Your message dated Sat, 05 Dec 2009 21:25:20 +0000
with message-id <e1nh280-0002fa...@ries.debian.org>
and subject line Bug#552531: fixed in libhtml-parser-perl 3.56-1+lenny1
has caused the Debian Bug report #552531,
regarding libhtml-parser-perl: decode_entities confused by trailing incomplete
entity can lead to DoS attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
552531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhtml-parser-perl
Version: 3.62-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for
libhtml-parser-perl: CVE-2009-3627.
Quoting the commit fixing the bug[1]:
> decode_entities confused by trailing incomplete entity
>
> Mark Martinec reported crashes when running SpamAssassin, given a
> particular HTML junk mail to parse. The problem was caused by
> HTML::Parser's decode_entities function confusing itself when it
> encountered strings with incomplete entities at the end of the string.
If you fix the vulnerability please also make sure to include the CVE id in
your changelog entry. All the versions in the archive seem to be affected, as
per the test case provided by upstream.
For further information see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627
http://security-tracker.debian.org/tracker/CVE-2009-3627
[1]http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
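The report above describes the failure mode but not a way to confirm it on an installed package. The following regression check is an added example, not code from the bug report, the upstream commit or the Debian package: it feeds decode_entities strings that end in an incomplete entity and runs each probe in a forked child under alarm(), so a hang or crash in an affected build is reported rather than taking the check down with it. It assumes a POSIX system (fork, alarm, signal exit codes) and a five-second budget per probe; the probe strings are constructed samples.

```perl
#!/usr/bin/perl
# Added regression check (not part of the bug report or the Debian package):
# exercises HTML::Entities::decode_entities with strings ending in an
# incomplete entity, the input class described for CVE-2009-3627.
use strict;
use warnings;
use POSIX qw(SIGALRM);
use HTML::Entities qw(decode_entities);

# Constructed sample inputs; each ends in an entity that is never terminated.
my @probes  = ("&#x", "&#", "junk &#12", "junk &#xAB", "junk &amp");
my $timeout = 5;   # seconds per probe; assumed budget, generous for tiny inputs

# Run one decode in a child process and classify how the child ended.
sub probe {
    my ($in) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                 # child: make the risky call
        alarm $timeout;              # SIGALRM terminates us if decode loops
        my $out = decode_entities($in);
        print "ok   '$in' -> '$out'\n";
        exit 0;
    }
    waitpid($pid, 0);                # parent: inspect the child's exit status
    my $sig = $? & 127;
    return "ok"    if $? == 0;
    return "hang"  if $sig == SIGALRM;   # the timeout fired
    return "crash" if $sig;              # e.g. SIGSEGV
    return "error";                      # child exited non-zero
}

my $affected = 0;
for my $in (@probes) {
    my $verdict = probe($in);
    next if $verdict eq 'ok';
    print "FAIL '$in' -> $verdict\n";
    $affected = 1;
}
print $affected
    ? "decode_entities mishandled a trailing incomplete entity; update libhtml-parser-perl\n"
    : "decode_entities handled every trailing incomplete entity\n";
exit $affected;
```

A non-zero exit means at least one probe hung, crashed or died, which is the behaviour the report attributes to the unpatched versions.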
--- Begin Message ---
Source: libhtml-parser-perl
Source-Version: 3.56-1+lenny1
We believe that the bug you reported is fixed in the latest version of
libhtml-parser-perl, which is due to be installed in the Debian FTP archive:
libhtml-parser-perl_3.56-1+lenny1.diff.gz
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1.diff.gz
libhtml-parser-perl_3.56-1+lenny1.dsc
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1.dsc
libhtml-parser-perl_3.56-1+lenny1_i386.deb
to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> (supplier of updated
libhtml-parser-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 27 Oct 2009 21:43:51 +0100
Source: libhtml-parser-perl
Binary: libhtml-parser-perl
Architecture: source i386
Version: 3.56-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Catalyst Maintainers <pkg-catalyst-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <salvatore.bonacco...@gmail.com>
Description:
libhtml-parser-perl - A collection of modules that parse HTML text documents
Closes: 552531
Changes:
libhtml-parser-perl (3.56-1+lenny1) stable-security; urgency=high
.
* Fix decode_entities, which can be confused by a trailing incomplete entity,
leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).
--- End Message ---