
blib
mv Makefile Makefile.old > /dev/null 2>&1
make[2]: [clean] Fehler 1 (ignoriert)
rm -f \
Expat.o Makefile.old \
Makefile
rm -rf \
make[2]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat'
/usr/bin/perl -e 'chdir '\''Expat'\''; system '\''make -f Makefile \
realclean'\'' if -f '\''Makefile'\'';' -- rm -f \
Makefile.old Makefile
rm -rf \
XML-Parser-2.36
make[1]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36' \
dh_clean README.Encodings build-stamp install-stamp \ \
Parser/Encodings/iso-8859-1.enc Parser/Encodings/iso-8859-6.enc \
Parser/Encodings/iso-8859-10.enc Parser/Encodings/iso-8859-11.enc \
Parser/Encodings/iso-8859-13.enc Parser/Encodings/iso-8859-14.enc \
Parser/Encodings/iso-8859-15.enc Parser/Encodings/iso-8859-16.enc \
Parser/Encodings/windows-1251.enc
dh_clean: Compatibility levels before 5 are deprecated.
dpkg-source -b libxml-parser-perl-2.36
dpkg-source: Information: verwende Quellformat »1.0 «
dpkg-source: Information: baue libxml-parser-perl unter Benutzung des \
existierenden libxml-parser-perl_2.36.orig.tar.gz
dpkg-source: Information: baue libxml-parser-perl in \
libxml-parser-perl_2.36-1.2.diff.gz
dpkg-source: Warnung: der Diff verändert die folgenden Dateien der \
Originalautoren: Expat/Expat.xs
samples/canonical
samples/xmlcomments
samples/xmlfilter
samples/xmlstats
dpkg-source: Information: verwenden Sie das Format »3.0 (quilt) «, um \
separate und dokumentierte Änderungen an den Dateien der Originalautoren \
zu erhalten, siehe dpkg-source(1)
dpkg-source: Information: baue libxml-parser-perl in \
libxml-parser-perl_2.36-1.2.dsc debian/rules build
dh_testdir
uudecode -o Parser/Encodings/iso-8859-1.enc \
debian/encodings/iso-8859-1.uuenc ; uudecode -o \
Parser/Encodings/iso-8859-6.enc debian/encodings/iso-8859-6.uuenc ; \
uudecode -o Parser/Encodings/iso-8859-10.enc \
debian/encodings/iso-8859-10.uuenc ; uudecode -o \
Parser/Encodings/iso-8859-11.enc debian/encodings/iso-8859-11.uuenc ; \
uudecode -o Parser/Encodings/iso-8859-13.enc \
debian/encodings/iso-8859-13.uuenc ; uudecode -o \
Parser/Encodings/iso-8859-14.enc debian/encodings/iso-8859-14.uuenc ; \
uudecode -o Parser/Encodings/iso-8859-15.enc \
debian/encodings/iso-8859-15.uuenc ; uudecode -o \
Parser/Encodings/iso-8859-16.enc debian/encodings/iso-8859-16.uuenc ; \
uudecode -o Parser/Encodings/windows-1251.enc \
debian/encodings/windows-1251.uuenc ; perl Makefile.PL INSTALLDIRS=vendor
Checking if your kit is complete...
Looks good
Writing Makefile for XML::Parser::Expat
Writing Makefile for XML::Parser
/usr/bin/make OPTIMIZE="-Wall -g -O2"
make[1]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36' cp \
Parser/Encodings/x-sjis-cp932.enc \
blib/lib/XML/Parser/Encodings/x-sjis-cp932.enc cp \
Parser/Encodings/iso-8859-7.enc \
blib/lib/XML/Parser/Encodings/iso-8859-7.enc cp \
Parser/Encodings/iso-8859-10.enc \
blib/lib/XML/Parser/Encodings/iso-8859-10.enc cp Parser/Style/Tree.pm \
blib/lib/XML/Parser/Style/Tree.pm cp Parser/Encodings/iso-8859-9.enc \
blib/lib/XML/Parser/Encodings/iso-8859-9.enc cp \
Parser/Encodings/iso-8859-11.enc \
blib/lib/XML/Parser/Encodings/iso-8859-11.enc cp \
Parser/Encodings/x-euc-jp-unicode.enc \
blib/lib/XML/Parser/Encodings/x-euc-jp-unicode.enc cp \
Parser/Encodings/iso-8859-14.enc \
blib/lib/XML/Parser/Encodings/iso-8859-14.enc cp \
Parser/Encodings/iso-8859-1.enc \
blib/lib/XML/Parser/Encodings/iso-8859-1.enc cp Parser/Encodings/big5.enc \
blib/lib/XML/Parser/Encodings/big5.enc cp Parser/Encodings/iso-8859-6.enc \
blib/lib/XML/Parser/Encodings/iso-8859-6.enc cp \
Parser/Encodings/iso-8859-15.enc \
blib/lib/XML/Parser/Encodings/iso-8859-15.enc cp \
Parser/Encodings/x-sjis-jdk117.enc \
blib/lib/XML/Parser/Encodings/x-sjis-jdk117.enc cp \
Parser/Encodings/x-sjis-unicode.enc \
blib/lib/XML/Parser/Encodings/x-sjis-unicode.enc cp Parser/LWPExternEnt.pl \
blib/lib/XML/Parser/LWPExternEnt.pl cp Parser/Style/Debug.pm \
blib/lib/XML/Parser/Style/Debug.pm cp Parser/Encodings/windows-1251.enc \
blib/lib/XML/Parser/Encodings/windows-1251.enc cp \
Parser/Encodings/iso-8859-5.enc \
blib/lib/XML/Parser/Encodings/iso-8859-5.enc cp Parser/Encodings/README \
blib/lib/XML/Parser/Encodings/README cp Parser/Encodings/euc-kr.enc \
blib/lib/XML/Parser/Encodings/euc-kr.enc cp \
Parser/Encodings/windows-1250.enc \
blib/lib/XML/Parser/Encodings/windows-1250.enc cp \
Parser/Encodings/windows-1252.enc \
blib/lib/XML/Parser/Encodings/windows-1252.enc cp \
Parser/Encodings/Japanese_Encodings.msg \
blib/lib/XML/Parser/Encodings/Japanese_Encodings.msg cp \
Parser/Encodings/iso-8859-3.enc \
blib/lib/XML/Parser/Encodings/iso-8859-3.enc cp \
Parser/Encodings/iso-8859-8.enc \
blib/lib/XML/Parser/Encodings/iso-8859-8.enc cp \
Parser/Encodings/x-euc-jp-jisx0221.enc \
blib/lib/XML/Parser/Encodings/x-euc-jp-jisx0221.enc cp \
Parser/Encodings/iso-8859-4.enc \
blib/lib/XML/Parser/Encodings/iso-8859-4.enc cp \
Parser/Encodings/iso-8859-13.enc \
blib/lib/XML/Parser/Encodings/iso-8859-13.enc cp Parser/Style/Subs.pm \
blib/lib/XML/Parser/Style/Subs.pm cp Parser/Encodings/iso-8859-16.enc \
blib/lib/XML/Parser/Encodings/iso-8859-16.enc cp \
Parser/Encodings/iso-8859-2.enc \
blib/lib/XML/Parser/Encodings/iso-8859-2.enc cp Parser/Style/Objects.pm \
blib/lib/XML/Parser/Style/Objects.pm cp Parser.pm blib/lib/XML/Parser.pm
cp Parser/Encodings/x-sjis-jisx0221.enc \
blib/lib/XML/Parser/Encodings/x-sjis-jisx0221.enc cp Parser/Style/Stream.pm \
blib/lib/XML/Parser/Style/Stream.pm make[2]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
cp Expat.pm ../blib/lib/XML/Parser/Expat.pm
/usr/bin/perl /usr/share/perl/5.10.1/ExtUtils/xsubpp -noprototypes -typemap \
/usr/share/perl/5.10/ExtUtils/typemap -typemap typemap Expat.xs > \
Expat.xsc && mv Expat.xsc Expat.c cc -c -D_REENTRANT -D_GNU_SOURCE \
-DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include \
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -g -O2 \
-DVERSION=\"2.36\" -DXS_VERSION=\"2.36\" -fPIC "-I/usr/lib/perl/5.10/CORE" \
Expat.c
Expat.xs: In function ‘append_error':
Expat.xs:220: warning: format ‘%d' expects type ‘int', but argument 4 \
has type ‘XML_Size' Expat.xs:220: warning: format ‘%d' expects type \
‘int', but argument 5 has type ‘XML_Size' Expat.xs:220: warning: format \
‘%d' expects type ‘int', but argument 6 has type \
‘XML_Index'
Expat.xs: In function ‘generate_model':
Expat.xs:255: warning: value computed is not used
Expat.xs:257: warning: value computed is not used
Expat.xs:262: warning: value computed is not used
Expat.xs:277: warning: value computed is not used
Expat.xs:260: warning: enumeration value ‘XML_CTYPE_EMPTY' not handled in \
switch Expat.xs:260: warning: enumeration value ‘XML_CTYPE_ANY' not \
handled in switch
Expat.xs: In function ‘parse_stream':
Expat.xs:298: warning: unused variable ‘buff'
Expat.xs: In function ‘startElement':
Expat.xs:486: warning: unused variable ‘pnslst'
Expat.xs:485: warning: unused variable ‘pnstab'
Expat.xs:482: warning: unused variable ‘pcontext'
Expat.xs: In function ‘externalEntityRef':
Expat.xs:1029: warning: value computed is not used
Expat.xs: In function ‘unknownEncoding':
Expat.xs:1148: warning: unused variable ‘count'
Expat.xs: In function ‘XS_XML__Parser__Expat_ParseStream':
Expat.xs:1464: warning: unused variable ‘delimsv'
Expat.xs: In function ‘XS_XML__Parser__Expat_ParsePartial':
Expat.xs:1490: warning: unused variable ‘cbv'
Expat.xs: In function ‘XS_XML__Parser__Expat_SetDoctypeHandler':
Expat.xs:1742: warning: unused variable ‘set'
Expat.c: In function ‘XS_XML__Parser__Expat_GetBase':
Expat.c:2225: warning: unused variable ‘RETVAL'
Expat.xs: In function ‘XS_XML__Parser__Expat_DefaultCurrent':
Expat.xs:1922: warning: unused variable ‘cbv'
Expat.c: In function ‘XS_XML__Parser__Expat_ErrorString':
Expat.c:2564: warning: unused variable ‘targ'
Expat.c:2563: warning: unused variable ‘RETVAL'
Expat.xs: In function ‘XS_XML__Parser__Expat_LoadEncoding':
Expat.xs:2072: warning: value computed is not used
Expat.xs: In function ‘XS_XML__Parser__Expat_Do_External_Parse':
Expat.xs:2207: warning: unused variable ‘pret'
Expat.xs:2196: warning: unused variable ‘cbv'
Expat.xs:2194: warning: unused variable ‘type'
Expat.xs: In function ‘parse_stream':
Expat.xs:291: warning: ‘linebuff' may be used uninitialized in this \
function Expat.xs:290: warning: ‘tsiz' may be used uninitialized in this \
function Expat.xs:289: warning: ‘tbuff' may be used uninitialized in this \
function
Expat.c: In function ‘XS_XML__Parser__Expat_Do_External_Parse':
Expat.c:2911: warning: ‘RETVAL' may be used uninitialized in this \
function Running Mkbootstrap for XML::Parser::Expat ()
chmod 644 Expat.bs
rm -f ../blib/arch/auto/XML/Parser/Expat/Expat.so
cc -shared -O2 -g -L/usr/local/lib -fstack-protector Expat.o -o \
../blib/arch/auto/XML/Parser/Expat/Expat.so \
-lexpat \
chmod 755 ../blib/arch/auto/XML/Parser/Expat/Expat.so
cp Expat.bs ../blib/arch/auto/XML/Parser/Expat/Expat.bs
chmod 644 ../blib/arch/auto/XML/Parser/Expat/Expat.bs
Manifying ../blib/man3/XML::Parser::Expat.3pm
make[2]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
Manifying blib/man3/XML::Parser::Style::Objects.3pm Manifying \
blib/man3/XML::Parser::Style::Debug.3pm Manifying blib/man3/XML::Parser.3pm
Manifying blib/man3/XML::Parser::Style::Subs.3pm
Manifying blib/man3/XML::Parser::Style::Tree.3pm
Manifying blib/man3/XML::Parser::Style::Stream.3pm
make[1]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
/usr/bin/make test
make[1]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36' \
make[2]: Entering directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
make[2]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/Expat' \
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" \
"test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/astress.t ....... ok
t/cdata.t ......... ok
syntax error at line 14, column 3, byte 214:
%ext;
<![%bar;[
==^
<!ATTLIST bar xyz (a|b|c) 'b'>
]]>
error in processing external entity reference at line 21, column 3, byte \
3161: <!ELEMENT bar ANY>
<!ATTLIST bar big CDATA 'This is a large string value to test whether \
the declaration parser still works when the entity or attribute default \
value may be broken into multiple calls to the default handler. \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
01234567890123456789012345678901234567890123456789012345678901234567890123456789 \
'> ]>
==^
<foo/>
at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm \
line 187 t/decl.t ..........
Dubious, test returned 9 (wstat 2304, 0x900)
Failed 29/30 subtests
t/defaulted.t ..... ok
t/encoding.t ...... ok
t/external_ent.t .. ok
t/file.t .......... ok
t/finish.t ........ ok
t/namespaces.t .... ok
error in processing external entity reference at line 8, column 0, byte \
173: <!ENTITY more SYSTEM "t/ext2.ent">
]
>
^
<foo>Happy, happy
<bar>&joy;, &joy;</bar>
at /usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36/blib/lib/XML/Parser.pm \
line 187 t/parament.t ......
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 11/12 subtests
t/partial.t ....... ok
t/skip.t .......... ok
t/stream.t ........ ok
t/styles.t ........ ok
Test Summary Report
-------------------
t/decl.t (Wstat: 2304 Tests: 1 Failed: 0)
Non-zero exit status: 9
Parse errors: Bad plan. You planned 30 tests but ran 1.
t/parament.t (Wstat: 65280 Tests: 1 Failed: 0)
Non-zero exit status: 255
Parse errors: Bad plan. You planned 12 tests but ran 1.
Files=14, Tests=90, 0 wallclock secs ( 0.06 usr 0.02 sys + 0.38 cusr \
0.08 csys = 0.54 CPU)
Result: FAIL
Failed 2/14 test programs. 0/90 subtests failed.
make[1]: *** [test_dynamic] Fehler 255
make[1]: Leaving directory \
`/usr/local/src/packages/libxml-parser-perl/libxml-parser-perl-2.36'
make: *** [build-stamp] Fehler 2
dpkg-buildpackage: Fehler: debian/rules build gab Fehler-Exitstatus 2
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic