Your message dated Fri, 11 Feb 2022 20:40:05 +0000
with message-id <e1nici5-000df9...@fasolo.debian.org>
and subject line Bug#1005281: fixed in libxml-libxml-perl 2.0207+dfsg+really+2.0134-1
has caused the Debian Bug report #1005281,
regarding libxml-libxml-perl: breaks validation, which succeeds even though the DTD could not be loaded
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1005281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxml-libxml-perl
Version: 2.0207+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

The recent change about load_ext_dtd introduced an unexpected issue,
with possible security implications: when one sets validation to 1
without also setting load_ext_dtd to 1, the document is always
regarded as valid.

It is probable that existing scripts that set validation to 1 do not
explicitly set load_ext_dtd to 1, because load_ext_dtd = 1 was the
default and also because it is rather obvious that if the user wants
validation, he also wants to load the DTD, which is needed for the
validation. So this silently breaks validation. This may have security
implications as validation can normally be used to check that input
from an untrusted source does not contain unexpected content (e.g.
content that is likely to yield data injection).

See for instance: https://cwe.mitre.org/data/definitions/112.html

Example:

------------------------------------------------------------
#!/usr/bin/env perl

# Minimal reproducer: validation(1) without load_ext_dtd(1), on a document
# whose external DTD cannot be loaded.

use strict;
use XML::LibXML;

my $s = <<EOF;
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF

my $parser = XML::LibXML->new();
$parser->validation(1);
my $doc = $parser->parse_string($s);
------------------------------------------------------------

With libxml-libxml-perl 2.0134+dfsg-2, the fact that the DTD could not
be loaded was properly reported, with a fatal error:

:2: I/O error : failed to load external entity "does-not-exist.dtd"
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
                                           ^
:3: validity error : Validation failed: no DTD found !
<root/>
     ^

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libxml-libxml-perl depends on:
ii  libc6                         2.33-5
ii  libxml-namespacesupport-perl  1.12-1.1
ii  libxml-sax-perl               1.02+dfsg-3
ii  libxml2                       2.9.12+dfsg-5+b1
ii  perl                          5.32.1-6
ii  perl-base [perlapi-5.32.1]    5.32.1-6

libxml-libxml-perl recommends no packages.

libxml-libxml-perl suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---
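The report above shows the failure mode (validation(1) on its own silently accepting a document whose DTD never loaded) but not what a script that validates untrusted input should do about it. The following is an added example, not code from the bug report or from XML::LibXML itself. It puts the reporter's pattern next to two alternatives: pairing validation(1) with an explicit load_ext_dtd(1), plus a post-parse check that the external subset really was loaded (this check assumes libxml2 only populates externalSubset when it actually fetched the DTD); and, for untrusted input, parsing with external loading, entity expansion and network access switched off and then validating against a DTD object the application supplies itself, so the parser never follows the document's own DOCTYPE. The sample documents, the trusted DTD and the function names (naive_validate, explicit_validate, validate_against_trusted_dtd, verdict) are all constructed for this example.

```perl
#!/usr/bin/env perl
# Added example: three ways of validating the document from the bug report.
use strict;
use warnings;
use XML::LibXML;

# Constructed inputs (not from the bug report). The first mimics the report:
# a DOCTYPE pointing at a DTD that cannot be loaded, plus an element a real
# DTD would not allow.
my $xml_missing_dtd = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root><unexpected/></root>
EOF

# A DTD the application ships itself and trusts.
my $trusted_dtd = <<'EOF';
<!ELEMENT root (item*)>
<!ELEMENT item (#PCDATA)>
EOF

my $xml_good = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<root><item>hello</item></root>
EOF

# Run a parse or validation and turn a die() into a printable verdict.
sub verdict {
    my ($code) = @_;
    my $ok = eval { $code->(); 1 };
    return $ok ? "accepted" : "rejected: " . ($@ =~ s/\s+$//r);
}

# 1. The pattern from the bug report: validation(1) with load_ext_dtd left at
#    its default. On the affected 2.0207 packaging the parse succeeds and the
#    document is treated as valid even though no DTD was ever loaded.
sub naive_validate {
    my ($xml) = @_;
    my $parser = XML::LibXML->new();
    $parser->validation(1);
    return verdict(sub { $parser->parse_string($xml) });
}

# 2. Same, but with load_ext_dtd set explicitly, so a DTD that cannot be
#    loaded is fatal regardless of the default. Only acceptable for trusted
#    input: the parser will fetch whatever the DOCTYPE points at.
sub explicit_validate {
    my ($xml) = @_;
    my $parser = XML::LibXML->new();
    $parser->load_ext_dtd(1);
    $parser->validation(1);
    return verdict(sub {
        my $doc = $parser->parse_string($xml);
        # Belt and braces: if the DOCTYPE named an external subset, refuse the
        # document unless libxml2 actually loaded it. Assumption: libxml2 only
        # fills in externalSubset when the external DTD was really read.
        my $int = $doc->internalSubset;
        if ($int && defined $int->systemId && !defined $doc->externalSubset) {
            die "external DTD " . $int->systemId . " was not loaded\n";
        }
    });
}

# 3. For untrusted input: never let the parser follow the document's own
#    DOCTYPE. Parse with external loading, entity expansion and network
#    access off, then validate against the application's own DTD object.
sub validate_against_trusted_dtd {
    my ($xml, $dtd_text) = @_;
    my $parser = XML::LibXML->new(
        load_ext_dtd    => 0,
        expand_entities => 0,
        no_network      => 1,
    );
    my $dtd = XML::LibXML::Dtd->parse_string($dtd_text);
    return verdict(sub {
        my $doc = $parser->parse_string($xml);
        $doc->validate($dtd);   # dies with the validity errors on failure
    });
}

printf "naive    (missing DTD): %s\n", naive_validate($xml_missing_dtd);
printf "explicit (missing DTD): %s\n", explicit_validate($xml_missing_dtd);
printf "trusted  (missing DTD): %s\n",
    validate_against_trusted_dtd($xml_missing_dtd, $trusted_dtd);
printf "trusted  (good doc)   : %s\n",
    validate_against_trusted_dtd($xml_good, $trusted_dtd);
```

Running this on an affected build shows the first line as "accepted" (the reporter's complaint), while the other two variants reject the document: the explicit variant because the DTD cannot be loaded, the trusted-DTD variant because `<unexpected/>` is not declared. The third approach is the one to prefer whenever the XML comes from outside: it does not depend on the load_ext_dtd default at all, and it closes off the external-fetch and entity-expansion surface that load_ext_dtd(1) would otherwise open on attacker-controlled input.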
--- Begin Message ---
Source: libxml-libxml-perl
Source-Version: 2.0207+dfsg+really+2.0134-1
Done: Niko Tyni <nt...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml-libxml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1005...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated libxml-libxml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Feb 2022 21:29:49 +0200
Source: libxml-libxml-perl
Architecture: source
Version: 2.0207+dfsg+really+2.0134-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Closes: 1003761 1003810 1005281
Changes:
 libxml-libxml-perl (2.0207+dfsg+really+2.0134-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Helmut Grohne ]
   * Fix FTCBFS: Use the host architecture pkg-config (Closes: #1003761)
 .
   [ Yadd ]
   * Add lintian overrides
 .
   [ Niko Tyni ]
   * Temporarily revert to upstream version 2.0134 while changes
     in external DTD handling are revisited upstream. Thanks to
     Vincent Lefevre for the reports. (Closes: #1005281, #1003810)
Checksums-Sha1:
 61fe2ba04ce7cf1894f354e82a2cde3c325a2fbe 2452 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.dsc
 57cb34532d75e8d46853dfdf957deb3744d3ebd0 287864 libxml-libxml-perl_2.0207+dfsg+really+2.0134.orig.tar.xz
 15e544139580c1f42664bddb2defac3bf8513fbc 11688 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.debian.tar.xz
 c0131abc12e9858aeb393300926e4fbf47816899 6419 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1_source.buildinfo
Checksums-Sha256:
 77cff7401bf70a3ef5377531444c8a14436ec7c5c3c8904b8083dcb5af665d27 2452 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.dsc
 a27332a4a8ea4103fb0562bc8cf3aba4d28bdccb5331a59fd8fe2befb9e965fb 287864 libxml-libxml-perl_2.0207+dfsg+really+2.0134.orig.tar.xz
 c1ebfcc650822715cba9de3cc661599feed244bd4740bd5e039cee16c537fc75 11688 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.debian.tar.xz
 5d423c0a97d71a0f8872cf9935f69867c09c6d4e2805a60c67de04027b351a4e 6419 libxml-libxml-perl_2.0207+dfsg+really+2.0134-1_source.buildinfo
Files:
 706ab98a334f818b4d112afb249f0c08 2452 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.dsc
 11f3550f44aacb323c01c394229b6333 287864 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134.orig.tar.xz
 deea166bdae925e47480685eee150899 11688 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-1.debian.tar.xz
 f7adfffaf53837bfb2c7703ca2f6047f 6419 perl optional libxml-libxml-perl_2.0207+dfsg+really+2.0134-1_source.buildinfo


--- End Message ---
