This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie
in repository libxml-libxml-perl.

commit 06d986c9dd70726bf8c96c2bf53573631bccc7c5
Author: Salvatore Bonaccorso <car...@debian.org>
Date:   Thu Apr 30 16:18:02 2015 +0200

    Add CVE-2015-3451.patch patch
    
    CVE-2015-3451: expand_entities set to 0 is not preserved after a
    _clone() call.
    
    Closes: #783443
---
 debian/patches/CVE-2015-3451.patch | 80 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 81 insertions(+)

diff --git a/debian/patches/CVE-2015-3451.patch 
b/debian/patches/CVE-2015-3451.patch
new file mode 100644
index 0000000..4af3ffb
--- /dev/null
+++ b/debian/patches/CVE-2015-3451.patch
@@ -0,0 +1,80 @@
+Description: Fix CVE-2015-3451: expand_entities set to 0 is not preserved 
after a _clone() call
+Origin: upstream, 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30,
+ 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
+Bug-Debian: https://bugs.debian.org/783443
+Forwarded: not-needed
+Author: Shlomi Fish <shlo...@shlomifish.org>
+Last-Update: 2015-05-01
+Applied-Upstream: 2.0120
+
+--- a/LibXML.pm
++++ b/LibXML.pm
+@@ -396,8 +396,11 @@ sub _clone {
+       line_numbers => $self->{XML_LIBXML_LINENUMBERS},
+       base_uri => $self->{XML_LIBXML_BASE_URI},
+       gdome => $self->{XML_LIBXML_GDOME},
+-      set_parser_flags => $self->{XML_LIBXML_PARSER_OPTIONS},
+     });
++  # The parser options may contain some options that were zeroed from the
++  # defaults so set_parser_flags won't work here. We need to assign them
++  # explicitly.
++  $new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};
+   $new->input_callbacks($self->input_callbacks());
+   return $new;
+ }
+--- a/t/43options.t
++++ b/t/43options.t
+@@ -3,7 +3,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests => 289;
++use Test::More tests => 290;
+ 
+ use XML::LibXML;
+ 
+@@ -125,6 +125,44 @@ no_network
+ }
+ 
+ {
++    my $XML = <<'EOT';
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE title [ <!ELEMENT title ANY >
++<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
++<rss version="2.0">
++<channel>
++    <link>example.com</link>
++    <description>XXE</description>
++    <item>
++        <title>&xxe;</title>
++        <link>example.com</link>
++        <description>XXE here</description>
++    </item>
++</channel>
++</rss>
++EOT
++
++    my $sys_line = <<'EOT';
++<title>&xxe;</title>
++EOT
++
++    chomp ($sys_line);
++
++    my $parser = XML::LibXML->new(
++        expand_entities => 0,
++        load_ext_dtd    => 0,
++        no_network      => 1,
++        expand_xinclude => 0,
++    );
++    my $XML_DOC = $parser->load_xml( string => $XML, );
++
++    # TEST
++    ok (scalar($XML_DOC->toString() =~ m{\Q$sys_line\E}),
++        "expand_entities is preserved after _clone()/etc."
++    );
++}
++
++{
+   my $p = XML::LibXML->new(map { $_=>1 } @all);
+   for my $opt (@all) {
+     # TEST*$all
diff --git a/debian/patches/series b/debian/patches/series
index 872b300..7fedaae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fail-build-no-libxml2.patch
+CVE-2015-3451.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git

_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits

Reply via email to