[libxml-libxml-perl] 01/02: Add CVE-2015-3451.patch patch

2015-05-01 Thread Salvatore Bonaccorso
This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch wheezy
in repository libxml-libxml-perl.

commit 9e3c36263f80395c6d8c794788acc24f8533408b
Author: Salvatore Bonaccorso car...@debian.org
Date:   Fri May 1 13:47:24 2015 +0200

Add CVE-2015-3451.patch patch

CVE-2015-3451: expand_entities set to 0 is not preserved after a
_clone() call.

Closes: #783443
---
 debian/patches/CVE-2015-3451.patch | 80 ++
 debian/patches/series  |  1 +
 2 files changed, 81 insertions(+)

diff --git a/debian/patches/CVE-2015-3451.patch 
b/debian/patches/CVE-2015-3451.patch
new file mode 100644
index 000..f12433d
--- /dev/null
+++ b/debian/patches/CVE-2015-3451.patch
@@ -0,0 +1,80 @@
+Description: Fix CVE-2015-3451: expand_entities set to 0 is not preserved 
after a _clone() call
+Origin: upstream, 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd06758076e94640b129ae8930a68a30,
+ 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
+Bug-Debian: https://bugs.debian.org/783443
+Forwarded: not-needed
+Author: Shlomi Fish shlo...@shlomifish.org
+Last-Update: 2015-05-01
+Applied-Upstream: 2.0120
+
+--- a/LibXML.pm
 b/LibXML.pm
+@@ -392,8 +392,11 @@ sub _clone {
+   line_nubers = $self-{XML_LIBXML_LINENUMBERS},
+   base_uri = $self-{XML_LIBXML_BASE_URI},
+   gdome = $self-{XML_LIBXML_GDOME},
+-  set_parser_flags = $self-{XML_LIBXML_PARSER_OPTIONS},
+ });
++  # The parser options may contain some options that were zeroed from the
++  # defaults so set_parser_flags won't work here. We need to assign them
++  # explicitly.
++  $new-{XML_LIBXML_PARSER_OPTIONS} = $self-{XML_LIBXML_PARSER_OPTIONS};
+   $new-input_callbacks($self-input_callbacks());
+   return $new;
+ }
+--- a/t/43options.t
 b/t/43options.t
+@@ -3,7 +3,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests = 289;
++use Test::More tests = 290;
+ 
+ use XML::LibXML;
+ 
+@@ -125,6 +125,44 @@ no_network
+ }
+ 
+ {
++my $XML = 'EOT';
++?xml version=1.0 encoding=UTF-8?
++!DOCTYPE title [ !ELEMENT title ANY 
++!ENTITY xxe SYSTEM file:///etc/passwd ]
++rss version=2.0
++channel
++linkexample.com/link
++descriptionXXE/description
++item
++titlexxe;/title
++linkexample.com/link
++descriptionXXE here/description
++/item
++/channel
++/rss
++EOT
++
++my $sys_line = 'EOT';
++titlexxe;/title
++EOT
++
++chomp ($sys_line);
++
++my $parser = XML::LibXML-new(
++expand_entities = 0,
++load_ext_dtd= 0,
++no_network  = 1,
++expand_xinclude = 0,
++);
++my $XML_DOC = $parser-load_xml( string = $XML, );
++
++# TEST
++ok (scalar($XML_DOC-toString() =~ m{\Q$sys_line\E}),
++expand_entities is preserved after _clone()/etc.
++);
++}
++
++{
+   my $p = XML::LibXML-new(map { $_=1 } @all);
+   for my $opt (@all) {
+ # TEST*$all
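Review bot: The new block in t/43options.t clears several options on the parser but asserts only that the entity reference stays unexpanded, so a regression that lost `load_ext_dtd => 0` (or any other option cleared from the defaults) across `_clone()` would still pass. The comment added in `_clone` says that every option zeroed from the defaults was affected, so it is worth pinning at least one more, for example `ok(!$parser->_clone()->get_option('load_ext_dtd'), 'load_ext_dtd is preserved after _clone()');`, with the `tests =>` count raised to match. The test also appears to rely on `load_xml` calling `_clone()` internally, which the hunk does not show; a one-line comment such as `# load_xml() parses through a clone of $parser` would explain the test description. The jessie copy of this patch further down the page carries the same test and the same gap. `_clone` begins above the hunk, and in this wheezy copy its context line reads `line_nubers`, which, if it matches the packaged source, looks like a separate typo that drops line-number tracking on clone.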
diff --git a/debian/patches/series b/debian/patches/series
index 770c395..fd61da0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix-spelling-errors.patch
+CVE-2015-3451.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git



[libxml-libxml-perl] 01/02: Add CVE-2015-3451.patch patch

2015-05-01 Thread Salvatore Bonaccorso
This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie
in repository libxml-libxml-perl.

commit 06d986c9dd70726bf8c96c2bf53573631bccc7c5
Author: Salvatore Bonaccorso car...@debian.org
Date:   Thu Apr 30 16:18:02 2015 +0200

Add CVE-2015-3451.patch patch

CVE-2015-3451: expand_entities set to 0 is not preserved after a
_clone() call.

Closes: #783443
---
 debian/patches/CVE-2015-3451.patch | 80 ++
 debian/patches/series  |  1 +
 2 files changed, 81 insertions(+)

diff --git a/debian/patches/CVE-2015-3451.patch 
b/debian/patches/CVE-2015-3451.patch
new file mode 100644
index 000..4af3ffb
--- /dev/null
+++ b/debian/patches/CVE-2015-3451.patch
@@ -0,0 +1,80 @@
+Description: Fix CVE-2015-3451: expand_entities set to 0 is not preserved 
after a _clone() call
+Origin: upstream, 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd06758076e94640b129ae8930a68a30,
+ 
https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
+Bug-Debian: https://bugs.debian.org/783443
+Forwarded: not-needed
+Author: Shlomi Fish shlo...@shlomifish.org
+Last-Update: 2015-05-01
+Applied-Upstream: 2.0120
+
+--- a/LibXML.pm
 b/LibXML.pm
+@@ -396,8 +396,11 @@ sub _clone {
+   line_numbers = $self-{XML_LIBXML_LINENUMBERS},
+   base_uri = $self-{XML_LIBXML_BASE_URI},
+   gdome = $self-{XML_LIBXML_GDOME},
+-  set_parser_flags = $self-{XML_LIBXML_PARSER_OPTIONS},
+ });
++  # The parser options may contain some options that were zeroed from the
++  # defaults so set_parser_flags won't work here. We need to assign them
++  # explicitly.
++  $new-{XML_LIBXML_PARSER_OPTIONS} = $self-{XML_LIBXML_PARSER_OPTIONS};
+   $new-input_callbacks($self-input_callbacks());
+   return $new;
+ }
+--- a/t/43options.t
 b/t/43options.t
+@@ -3,7 +3,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests = 289;
++use Test::More tests = 290;
+ 
+ use XML::LibXML;
+ 
+@@ -125,6 +125,44 @@ no_network
+ }
+ 
+ {
++my $XML = 'EOT';
++?xml version=1.0 encoding=UTF-8?
++!DOCTYPE title [ !ELEMENT title ANY 
++!ENTITY xxe SYSTEM file:///etc/passwd ]
++rss version=2.0
++channel
++linkexample.com/link
++descriptionXXE/description
++item
++titlexxe;/title
++linkexample.com/link
++descriptionXXE here/description
++/item
++/channel
++/rss
++EOT
++
++my $sys_line = 'EOT';
++titlexxe;/title
++EOT
++
++chomp ($sys_line);
++
++my $parser = XML::LibXML-new(
++expand_entities = 0,
++load_ext_dtd= 0,
++no_network  = 1,
++expand_xinclude = 0,
++);
++my $XML_DOC = $parser-load_xml( string = $XML, );
++
++# TEST
++ok (scalar($XML_DOC-toString() =~ m{\Q$sys_line\E}),
++expand_entities is preserved after _clone()/etc.
++);
++}
++
++{
+   my $p = XML::LibXML-new(map { $_=1 } @all);
+   for my $opt (@all) {
+ # TEST*$all
diff --git a/debian/patches/series b/debian/patches/series
index 872b300..7fedaae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fail-build-no-libxml2.patch
+CVE-2015-3451.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libxml-libxml-perl.git
