Control: tags 842893 + pending

Dear maintainer,

I've prepared an NMU for libxml-twig-perl (versioned as 1:3.50-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.


-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   
diff -Nru libxml-twig-perl-3.50/debian/changelog libxml-twig-perl-3.50/debian/changelog
--- libxml-twig-perl-3.50/debian/changelog	2016-08-04 18:52:02.000000000 +0200
+++ libxml-twig-perl-3.50/debian/changelog	2019-03-31 22:18:27.000000000 +0200
@@ -1,3 +1,15 @@
+libxml-twig-perl (1:3.50-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "CVE-2016-9180: expand_external_ents fails to work as
+    documented": add patch CVE-2016-9180.patch:
+    - update documentation about expand_external_ents and no_xxe
+    - add test for expand_external_ents and no_xxe
+    Additionally add build dependency on libtest-exception-perl.
+    (Closes: #842893)
+
+ -- gregor herrmann <gre...@debian.org>  Sun, 31 Mar 2019 22:18:27 +0200
+
 libxml-twig-perl (1:3.50-1) unstable; urgency=medium
 
   * New upstream release.
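Review bot: the changelog entry for 1:3.50-1.1 says "Fix CVE-2016-9180" but the items under it are documentation and test changes only; since the patch leaves the behaviour of expand_external_ents => 0 / -1 unchanged, it would help readers scanning the changelog for the security fix to say explicitly that the upload documents the problem and points users to no_xxe as the working mitigation rather than correcting expand_external_ents itself, e.g. "document that expand_external_ents 0/-1 does not prevent expansion; recommend no_xxe".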
diff -Nru libxml-twig-perl-3.50/debian/control libxml-twig-perl-3.50/debian/control
--- libxml-twig-perl-3.50/debian/control	2016-08-04 18:52:02.000000000 +0200
+++ libxml-twig-perl-3.50/debian/control	2019-03-30 19:36:50.000000000 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Bart Martens <ba...@debian.org>
 Standards-Version: 3.9.8
-Build-Depends-Indep: perl (>= 5.6.0-16), libxml-parser-perl, libunicode-map8-perl, libunicode-string-perl, libtie-ixhash-perl, libxml-xpathengine-perl | libxml-xpath-perl, libtest-pod-perl, libtest-pod-coverage-perl (>= 1.00), libxml-handler-yawriter-perl, libxml-sax-machines-perl, libxml-simple-perl, libyaml-perl
+Build-Depends-Indep: perl (>= 5.6.0-16), libxml-parser-perl, libunicode-map8-perl, libunicode-string-perl, libtie-ixhash-perl, libxml-xpathengine-perl | libxml-xpath-perl, libtest-pod-perl, libtest-pod-coverage-perl (>= 1.00), libxml-handler-yawriter-perl, libxml-sax-machines-perl, libxml-simple-perl, libyaml-perl, libtest-exception-perl
 Build-Depends: debhelper (>= 8.0.0), expat
 Homepage: http://www.xmltwig.org/
 
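Review bot: appending libtest-exception-perl to Build-Depends-Indep is required because the new t/CVE-2016-9180.t does `use Test::Exception` and calls throws_ok, so the build-time test suite would otherwise fail with a missing module; one thing to confirm is whether the package's autopkgtest runs the t/ directory against the installed package, in which case the same module would also be needed as a test dependency there, not only at build time.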
diff -Nru libxml-twig-perl-3.50/debian/patches/CVE-2016-9180.patch libxml-twig-perl-3.50/debian/patches/CVE-2016-9180.patch
--- libxml-twig-perl-3.50/debian/patches/CVE-2016-9180.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml-twig-perl-3.50/debian/patches/CVE-2016-9180.patch	2019-03-31 01:06:09.000000000 +0100
@@ -0,0 +1,85 @@
+Description: Update documentation for XML::Twig.
+ Mention problems with expand_external_ents and add
+ information about new no_xxe argument.
+ .
+ Additionally add tests for both expand_external_ents and no_xxe.
+Origin: vendor
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
+Bug-Debian: https://bugs.debian.org/842893
+Author: gregor herrmann <gre...@debian.org>
+Last-Update: 2019-03-30
+
+--- a/Twig_pm.slow
++++ b/Twig_pm.slow
+@@ -10454,6 +10454,15 @@
+ pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
+ cases.  
+ 
++B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
++as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
++To completelty turn off expanding external entities use C<no_xxe>.
++
++=item no_xxe
++
++If this argument is set to a true value, expanding of external entities is
++turned off.
++
+ =item load_DTD
+ 
+ If this argument is set to a true value, C<parse> or C<parsefile> on the twig
+--- /dev/null
++++ b/t/CVE-2016-9180.t
+@@ -0,0 +1,41 @@
++#!/usr/bin/perl
++
++use strict;
++use warnings;
++use Test::More;
++use Test::Exception;
++
++BEGIN { use_ok('XML::Twig'); }
++
++my $twig = XML::Twig->new( expand_external_ents => 1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++my $result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
++
++TODO: {
++    local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
++
++$twig = XML::Twig->new( expand_external_ents => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded (expand_external_ents 0)' );
++
++$twig = XML::Twig->new( expand_external_ents => -1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded and no fail (expand_external_ents -1)' );
++
++}
++
++$twig = XML::Twig->new( no_xxe => 1 );
++throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
++    'external entity not expanded (no_xxe 1)';
++
++$twig = XML::Twig->new( no_xxe => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
++
++done_testing();
+--- /dev/null
++++ b/t/CVE-2016-9180.txt
+@@ -0,0 +1 @@
++Boom
+--- /dev/null
++++ b/t/CVE-2016-9180.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE foo [
++	<!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
++]>
++<root>&xxe;</root>
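Review bot: the added POD text in Twig_pm.slow has a typo, "To completelty turn off expanding external entities use C<no_xxe>." should read "To completely turn off the expansion of external entities, use C<no_xxe>.", and the no_xxe item would read better as "If this argument is set to a true value, expansion of external entities is turned off." Two further points on the test: the entity in t/CVE-2016-9180.xml uses the relative system id "CVE-2016-9180.txt" while the test opens 't/CVE-2016-9180.xml' from the package root, so the non-TODO assertions depend on the parser resolving the entity relative to the document's location rather than the current directory; please confirm the test passes when run from the build directory and not only from within t/. Also, the DEP-3 header lists Origin, Bug and Bug-Debian but no Forwarded field; since the upstream RT ticket is referenced, "Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=118097" (or "not-needed" for the Debian-specific test files) would make the patch's status clear.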
diff -Nru libxml-twig-perl-3.50/debian/patches/series libxml-twig-perl-3.50/debian/patches/series
--- libxml-twig-perl-3.50/debian/patches/series	2014-01-06 08:46:06.000000000 +0100
+++ libxml-twig-perl-3.50/debian/patches/series	2019-03-30 17:56:37.000000000 +0100
@@ -1,3 +1,4 @@
 03_cosmetics.diff
 06_spelling.diff
 07_691028.diff
+CVE-2016-9180.patch
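Review bot: the existing patches in series use a numeric prefix (03_cosmetics.diff, 06_spelling.diff, 07_691028.diff) while the new entry is unprefixed; naming it along the lines of 08_CVE-2016-9180.patch would keep the series file's ordering convention consistent, and because the new patch edits Twig_pm.slow, which the earlier patches may also touch, it should stay last in series so it applies on top of them.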
