On Wed, Dec 23, 2009 at 02:51:04PM -0500, Karl Waclawek wrote: > Daniel Leidert wrote: > > x-post to expat-discuss, debian-devel and debian-perl
> > The security issue known as CVE-2009-3560 [1] has been fixed in expats > > source code some time ago [2]. Now a Debian user informed [3] me, that > > the fix breaks parsing XML files with entities using Perls XML parser. > > Also several tests of the suite then fail (attached build log). So this > > makes the problem RC for us Debian and creates a problem in the *stable > > suites. > > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560 > > [2] > > http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165 > > [3] http://bugs.debian.org/561658 > Could you please run the failing tests with Expat directly, instead of the > Perl parser? I'm able to reproduce (at least part of) the problem without the Perl bindings, using the 'xmlwf' example tool from the expat source (shipped in the 'expat' package on Debian.) I'm attaching an example XML document and the external DTD it references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml' silently passes. With the patch, the output is t.dtd:4:3: syntax error t.xml:2:28: error in processing external entity reference (The DTD was copied verbatim from the example at http://www.w3.org/TR/REC-xml/#sec-condition-sect ) -- Niko Tyni nt...@debian.org
t.xml
Description: XML document
<!ENTITY % draft 'INCLUDE' > <!ENTITY % final 'IGNORE' > <![%draft;[ <!ELEMENT book (comments*, title, body, supplements?)> ]]> <![%final;[ <!ELEMENT book (title, body, supplements?)> ]]>
