[libxml-libxml-perl] 01/02: Add CVE-2015-3451.patch patch
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch wheezy in repository libxml-libxml-perl.
commit 9e3c36263f80395c6d8c794788acc24f8533408b
Author: Salvatore Bonaccorso car...@debian.org
Date: Fri May 1 13:47:24 2015 +0200
Add CVE-2015-3451.patch patch
CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call.
Closes: #783443
---
debian/patches/CVE-2015-3451.patch | 80 ++
debian/patches/series | 1 +
2 files changed, 81 insertions(+)
diff --git a/debian/patches/CVE-2015-3451.patch b/debian/patches/CVE-2015-3451.patch
new file mode 100644
index 000..f12433d
--- /dev/null
+++ b/debian/patches/CVE-2015-3451.patch
@@ -0,0 +1,80 @@
+Description: Fix CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call
+Origin: upstream, https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd06758076e94640b129ae8930a68a30,
+ https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
+Bug-Debian: https://bugs.debian.org/783443
+Forwarded: not-needed
+Author: Shlomi Fish shlo...@shlomifish.org
+Last-Update: 2015-05-01
+Applied-Upstream: 2.0120
+
+--- a/LibXML.pm b/LibXML.pm
+@@ -392,8 +392,11 @@ sub _clone {
+ line_nubers = $self-{XML_LIBXML_LINENUMBERS},
+ base_uri = $self-{XML_LIBXML_BASE_URI},
+ gdome = $self-{XML_LIBXML_GDOME},
+- set_parser_flags = $self-{XML_LIBXML_PARSER_OPTIONS},
+ });
++ # The parser options may contain some options that were zeroed from the
++ # defaults so set_parser_flags won't work here. We need to assign them
++ # explicitly.
++ $new-{XML_LIBXML_PARSER_OPTIONS} = $self-{XML_LIBXML_PARSER_OPTIONS};
+ $new-input_callbacks($self-input_callbacks());
+ return $new;
+ }
+--- a/t/43options.t b/t/43options.t
+@@ -3,7 +3,7 @@
+ use strict;
+ use warnings;
+
+-use Test::More tests = 289;
++use Test::More tests = 290;
+
+ use XML::LibXML;
+
+@@ -125,6 +125,44 @@ no_network
+ }
+
+ {
++my $XML = 'EOT';
++?xml version=1.0 encoding=UTF-8?
++!DOCTYPE title [ !ELEMENT title ANY
++!ENTITY xxe SYSTEM file:///etc/passwd ]
++rss version=2.0
++channel
++linkexample.com/link
++descriptionXXE/description
++item
++titlexxe;/title
++linkexample.com/link
++descriptionXXE here/description
++/item
++/channel
++/rss
++EOT
++
++my $sys_line = 'EOT';
++titlexxe;/title
++EOT
++
++chomp ($sys_line);
++
++my $parser = XML::LibXML-new(
++expand_entities = 0,
++load_ext_dtd= 0,
++no_network = 1,
++expand_xinclude = 0,
++);
++my $XML_DOC = $parser-load_xml( string = $XML, );
++
++# TEST
++ok (scalar($XML_DOC-toString() =~ m{\Q$sys_line\E}),
++expand_entities is preserved after _clone()/etc.
++);
++}
++
++{
+ my $p = XML::LibXML-new(map { $_=1 } @all);
+ for my $opt (@all) {
+ # TEST*$all
diff --git a/debian/patches/series b/debian/patches/series
index 770c395..fd61da0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix-spelling-errors.patch
+CVE-2015-3451.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git
___
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
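Review bot: The new test block in t/43options.t never asserts the parser flags on a cloned parser; it only checks that the `xxe` reference is still present in `toString()` after `load_xml`, which presumably reaches `_clone()` internally. Because the fix in `_clone` (whose body starts above the quoted context) now copies the whole `XML_LIBXML_PARSER_OPTIONS` value, a direct assertion would pin the security-relevant state itself, for example `is( $parser->_clone()->get_option('expand_entities'), 0, 'expand_entities survives _clone()' );`, with the plan count raised to match. `load_ext_dtd`, `no_network` and `expand_xinclude` are set in the same constructor call but nothing checks that they survive the clone. The same point applies to the identical patch in the jessie commit that follows. In this wheezy copy the `_clone` context line reads `line_nubers` where the jessie copy reads `line_numbers`; if that spelling is really in the wheezy source it deserves a separate look, since it sits in the same option hand-over.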
[libxml-libxml-perl] 01/02: Add CVE-2015-3451.patch patch
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie in repository libxml-libxml-perl.
commit 06d986c9dd70726bf8c96c2bf53573631bccc7c5
Author: Salvatore Bonaccorso car...@debian.org
Date: Thu Apr 30 16:18:02 2015 +0200
Add CVE-2015-3451.patch patch
CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call.
Closes: #783443
---
debian/patches/CVE-2015-3451.patch | 80 ++
debian/patches/series | 1 +
2 files changed, 81 insertions(+)
diff --git a/debian/patches/CVE-2015-3451.patch b/debian/patches/CVE-2015-3451.patch
new file mode 100644
index 000..4af3ffb
--- /dev/null
+++ b/debian/patches/CVE-2015-3451.patch
@@ -0,0 +1,80 @@
+Description: Fix CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call
+Origin: upstream, https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd06758076e94640b129ae8930a68a30,
+ https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
+Bug-Debian: https://bugs.debian.org/783443
+Forwarded: not-needed
+Author: Shlomi Fish shlo...@shlomifish.org
+Last-Update: 2015-05-01
+Applied-Upstream: 2.0120
+
+--- a/LibXML.pm b/LibXML.pm
+@@ -396,8 +396,11 @@ sub _clone {
+ line_numbers = $self-{XML_LIBXML_LINENUMBERS},
+ base_uri = $self-{XML_LIBXML_BASE_URI},
+ gdome = $self-{XML_LIBXML_GDOME},
+- set_parser_flags = $self-{XML_LIBXML_PARSER_OPTIONS},
+ });
++ # The parser options may contain some options that were zeroed from the
++ # defaults so set_parser_flags won't work here. We need to assign them
++ # explicitly.
++ $new-{XML_LIBXML_PARSER_OPTIONS} = $self-{XML_LIBXML_PARSER_OPTIONS};
+ $new-input_callbacks($self-input_callbacks());
+ return $new;
+ }
+--- a/t/43options.t b/t/43options.t
+@@ -3,7 +3,7 @@
+ use strict;
+ use warnings;
+
+-use Test::More tests = 289;
++use Test::More tests = 290;
+
+ use XML::LibXML;
+
+@@ -125,6 +125,44 @@ no_network
+ }
+
+ {
++my $XML = 'EOT';
++?xml version=1.0 encoding=UTF-8?
++!DOCTYPE title [ !ELEMENT title ANY
++!ENTITY xxe SYSTEM file:///etc/passwd ]
++rss version=2.0
++channel
++linkexample.com/link
++descriptionXXE/description
++item
++titlexxe;/title
++linkexample.com/link
++descriptionXXE here/description
++/item
++/channel
++/rss
++EOT
++
++my $sys_line = 'EOT';
++titlexxe;/title
++EOT
++
++chomp ($sys_line);
++
++my $parser = XML::LibXML-new(
++expand_entities = 0,
++load_ext_dtd= 0,
++no_network = 1,
++expand_xinclude = 0,
++);
++my $XML_DOC = $parser-load_xml( string = $XML, );
++
++# TEST
++ok (scalar($XML_DOC-toString() =~ m{\Q$sys_line\E}),
++expand_entities is preserved after _clone()/etc.
++);
++}
++
++{
+ my $p = XML::LibXML-new(map { $_=1 } @all);
+ for my $opt (@all) {
+ # TEST*$all
diff --git a/debian/patches/series b/debian/patches/series
index 872b300..7fedaae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fail-build-no-libxml2.patch
+CVE-2015-3451.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git
___
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits