tags 721221 + patch pending
thanks

Dear maintainer,

I've prepared an NMU for php-openid (versioned as 2.2.2-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru php-openid-2.2.2/debian/changelog php-openid-2.2.2/debian/changelog
--- php-openid-2.2.2/debian/changelog	2012-04-29 11:13:22.000000000 +0200
+++ php-openid-2.2.2/debian/changelog	2013-09-11 17:04:41.000000000 +0200
@@ -1,3 +1,13 @@
+php-openid (2.2.2-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/CVE-2013-4701.patch:
+    - Disable external XML entities and libxml errors. Fixes
+      security issue. (Closes: #721221)
+    - CVE-2013-4701
+
+ -- Artur Rona <ari-tc...@tlen.pl>  Wed, 11 Sep 2013 16:57:40 +0200
+
 php-openid (2.2.2-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
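Review bot: the entry "Fixes security issue. (Closes: #721221)" names no issue class, so a reader of the changelog has to open the patch to learn what was wrong; since the patch description says it disables external XML entities, say so here, e.g. "Disable loading of external XML entities in the Yadis XML parser (Auth/Yadis/XML.php), fixing XML external entity injection. (Closes: #721221)" and keep the separate "- CVE-2013-4701" line so the tracker picks the identifier up.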
diff -Nru php-openid-2.2.2/debian/patches/CVE-2013-4701.patch php-openid-2.2.2/debian/patches/CVE-2013-4701.patch
--- php-openid-2.2.2/debian/patches/CVE-2013-4701.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-openid-2.2.2/debian/patches/CVE-2013-4701.patch	2013-09-11 16:56:12.000000000 +0200
@@ -0,0 +1,26 @@
+From: Artur Rona <ari-tc...@tlen.pl>
+Description: Disable external XML entities and libxml errors. Fixes CVE-2013-4701.
+Bug: http://jvn.jp/en/jp/JVN24713981/index.html
+Bug-Debian: http://bugs.debian.org/721221
+Origin: upstream, https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9
+Author: Kousuke Ebihara
+
+diff -pruN -x '*~' php-openid-2.2.2.orig/Auth/Yadis/XML.php php-openid-2.2.2/Auth/Yadis/XML.php
+--- php-openid-2.2.2.orig/Auth/Yadis/XML.php	2010-04-29 22:41:05.000000000 +0200
++++ php-openid-2.2.2/Auth/Yadis/XML.php	2013-09-11 16:43:00.000000000 +0200
+@@ -234,7 +234,14 @@ class Auth_Yadis_dom extends Auth_Yadis_
+             return false;
+         }
+ 
+-        if (!@$this->doc->loadXML($xml_string)) {
++        // disable external entities and libxml errors
++        $loader = libxml_disable_entity_loader(true);
++        $errors = libxml_use_internal_errors(true);
++        $parse_result = @$this->doc->loadXML($xml_string);
++        libxml_disable_entity_loader($loader);
++        libxml_use_internal_errors($errors);
++
++        if (!$parse_result) { 
+             return false;
+         }
+ 
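Review bot: libxml is switched to internal error collection with `libxml_use_internal_errors(true)` but the collected errors are never drained, so every parse of a malformed document leaves entries in libxml's error buffer until some other caller clears them; add `libxml_clear_errors();` before the `libxml_use_internal_errors($errors);` line. Two smaller points in the same block: once internal errors are enabled the `@` on `@$this->doc->loadXML($xml_string)` suppresses nothing and can go, and `if (!$parse_result) { ` carries a trailing space. Saving and restoring both settings around the single call is the right shape, since both are global libxml state rather than per-document options. The hunk hardens only `Auth_Yadis_dom`; if `Auth/Yadis/XML.php` offers more than one parser backend, the other one needs the same guard, or it should be confirmed that the unpatched path is not reachable from the Yadis discovery code.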
diff -Nru php-openid-2.2.2/debian/patches/series php-openid-2.2.2/debian/patches/series
--- php-openid-2.2.2/debian/patches/series	2012-04-29 11:16:21.000000000 +0200
+++ php-openid-2.2.2/debian/patches/series	2013-09-11 16:57:06.000000000 +0200
@@ -1 +1,2 @@
 fixes-call-time-pass-by-reference
+CVE-2013-4701.patch
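Review bot: the two entries in `series` follow different naming conventions, `fixes-call-time-pass-by-reference` without an extension and `CVE-2013-4701.patch` with one. quilt accepts both, but pick one; naming patches after the CVE with a `.patch` suffix, as the new entry does, is the more useful model to keep, and the older file can be renamed the next time it is touched.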
