Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

As agreed with the security team, we'd like to address CVE-2014-2053 in stable (oldstable not being affected) via pu instead of a proper DSA, because php-getid3 is a leaf package in stable and the vulnerability is likely hard to expose in practice.

php-getid3 1.9.7-2 fixed the issue in unstable.

Regards

David

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog index 1c63cbd..0351463 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +php-getid3 (1.9.3-1+deb7u1) wheezy; urgency=medium + + * Close potential XXE security issue [CVE-2014-2053] + * Add gbp config file + + -- David Prévot <taf...@debian.org> Tue, 15 Apr 2014 16:36:53 -0400 + php-getid3 (1.9.3-1) unstable; urgency=low * New upstream release (closes: #615946). diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..a475fbf --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +pristine-tar = True +debian-branch = wheezy diff --git a/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch b/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch new file mode 100644 index 0000000..8e6807c --- /dev/null +++ b/debian/patches/0001-close-potential-XXE-security-issue-CVE-2014-2053.patch @@ -0,0 +1,26 @@ +From: James Heinrich <i...@silisoftware.com> +Date: Wed, 12 Mar 2014 08:25:28 -0500 +Subject: close potential XXE security issue (CVE-2014-2053) + +http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + +Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc +--- + getid3/getid3.lib.php | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php +index 723e2e2..e626027 100644 +--- a/getid3/getid3.lib.php ++++ b/getid3/getid3.lib.php +@@ -523,6 +523,10 @@ class getid3_lib + static function XML2array($XMLstring) { + if (function_exists('simplexml_load_string')) { + if (function_exists('get_object_vars')) { ++ if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) ++ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html ++ libxml_disable_entity_loader(true); ++ } + $XMLobject = simplexml_load_string($XMLstring); + return self::SimpleXMLelement2array($XMLobject); + } 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..cb3bc0d --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +0001-close-potential-XXE-security-issue-CVE-2014-2053.patch
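Review bot: in the getid3.lib.php hunk of 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch, libxml_disable_entity_loader(true) is called before simplexml_load_string() but its previous value is never restored, so the setting leaks out of XML2array() into the rest of the request and any later code in the same process that legitimately needs external entity loading will silently break. Since the function returns the previous state, the safer shape is to keep that return value, e.g. `$previous = libxml_disable_entity_loader(true);`, then after `$XMLobject = simplexml_load_string($XMLstring);` call `libxml_disable_entity_loader($previous);` so the hardening is scoped to this parser call only. This mirrors upstream commit dc8549079a24bb0619b6124ef2df767704f8d0bc as-is, so the choice is between carrying it unchanged for the stable update and adding the restore as a small Debian-specific delta; the changelog entry and gbp.conf hunks look fine for a wheezy pu.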