[Expat-discuss] RFH: Patch for CVE-2009-3560 in expat breaks the Perl XML parser

Niko Tyni ntyni at debian.org
Mon Dec 28 23:58:35 CET 2009


On Wed, Dec 23, 2009 at 02:51:04PM -0500, Karl Waclawek wrote:
> Daniel Leidert wrote:
> > x-post to expat-discuss, debian-devel and debian-perl

> > The security issue known as CVE-2009-3560 [1] has been fixed in expat's
> > source code some time ago [2]. Now a Debian user informed [3] me that
> > the fix breaks parsing XML files with entities using Perl's XML parser.
> > Also several tests of the suite then fail (attached build log). So this
> > makes the problem RC for us Debian and creates a problem in the *stable
> > suites.

> > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> > [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> > [3] http://bugs.debian.org/561658

> Could you please run the failing tests with Expat directly, instead of the
> Perl parser?

I'm able to reproduce (at least part of) the problem without the Perl
bindings, using the 'xmlwf' example tool from the expat source (shipped
in the 'expat' package on Debian.)

I'm attaching an example XML document and the external DTD it
references. Without the CVE-2009-3560 patch, the test 'xmlwf -p t.xml'
silently passes. With the patch, the output is

 t.dtd:4:3: syntax error
 t.xml:2:28: error in processing external entity reference

(The DTD was copied verbatim from the example at
 http://www.w3.org/TR/REC-xml/#sec-condition-sect )
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: t.xml
Type: application/xml
Size: 60 bytes
Desc: not available
URL: <http://mail.libexpat.org/pipermail/expat-discuss/attachments/20091229/3ca94143/attachment.xml>
-------------- next part --------------
<!ENTITY % draft 'INCLUDE' >
<!ENTITY % final 'IGNORE' >

<![%draft;[
<!ELEMENT book (comments*, title, body, supplements?)>
]]>
<![%final;[
<!ELEMENT book (title, body, supplements?)>
]]>
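The same check run from Python's bundled expat binding instead of xmlwf, as an added example that is not part of the post: it feeds the attached DTD to the parser through the external entity handler with parameter entity processing enabled (the equivalent of 'xmlwf -p') and reports either the declared content model or the expat error. The t.xml below is a constructed stand-in, since the real attachment is not reproduced here; the DTD is the one attached above.

```python
import xml.parsers.expat as expat

# The DTD attached to the post (conditional sections switched by the
# %draft; / %final; parameter entities), embedded here as a string.
T_DTD = """<!ENTITY % draft 'INCLUDE' >
<!ENTITY % final 'IGNORE' >

<![%draft;[
<!ELEMENT book (comments*, title, body, supplements?)>
]]>
<![%final;[
<!ELEMENT book (title, body, supplements?)>
]]>
"""

# Constructed stand-in for t.xml: a document whose DOCTYPE pulls in t.dtd.
T_XML = (b'<?xml version="1.0"?>\n'
         b'<!DOCTYPE book SYSTEM "t.dtd">\n'
         b'<book><title/><body/></book>\n')


def parse_with_external_dtd(xml_bytes, dtd_by_system_id):
    """Parse xml_bytes with pyexpat, resolving the external DTD subset from
    dtd_by_system_id (system id -> DTD text). Returns a dict with the element
    declarations seen and the first expat error (or None)."""
    parser = expat.ParserCreate()
    # Like 'xmlwf -p': read the external subset and expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    result = {"elements_declared": {}, "error": None}

    def element_decl(name, model):
        # model is (type, quant, name, children); see xml.parsers.expat.model
        result["elements_declared"][name] = model

    def external_entity_ref(context, base, system_id, public_id):
        dtd = dtd_by_system_id.get(system_id)
        if dtd is None:
            return 0  # returning 0 makes expat report the entity as unprocessable
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(dtd, True)  # a broken DTD raises ExpatError here
        return 1

    parser.ElementDeclHandler = element_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as e:
        result["error"] = f"{e.lineno}:{e.offset}: {expat.errors.messages[e.code]}"
    return result
```

With a fixed expat the draft content model (four children) is declared and no error is reported; an unresolvable system id reproduces the "error in processing external entity reference" message from the post.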
