Your message dated Thu, 28 Feb 2019 19:06:59 +0000
with message-id <e1gzr1h-0007db...@fasolo.debian.org>
and subject line Bug#923223: fixed in libxml-parser-perl 2.44-4
has caused the Debian Bug report #923223,
regarding XML::Parser::parsefile() uses 2-argument open
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
923223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923223
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxml-parser-perl
Version: 2.44-2+b4
Tags: security
Control: affects -1 check-all-the-things duck
The XML::Parser::parsefile function uses 2-argument open().
As a consequence, users of this function can't use it to securely check
files with untrusted names. (Unless the users sanitize the filenames
themselves, which they don't, because AFAICT this behavior is not
documented.)
Proof of concept:
$ touch '; false .appdata; cowsay pwned >&2; kill $PPID |'
$ duck
sh: 1: ./: Permission denied
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Terminated
-- System Information:
Architecture: i386
Versions of packages libxml-parser-perl depends on:
ii perl 5.28.1-4
ii libc6 2.28-7
ii libexpat1 2.2.6-1
ii liburi-perl 1.76-1
ii libwww-perl 6.36-1
--
Jakub Wilk
--- End Message ---
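The mechanism behind the report above, as an added example (not the reporter's code and not XML::Parser's own): a small Perl script that contrasts the 2-argument open() that parsefile() used with the 3-argument form, plus a heuristic audit helper of our own for spotting file names that a 2-argument open() would interpret rather than treat literally. The file names are constructed for the demo; the "tricky" one ends in a pipe character like the proof of concept, but runs a harmless echo instead. Everything happens in a temporary directory the script creates and removes itself.

```perl
#!/usr/bin/perl
# Added example; not code from the bug report or from XML::Parser.
# Contrasts the 2-argument open() that parsefile() used with the
# 3-argument form, inside a throwaway temporary directory.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Constructed file names for the demo. The first ends in '|', the same
# trait as the report's proof of concept, but with a harmless 'echo'.
my $TRICKY = 'echo INJECTED |';
my $PLAIN  = 'plain.xml';

# Vulnerable pattern: with two arguments Perl derives the mode from the
# name itself, so a trailing '|' means "read from this shell command".
sub read_two_arg {
    my ($name) = @_;
    open my $fh, $name or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Fixed pattern: the mode is explicit, the name is taken verbatim.
sub read_three_arg {
    my ($name) = @_;
    open my $fh, '<', $name or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Audit helper (heuristic, our own, not part of any library): flags names
# that a 2-argument open() would interpret instead of opening literally.
# Useful when reviewing callers that hand user-controlled paths to APIs
# built on the old form.
sub looks_special_for_two_arg_open {
    my ($name) = @_;
    return 1 if $name eq '-';            # bare '-' means STDIN
    return 1 if $name =~ /^\s*[<>+|]/;   # leading mode characters
    return 1 if $name =~ /\|\s*$/;       # trailing pipe: run as a command
    return 1 if $name =~ /^\s|\s$/;      # surrounding whitespace is dropped
    return 0;
}

my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir $dir: $!";

# Create both files with their literal names (3-argument open, so the
# '|' in $TRICKY is just a character in the file name).
for my $name ($TRICKY, $PLAIN) {
    open my $fh, '>', $name or die "create '$name': $!";
    print $fh "<doc>contents of file '$name'</doc>\n";
    close $fh;
}

for my $name ($TRICKY, $PLAIN) {
    printf "%-20s special=%d\n", "'$name'", looks_special_for_two_arg_open($name);
    print "  2-arg open : ", read_two_arg($name);    # tricky name: output of echo
    print "  3-arg open : ", read_three_arg($name);  # both names: file contents
}

chdir $orig or die "chdir $orig: $!";
```

Run it with `perl demo.pl`. For the tricky name the 2-argument open returns the output of the echo command rather than the file, while the 3-argument open returns the file's contents for both names; the audit helper flags only the tricky name. The explicit-mode form is the standard remedy for this class of bug; the actual patch shipped in libxml-parser-perl 2.44-4 is not reproduced here.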
--- Begin Message ---
Source: libxml-parser-perl
Source-Version: 2.44-4
We believe that the bug you reported is fixed in the latest version of
libxml-parser-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated libxml-parser-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Feb 2019 19:39:53 +0100
Source: libxml-parser-perl
Architecture: source
Version: 2.44-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 923223
Changes:
libxml-parser-perl (2.44-4) unstable; urgency=medium
.
* Team upload
* Update patch (Closes: #923223)
Checksums-Sha1:
d37bbec34614b04ed20a992b9dfa56ecdda713f0 2109 libxml-parser-perl_2.44-4.dsc
dd45114475bc0b3630a1cdc5bd1c5f77df89ca06 58064 libxml-parser-perl_2.44-4.debian.tar.xz
Checksums-Sha256:
b9f31511032348e2bc499158c706eaf814e56598b9c308f04f5a557b184ab45e 2109 libxml-parser-perl_2.44-4.dsc
40e8a914ba7052c582a28f1e73205b568d8fe5f0888b343d23e377cf855130c3 58064 libxml-parser-perl_2.44-4.debian.tar.xz
Files:
74a223e5edef68ffdfdaa22c9fcd40f3 2109 perl optional libxml-parser-perl_2.44-4.dsc
aa2fb6f6ea3a8849b6d8c47962f3d89e 58064 perl optional libxml-parser-perl_2.44-4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---