Your message dated Sat, 16 Sep 2006 00:36:38 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of libxml-parser-perl 2.34-4.2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libxml-parser-perl
Version: 2.34-4
Severity: grave
A heap overflow can be triggered in the Expat library wrapper
when running on an input stream in non-raw mode. This bug has
also been reported at CPAN:
http://rt.cpan.org/Ticket/Display.html?id=19859
The following example program will crash with a segmentation fault
on certain input:
--
use strict;
use encoding 'utf8';    # puts STDIN into a UTF-8 decoding (non-raw) layer
use XML::Parser;
my $parser = XML::Parser->new();
$parser->parse(\*STDIN);   # the Expat wrapper reads STDIN expecting raw bytes
--
The following program generates example input on which the above
program crashes:
--
binmode(STDOUT, ':bytes');   # write raw bytes, no encoding layer on output
print "<s>\n";
# 40000 copies of the two-byte UTF-8 sequence for U+00E9: 80000 bytes
# that a UTF-8 decoding layer turns into only 40000 characters
for (my $i = 0; $i < 40000; $i++) { print chr(0xc3) . chr(0xa9); }
print "\n</s>\n";
--
The overflow occurs in libxml-parser-perl-2.34/Expat/Expat.xs, line 388:
Copy(tb, buffer, br, char)
At this point, the Expat wrapper assumes that the number of bytes
copied (br) cannot exceed the number of characters read from the
input (buffsize). This assumption is incorrect if the input stream is
in a non-raw mode.
The best solution is to have the Perl programmer set the stream
to raw mode, since libexpat expects raw bytes anyway. In the example
program above, this could be accomplished either by removing the
statement "use encoding 'utf8'" or by adding the statement
"binmode(STDIN,':bytes')".
I think, however, that a segmentation fault is not a good way
to inform a Perl programmer that he made a mistake. So this
buffer overflow must still be fixed.
Since it involves an input-triggered heap overflow, this is
technically a security vulnerability.
Joris.
--- End Message ---
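The character-versus-byte mismatch described in the report above, together with the raw-mode fix it recommends, as an added example. This is not code from the bug report, from Joris, or from the XML::Parser distribution. It assumes XML::Parser is installed, uses an in-memory handle over a constructed document in place of STDIN, and the helper names bytes_per_read, decoding_layers and parse_raw are introduced here.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or XML::Parser). Part 1 shows why
# a decoding layer on the input handle breaks the "bytes copied <=
# characters read" assumption in Expat.xs; part 2 is a small wrapper that
# forces raw bytes before handing the handle to Expat.
use strict;
use warnings;
use XML::Parser;   # assumed installed

# Constructed input: the same two-byte UTF-8 sequence (U+00E9) that the
# report's generator prints, repeated 16 times, stored as raw bytes.
my $body = "\xc3\xa9" x 16;
my $doc  = "<s>" . $body . "</s>\n";

# Part 1: with a decoding layer, read() counts characters, but the data
# that lands in the scalar is still measured in bytes by the XS copy.
sub bytes_per_read {
    my ($n_chars) = @_;
    open(my $fh, '<:encoding(UTF-8)', \$body) or die "open: $!";
    my $got = read($fh, my $chunk, $n_chars);   # LENGTH is in characters here
    close($fh);
    # First value: the character count the wrapper sizes its buffer by.
    # Second value: the byte count it actually copies (br in Expat.xs).
    return ($got, do { use bytes; length($chunk) });
}

my ($chars, $bytes) = bytes_per_read(8);
printf "read(8) -> %d characters occupying %d bytes\n", $chars, $bytes;

# Part 2: detect decoding layers on a handle, then strip them.
sub decoding_layers {
    my ($fh) = @_;
    # PerlIO::get_layers lists e.g. 'encoding(utf-8-strict)' and the
    # pseudo-layer 'utf8' when the UTF-8 flag is set on the handle.
    return grep { /^encoding\(|^utf8$/ } PerlIO::get_layers($fh);
}

sub parse_raw {
    my ($fh) = @_;
    my @layers = decoding_layers($fh);
    warn "dropping decoding layer(s) before parse: @layers\n" if @layers;
    # ':raw' pops :encoding(...) layers and clears the UTF-8 flag; ':bytes'
    # (the report's suggestion for STDIN under 'use encoding') only clears
    # the flag on the topmost layer. Expat does its own UTF-8 decoding.
    binmode($fh, ':raw') or die "binmode: $!";
    my $text_chars = 0;
    my $p = XML::Parser->new(
        Handlers => { Char => sub { $text_chars += length $_[1] } },
    );
    $p->parse($fh);
    return $text_chars;   # characters of element text seen by Expat
}

# Constructed caller mistake: the handle carries a decoding layer, which is
# what 'use encoding "utf8"' does to STDIN in the report's crash program.
open(my $in, '<:encoding(UTF-8)', \$doc) or die "open: $!";
my $n = parse_raw($in);
print "parsed document with $n characters of element text\n";
```

Run it with perl. On the UTF-8 decoding layer, read(8) returns 8 characters that occupy 16 bytes, which is exactly the br > buffsize condition the report points at. parse_raw uses ':raw' rather than the ':bytes' the report mentions because ':raw' also removes an :encoding(...) layer instead of only clearing the UTF-8 flag on the top layer, so it covers handles set up either way before Expat sees them.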
--- Begin Message ---
Version: 2.34-4.2
I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:
> libxml-parser-perl (2.34-4.2) unstable; urgency=medium
> .
> * Non-maintainer upload.
> * Fix buffer overflow when reading UTF-8 data; patch from Joris van
> Rantwijk. (Closes: #378411)
/* Steinar */
--
Homepage: http://www.sesse.net/
--- End Message ---