Daniel Leidert wrote:
> x-post to expat-discuss, debian-devel and debian-perl
>
> Hi,
>
> The security issue known as CVE-2009-3560 [1] has been fixed in expat's
> source code some time ago [2]. Now a Debian user informed [3] me that
> the fix breaks parsing XML files with entities using Perl's XML parser.
> Also several tests of the suite then fail (attached build log). So this
> makes the problem RC for us Debian and creates a problem in the *stable
> suites.
>
> I guess, the Perl XML parser needs to be fixed and not expat. But I'm
> not familiar with the Perl module. I wonder if you (expat developers)
> have been informed about this? Unfortunately the author of the Perl XML
> parser module seems not active anymore (CCed him though).

No, I haven't heard about the Perl issue before.

>
> Is someone able to help to track this down? Any help is appreciated.
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
> [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> [3] http://bugs.debian.org/561658
>

Could you please run the failing tests with Expat directly, instead of the Perl parser?

Karl