Package: release.debian.org
Severity: normal
Tags: wheezy
X-Debbugs-Cc: pkg-php-p...@lists.alioth.debian.org, t...@security.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

Follow-up on #744893 from a few months ago: upstream adopted a better fix for CVE-2014-2053, to be published in the upcoming 1.9.9 upstream version. The fix, cherry-picked from the upstream VCS, is included in the 1.9.8-2 Debian package, just uploaded to Sid.

Since the security team asked for addressing this via pu instead of a proper DSA last time, I believe this follow-up won’t deserve a DSA either (security team X-D-CC in case I’m wrong).

Attached the debdiff, and the actual additional patch.

Regards

David

-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru php-getid3-1.9.3/debian/changelog php-getid3-1.9.3/debian/changelog --- php-getid3-1.9.3/debian/changelog 2014-04-15 16:37:02.000000000 -0400 +++ php-getid3-1.9.3/debian/changelog 2014-09-23 19:24:07.000000000 -0400 @@ -1,3 +1,9 @@ +php-getid3 (1.9.3-1+deb7u2) wheezy; urgency=medium + + * Improve fix for XXE security issue [CVE-2014-2053] + + -- David Prévot <taf...@debian.org> Tue, 23 Sep 2014 19:24:07 -0400 + php-getid3 (1.9.3-1+deb7u1) wheezy; urgency=medium * Close potential XXE security issue [CVE-2014-2053] diff -Nru php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch --- php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-04-14 16:15:43.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400 @@ -6,11 +6,11 @@ Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc --- - getid3/getid3.lib.php | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) + getid3/getid3.lib.php | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php -index 723e2e2..e626027 100644 +index 723e2e2..86f60d6 100644 --- a/getid3/getid3.lib.php +++ b/getid3/getid3.lib.php @@ -523,6 +523,10 @@ class getid3_lib diff -Nru php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch --- php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 1969-12-31 20:00:00.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/0002-improved-XXE-fix-CVE-2014-2053.patch 2014-09-23 19:22:19.000000000 -0400 
@@ -0,0 +1,38 @@ +From: James Heinrich <i...@silisoftware.com> +Date: Sun, 14 Sep 2014 14:13:30 -0400 +Subject: improved XXE fix (CVE-2014-2053) + +--- + getid3/getid3.lib.php | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php +index 86f60d6..3f7b04d 100644 +--- a/getid3/getid3.lib.php ++++ b/getid3/getid3.lib.php +@@ -521,16 +521,15 @@ class getid3_lib + } + + static function XML2array($XMLstring) { +- if (function_exists('simplexml_load_string')) { +- if (function_exists('get_object_vars')) { +- if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) +- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html +- libxml_disable_entity_loader(true); +- } +- $XMLobject = simplexml_load_string($XMLstring); +- return self::SimpleXMLelement2array($XMLobject); +- } +- } ++ if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) { ++ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html ++ // https://core.trac.wordpress.org/changeset/29378 ++ $loader = libxml_disable_entity_loader(true); ++ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); ++ $return = self::SimpleXMLelement2array($XMLobject); ++ libxml_disable_entity_loader($loader); ++ return $return; ++ } + return false; + } + diff -Nru php-getid3-1.9.3/debian/patches/series php-getid3-1.9.3/debian/patches/series --- php-getid3-1.9.3/debian/patches/series 2014-04-14 16:14:43.000000000 -0400 +++ php-getid3-1.9.3/debian/patches/series 2014-09-23 19:22:19.000000000 -0400 @@ -1 +1,2 @@ 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch +0002-improved-XXE-fix-CVE-2014-2053.patch
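Review bot: the changelog stanza for 1.9.3-1+deb7u2 says only "Improve fix for XXE security issue", which does not tell a stable user what was deficient in +deb7u1; the lines that 0002 removes show that the earlier patch called libxml_disable_entity_loader(true) unconditionally and never restored the previous state, whereas the new code saves and restores it and passes explicit parser flags, so one clause saying that (plus a reference to #744893 or the upstream commit) would make the entry self-explanatory.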
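Review bot: the hunk against debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch rewrites only the diffstat ("5 insertions(+), 1 deletion(-)" becomes "4 insertions(+)") and the blob ids (index 723e2e2..e626027 becomes 723e2e2..86f60d6) while the quoted hunk header `@@ -523,6 +523,10 @@` is untouched, so this is a metadata refresh that makes 0001's postimage match the preimage 0002 expects, not a behavioural change; a short remark in the patch header or the changelog would save the next reviewer from hunting for a code difference, and the refreshed series should be confirmed to still apply cleanly with quilt.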
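Review bot: the new 0002-improved-XXE-fix-CVE-2014-2053.patch carries From/Date/Subject headers but no Origin: line, whereas 0001 records `Origin: upstream, https://github.com/...`; since the cover mail says this was cherry-picked from the upstream VCS, adding the matching Origin (and a Bug-Debian field) keeps the DEP-3 metadata consistent between the two patches and lets a reader locate the upstream commit without the mail.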
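Review bot: the series hunk appends 0002 after 0001, which is the only valid order, because 0002's preimage blob (index 86f60d6..3f7b04d) is 0001's postimage (index 723e2e2..86f60d6); it is worth stating in the 0002 header that it builds on 0001 rather than superseding it, since the "improved fix" wording could otherwise invite someone to drop 0001 in a later update and leave 0002 unappliable.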
From: James Heinrich <i...@silisoftware.com> Date: Sun, 14 Sep 2014 14:13:30 -0400 Subject: improved XXE fix (CVE-2014-2053) --- getid3/getid3.lib.php | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php index 86f60d6..3f7b04d 100644 --- a/getid3/getid3.lib.php +++ b/getid3/getid3.lib.php @@ -521,16 +521,15 @@ class getid3_lib } static function XML2array($XMLstring) { - if (function_exists('simplexml_load_string')) { - if (function_exists('get_object_vars')) { - if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) - // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html - libxml_disable_entity_loader(true); - } - $XMLobject = simplexml_load_string($XMLstring); - return self::SimpleXMLelement2array($XMLobject); - } - } + if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) { + // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + // https://core.trac.wordpress.org/changeset/29378 + $loader = libxml_disable_entity_loader(true); + $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); + $return = self::SimpleXMLelement2array($XMLobject); + libxml_disable_entity_loader($loader); + return $return; + } return false; }
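Review bot: in the XML2array hunk, simplexml_load_string returns false on malformed input and the new code passes that result straight to self::SimpleXMLelement2array, whose handling of false is not visible here; guard it before the call, restoring the loader on that path too, e.g. `if ($XMLobject === false) { libxml_disable_entity_loader($loader); return false; }`. The LIBXML_NOENT flag also deserves a second look: despite its name it turns entity substitution on, and nothing in this function needs substituted entities, so with the flag present the protection rests entirely on the loader being disabled; dropping LIBXML_NOENT (keeping the save/restore of the loader) is the more conservative choice for a parser fed with untrusted tag data. Finally, the collapsed condition means that on a PHP without libxml_disable_entity_loader (the removed comment says PHP 5 >= 5.2.11 has it) the function now returns false instead of parsing, which is a reasonable fail-closed change but should be mentioned in the changelog since callers previously got a result there.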