[Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser

Karl Waclawek karl at waclawek.net
Wed Dec 23 20:51:04 CET 2009


Daniel Leidert wrote:
> x-post to expat-discuss, debian-devel and debian-perl
> 
> Hi,
> 
> The security issue known as CVE-2009-3560 [1] has been fixed in Expat's
> source code some time ago [2]. Now a Debian user informed [3] me that
> the fix breaks parsing XML files with entities using Perl's XML parser.
> Also several tests of the suite then fail (attached build log). So this
> makes the problem RC for us at Debian and creates a problem in the *stable
> suites.
> 
> I guess the Perl XML parser needs to be fixed and not expat. But I'm
> not familiar with the Perl module. I wonder if you (expat developers)
> have been informed about this? Unfortunately the author of the Perl XML
> parser module seems not active anymore (CCed him though).

No, I haven't heard about the Perl issue before.

> 
> Is someone able to help to track this down? Any help is appreciated.
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> [3] http://bugs.debian.org/561658
> 

Could you please run the failing tests with Expat directly, instead of the
Perl parser?

Karl
