Your message dated Tue, 3 Nov 2009 07:38:43 +0100
with message-id <20091103063843.ga5...@faerie>
and subject line Closing bug manually
has caused the Debian Bug report #552531,
regarding libhtml-parser-perl: decode_entities confused by trailing incomplete entity can lead to DoS attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
552531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhtml-parser-perl
Version: 3.62-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for 
libhtml-parser-perl: CVE-2009-3627.

Quoting the commit fixing the bug[1]:
> decode_entities confused by trailing incomplete entity
>
> Mark Martinec reported crashes when running SpamAssassin, given a
> particular HTML junk mail to parse.  The problem was caused by
> HTML::Parser's decode_entities function confusing itself when it
> encountered strings with incomplete entities at the end of the string.

If you fix the vulnerability please also make sure to include the CVE id in 
your changelog entry. All the versions in the archive seem to be affected, as 
per the test case provided by upstream.

For further information see:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627
 http://security-tracker.debian.org/tracker/CVE-2009-3627

[1] http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Package: libhtml-parser-perl
Version: 3.64-1

Hi Raphael

For unstable, a fix for this bug was included in the 3.64-1 upload.
Upstream fixed it in 3.63-1, and 3.63-1 was prepared in pkg-perl svn.
Since there was no upload, this was included in 3.64-1 and uploaded
before this bug report was reported. Thus closing manually.

Bests
Salvatore



--- End Message ---
