Hi, I have now prepared and updated the patch for the version in lenny; attached to this mail is the debdiff to the current version in stable.
Security Team, could you review the changes? If you agree, how should we proceed? (Note: I cannot upload it myself, since I'm not yet a DD.) Bests, Salvatore
diff -u libhtml-parser-perl-3.56/debian/rules libhtml-parser-perl-3.56/debian/rules --- libhtml-parser-perl-3.56/debian/rules +++ libhtml-parser-perl-3.56/debian/rules @@ -1,5 +1,7 @@ #!/usr/bin/make -f +include /usr/share/quilt/quilt.make + PERL=/usr/bin/perl binary: binary-arch @@ -31,7 +33,7 @@ rm -rf debian/libhtml-parser-perl/usr/share/perl5 build: configure-stamp build-stamp -build-stamp: +build-stamp: $(QUILT_STAMPFN) dh_testdir $(MAKE) OPTIMIZE="-O2 -g -Wall" $(MAKE) test @@ -43,7 +45,7 @@ $(PERL) Makefile.PL INSTALLDIRS=vendor touch configure-stamp -clean: +clean: unpatch dh_testdir dh_testroot if [ -e Makefile ]; then $(MAKE) -i distclean; fi diff -u libhtml-parser-perl-3.56/debian/changelog libhtml-parser-perl-3.56/debian/changelog --- libhtml-parser-perl-3.56/debian/changelog +++ libhtml-parser-perl-3.56/debian/changelog @@ -1,3 +1,11 @@ +libhtml-parser-perl (3.56-1+lenny1) stable; urgency=low + + * Add myself to Uploaders. + * Fix decode_entities which can be confused by trailing incomplete entity + and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531). + + -- Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> Tue, 27 Oct 2009 21:43:51 +0100 + libhtml-parser-perl (3.56-1) unstable; urgency=low * New upstream release diff -u libhtml-parser-perl-3.56/debian/control libhtml-parser-perl-3.56/debian/control --- libhtml-parser-perl-3.56/debian/control +++ libhtml-parser-perl-3.56/debian/control 
@@ -1,9 +1,9 @@ Source: libhtml-parser-perl Maintainer: Debian Catalyst Maintainers <pkg-catalyst-maintain...@lists.alioth.debian.org> -Uploaders: Krzysztof Krzyzaniak (eloy) <e...@debian.org>, Kenneth J. Pronovici <prono...@debian.org>, Florian Ragwitz <r...@debianforum.de> +Uploaders: Krzysztof Krzyzaniak (eloy) <e...@debian.org>, Kenneth J. Pronovici <prono...@debian.org>, Florian Ragwitz <r...@debianforum.de>, Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> Section: perl Priority: optional -Build-Depends: debhelper (>= 5.0.0), perl (>= 5.8.1), libhtml-tagset-perl, libtest-pod-perl, liburi-perl +Build-Depends: debhelper (>= 5.0.0), perl (>= 5.8.1), libhtml-tagset-perl, libtest-pod-perl, liburi-perl, quilt Standards-Version: 3.7.2.1 Package: libhtml-parser-perl only in patch2: unchanged: --- libhtml-parser-perl-3.56.orig/debian/README.source +++ libhtml-parser-perl-3.56/debian/README.source @@ -0,0 +1,5 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +Please see `/usr/share/doc/quilt/README.source' for details. only in patch2: unchanged: --- libhtml-parser-perl-3.56.orig/debian/patches/CVE-2009-3627-fix-decode_entities.patch +++ libhtml-parser-perl-3.56/debian/patches/CVE-2009-3627-fix-decode_entities.patch 
@@ -0,0 +1,73 @@
+Description: decode_entities confused by trailing incomplete entity
+ Mark Martinec reported crashed when running SpamAssassin, given a
+ particular HTML junk mail to parse. The problem was caused by
+ HTML::Parsers decode_entities function confusing itself when it
+ encountered strings with incomplete entities at the end of the string.
+Origin: upstream, http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c
+Bug-Debian: http://bugs.debian.org/552531
+--- a/t/entities.t
++++ b/t/entities.t
+@@ -1,6 +1,6 @@
+ use HTML::Entities qw(decode_entities encode_entities encode_entities_numeric);
+
+-use Test::More tests => 12;
++use Test::More tests => 13;
+
+ $a = "Våre norske tegn bør æres";
+
+@@ -66,6 +66,8 @@
+ is(decode_entities("'"), "'");
+ is(encode_entities("'", "'"), "'");
+
++is(decode_entities("Attention Homeοωnөrs...1ѕt Tімe Eνөг"),
++ "Attention Home\x{3BF}\x{3C9}n\x{4E9}rs...1\x{455}t T\x{456}\x{43C}e E\x{3BD}\x{4E9}\x{433}");
+
+ __END__
+ # Quoted from rfc1866.txt
+--- a/util.c
++++ b/util.c
+@@ -95,14 +95,14 @@
+ ent_start = s;
+ repl = 0;
+
+- if (*s == '#') {
++ if (s < end && *s == '#') {
+ UV num = 0;
+ UV prev = 0;
+ int ok = 0;
+ s++;
+- if (*s == 'x' || *s == 'X') {
++ if (s < end && (*s == 'x' || *s == 'X')) {
+ s++;
+- while (*s) {
++ while (s < end) {
+ char *tmp = strchr(PL_hexdigit, *s);
+ if (!tmp)
+ break;
+@@ -118,7 +118,7 @@
+ }
+ }
+ else {
+- while (isDIGIT(*s)) {
++ while (s < end && isDIGIT(*s)) {
+ num = num * 10 + (*s - '0');
+ if (prev && num < prev) {
+ /* overflow */
+@@ -181,7 +181,7 @@
+ }
+ else {
+ char *ent_name = s;
+- while (isALNUM(*s))
++ while (s < end && isALNUM(*s))
+ s++;
+ if (ent_name != s && entity2char) {
+ SV** svp;
+@@ -217,7 +217,7 @@
+
+ if (repl) {
+ char *repl_allocated = 0;
+- if (*s == ';')
++ if (s < end && *s == ';')
+ s++;
+ t--; /* '&' already copied, undo it */
+
only in patch2: unchanged:
--- libhtml-parser-perl-3.56.orig/debian/patches/series
+++ libhtml-parser-perl-3.56/debian/patches/series
@@ -0,0 +1 @@
+CVE-2009-3627-fix-decode_entities.patch
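Review bot: In the hex branch of the util.c hunk at -95,14, replacing `while (*s)` with `while (s < end)` removes the only stop on a NUL byte, and `strchr(PL_hexdigit, *s)` returns a non-NULL pointer to the string terminator when `*s` is `'\0'`, so an embedded NUL inside the buffer would no longer end the digit run. Keeping both conditions, `while (s < end && *s) {`, preserves the old behaviour while adding the bound; what is done with `tmp` afterwards lies outside the hunk, so the effect on `num` is not visible here. The new case in t/entities.t covers only the trailing-incomplete-entity input, so a case with a NUL after `&#x` would pin this down. The test string also appears on this page with its numeric entities already rendered as characters, so it should be taken from the upstream commit rather than copied from here.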