[Expat-bugs] [ expat-Bugs-3500861 ] fix for CVE-2012-0876 breaks "xml" default prefix
SourceForge.net
noreply at sourceforge.net
Sat Mar 10 18:31:15 CET 2012
Bugs item #3500861, was opened at 2012-03-09 18:37
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3500861&group_id=10127
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
>Group: Test Required
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Marien Zwart (marienz)
>Assigned to: Karl Waclawek (kwaclaw)
Summary: fix for CVE-2012-0876 breaks "xml" default prefix
Initial Comment:
expat-2.1.0-beta2 will fail a namespace-aware parse of a document relying on the "xml" being bound by default, like the following test document:
<?xml version="1.0"?>
<root xml:whitespace="preserve"/>
xmlwf -n on that document returns "2:0: unbound prefix", while xmlwf from expat 2.0.1 succeeds.
This seems to be caused by the call to setContext(parser, implicitContext) adding that default prefix happening too early (before hash_secret_salt is initialized).
----------------------------------------------------------------------
>Comment By: Karl Waclawek (kwaclaw)
Date: 2012-03-10 09:31
Message:
Yes, your analysis is correct, the hash function was used before the salt
was set.
I will have to move the setContext() call right after the
generate_hash_secret_salt() call.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3500861&group_id=10127
More information about the Expat-bugs
mailing list