Debian Bug report logs - #552531
libhtml-parser-perl: decode_entities confused by trailing incomplete entity can lead to DoS attacks

version graph

Package: libhtml-parser-perl; Maintainer for libhtml-parser-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libhtml-parser-perl is src:libhtml-parser-perl.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 27 Oct 2009 09:45:03 UTC

Severity: grave

Tags: confirmed, patch, security

Merged with 552551

Found in versions libhtml-parser-perl/3.55-1, libhtml-parser-perl/3.56-1, libhtml-parser-perl/3.62-1

Fixed in versions libhtml-parser-perl/3.64-1, libhtml-parser-perl/3.56-1+lenny1, libhtml-parser-perl/3.55-1+etch1

Done: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Tue, 27 Oct 2009 09:45:07 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: libhtml-parser-perl: decode_entities confused by trailing incomplete entity can lead to DoS attacks
Date: Mon, 26 Oct 2009 22:53:09 -0600
Package: libhtml-parser-perl
Version: 3.62-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for 
libhtml-parser-perl: CVE-2009-3627.

Quoting the commit fixing the bug[1]:
> decode_entities confused by trailing incomplete entity
>
> Mark Martinec reported crashed when running SpamAssassin, given a
> particular HTML junk mail to parse.  The problem was caused by
> HTML::Parsers decode_entities function confusing itself when it
> encountered strings with incomplete entities at the end of the string.

If you fix the vulnerability please also make sure to include the CVE id in 
your changelog entry. All the versions in the archive seem to be affected, as 
per the test case provided by upstream.

For further information see:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627
 http://security-tracker.debian.org/tracker/CVE-2009-3627

[1]http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Tue, 27 Oct 2009 21:30:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 27 Oct 2009 21:30:12 GMT) Full text and rfc822 format available.

Message #8 received at 552531@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: Raphael Geissert <geissert@debian.org>, 552531@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#552531: libhtml-parser-perl: decode_entities confused by trailing incomplete entity can lead to DoS attacks
Date: Tue, 27 Oct 2009 12:34:56 +0100
[Message part 1 (text/plain, inline)]
tag 552531 + confirmed
found 552531 3.56-1
found 552531 3.55-1

thanks

Hi Raphael

On Mon, Oct 26, 2009 at 10:53:09PM -0600, Raphael Geissert wrote:
> Package: libhtml-parser-perl
> Version: 3.62-1
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was published for 
> libhtml-parser-perl: CVE-2009-3627.
> 
> Quoting the commit fixing the bug[1]:
> > decode_entities confused by trailing incomplete entity
> >
> > Mark Martinec reported crashed when running SpamAssassin, given a
> > particular HTML junk mail to parse.  The problem was caused by
> > HTML::Parsers decode_entities function confusing itself when it
> > encountered strings with incomplete entities at the end of the string.
> 
> If you fix the vulnerability please also make sure to include the CVE id in 
> your changelog entry. All the versions in the archive seem to be affected, as 
> per the test case provided by upstream.
> 
> For further information see:
> 
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627
>  http://security-tracker.debian.org/tracker/CVE-2009-3627
> 
> [1]http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

There is already a package for unstable which unfortunately was taged
before this. It is 3.64-1 thus the unstable version does not contain a
note on this in the changelog.

I will try to prepare also a fixed versions.

Bests
Salvatore
[signature.asc (application/pgp-signature, inline)]

Added tag(s) confirmed. Request was from Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> to control@bugs.debian.org. (Tue, 27 Oct 2009 21:30:14 GMT) Full text and rfc822 format available.

Bug Marked as found in versions libhtml-parser-perl/3.56-1. Request was from Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> to control@bugs.debian.org. (Tue, 27 Oct 2009 21:30:15 GMT) Full text and rfc822 format available.

Bug Marked as found in versions libhtml-parser-perl/3.55-1. Request was from Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> to control@bugs.debian.org. (Tue, 27 Oct 2009 21:30:16 GMT) Full text and rfc822 format available.

Merged 552531 552551. Request was from Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> to control@bugs.debian.org. (Wed, 28 Oct 2009 00:30:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Wed, 28 Oct 2009 18:06:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 28 Oct 2009 18:06:15 GMT) Full text and rfc822 format available.

Message #21 received at 552531@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: 552531@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: libhtml-parser-perl: decode_entities confused by trailing incomplete entity can lead to DoS attacks
Date: Tue, 27 Oct 2009 22:02:21 +0100
[Message part 1 (text/plain, inline)]
Hi 

I have now prepared and updated the patch for the version in lenny,
attached to this mail is the debdiff to the current version in stable.

Security Team, could you review the changes? If you agree, how to to 
proceed? (Note: I cannot upload it then by myself since I'm not yet a
DD).

Bests
Salvatore
[debdiff_libhtml-parser-perl_3.56-1_3.5.6-1+lenny1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Wed, 28 Oct 2009 18:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 28 Oct 2009 18:21:04 GMT) Full text and rfc822 format available.

Message #26 received at 552531@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: 552531@bugs.debian.org, team@security.debian.org
Subject: Updated debdiff for lenny
Date: Tue, 27 Oct 2009 22:48:47 +0100
[Message part 1 (text/plain, inline)]
Hi

As discussed with Giuseppe Iuculano on IRC on #debian-it I updated the
debdiff as needed, removing myself again from Uploaders and updating
the remaining changelog accordingly.

The current debdiff is attached, for the lenny version (etch version
is still missing).

Bests and thanks for reviewing
Salvatore
[debdiff_libhtml-parser-perl_3.56-1_3.5.6-1+lenny1.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Thu, 29 Oct 2009 03:36:29 GMT) Full text and rfc822 format available.

Message #29 received at 552531@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 552531@bugs.debian.org, 552531-submitter@bugs.debian.org
Subject: Bug in fixed in revision 46467
Date: Tue, 27 Oct 2009 22:02:17 +0000
tag 552531 + pending
thanks

Some bugs are closed in revision 46467
by Salvatore Bonaccorso (carnil-guest)

Commit message:

Fix decode_entities which can be confused by trailing incomplete entity
and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 29 Oct 2009 03:36:32 GMT) Full text and rfc822 format available.

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#552531. (Thu, 29 Oct 2009 03:37:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#552531; Package libhtml-parser-perl. (Thu, 29 Oct 2009 04:42:40 GMT) Full text and rfc822 format available.

Message #37 received at 552531@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 552531@bugs.debian.org, 552531-submitter@bugs.debian.org
Subject: Bug in fixed in revision 46478
Date: Wed, 28 Oct 2009 08:19:54 +0000
tag 552531 + pending
thanks

Some bugs are closed in revision 46478
by Salvatore Bonaccorso (carnil-guest)

Commit message:

Fix decode_entities which can be confused by trailing incomplete entity
and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531). 




Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#552531. (Thu, 29 Oct 2009 04:42:46 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Tue, 03 Nov 2009 06:57:07 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Tue, 03 Nov 2009 06:57:07 GMT) Full text and rfc822 format available.

Message #45 received at 552531-done@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: 552531-done@bugs.debian.org
Subject: Closing bug manually
Date: Tue, 3 Nov 2009 07:38:43 +0100
[Message part 1 (text/plain, inline)]
Package: libhtml-parser-perl
Version: 3.64-1

Hi Raphael

For unstable this bug a fix was included in the 3.64-1 upload.
upstream fixed it in 3.63-1, and 3.63-1 was prepared in pkg-perl svn.
Since there was no upload, this was included in 3.64-1 and uploaded
before this bugreport was reported. Thus closing manually.

Bests
Salvatore
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Tue, 03 Nov 2009 06:57:08 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Bug acknowledged by developer. (Tue, 03 Nov 2009 06:57:09 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Sat, 05 Dec 2009 21:27:04 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 21:27:04 GMT) Full text and rfc822 format available.

Message #55 received at 552531-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: 552531-close@bugs.debian.org
Subject: Bug#552531: fixed in libhtml-parser-perl 3.56-1+lenny1
Date: Sat, 05 Dec 2009 21:25:20 +0000
Source: libhtml-parser-perl
Source-Version: 3.56-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libhtml-parser-perl, which is due to be installed in the Debian FTP archive:

libhtml-parser-perl_3.56-1+lenny1.diff.gz
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1.diff.gz
libhtml-parser-perl_3.56-1+lenny1.dsc
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1.dsc
libhtml-parser-perl_3.56-1+lenny1_i386.deb
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> (supplier of updated libhtml-parser-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 27 Oct 2009 21:43:51 +0100
Source: libhtml-parser-perl
Binary: libhtml-parser-perl
Architecture: source i386
Version: 3.56-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Catalyst Maintainers <pkg-catalyst-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
Description: 
 libhtml-parser-perl - A collection of modules that parse HTML text documents
Closes: 552531
Changes: 
 libhtml-parser-perl (3.56-1+lenny1) stable-security; urgency=high
 .
   * Fix decode_entities which can be confused by trailing incomplete entity
     and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).
Checksums-Sha1: 
 7ff4e273d5f0a7b7bddb817dad4a2c6a0d5ddfde 1316 libhtml-parser-perl_3.56-1+lenny1.dsc
 846408ee953f1386b85acc63cd15e9f913e161a6 86040 libhtml-parser-perl_3.56.orig.tar.gz
 35883413788f553f9bd8244fcbf63c4281f9d6e1 6147 libhtml-parser-perl_3.56-1+lenny1.diff.gz
 5b264328d0c15360aa237e2e2952238742a33caa 109680 libhtml-parser-perl_3.56-1+lenny1_i386.deb
Checksums-Sha256: 
 12d0e8e48a8ec6e19e34b6f4dcc94df50c66aec1399b22248c54460affea748a 1316 libhtml-parser-perl_3.56-1+lenny1.dsc
 503c53657263a0adacc81141ecb52f2ca9f82551b49ec82ff6042b52b2203074 86040 libhtml-parser-perl_3.56.orig.tar.gz
 06741d27f3c999a5a52663fedf82ff21d73321219fbcd90a16d05deac567aa2c 6147 libhtml-parser-perl_3.56-1+lenny1.diff.gz
 b88fd6f3ecfddae89324ae49816fab8bb782686573d1e799c60b4070567eb52a 109680 libhtml-parser-perl_3.56-1+lenny1_i386.deb
Files: 
 5a923d6089e2ffddf050ea5b017a7956 1316 perl optional libhtml-parser-perl_3.56-1+lenny1.dsc
 bddc432e5ed9df4d4153a62234f04fc2 86040 perl optional libhtml-parser-perl_3.56.orig.tar.gz
 18b2407d8b26d6225b82a880b16a0e05 6147 perl optional libhtml-parser-perl_3.56-1+lenny1.diff.gz
 da9426f29d77127b954a77263a5b7665 109680 perl optional libhtml-parser-perl_3.56-1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkroth8ACgkQNxpp46476armTgCffw9LsQ+qonC/dXtXvsEOqpGN
GYEAnjW2lUrLU63dH4Gzl07dlx541D/X
=xea+
-----END PGP SIGNATURE-----





Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Sat, 05 Dec 2009 21:27:05 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 21:27:05 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Sat, 05 Dec 2009 22:21:05 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:21:05 GMT) Full text and rfc822 format available.

Message #65 received at 552531-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
To: 552531-close@bugs.debian.org
Subject: Bug#552531: fixed in libhtml-parser-perl 3.55-1+etch1
Date: Sat, 05 Dec 2009 22:17:47 +0000
Source: libhtml-parser-perl
Source-Version: 3.55-1+etch1

We believe that the bug you reported is fixed in the latest version of
libhtml-parser-perl, which is due to be installed in the Debian FTP archive:

libhtml-parser-perl_3.55-1+etch1.diff.gz
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1.diff.gz
libhtml-parser-perl_3.55-1+etch1.dsc
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1.dsc
libhtml-parser-perl_3.55-1+etch1_i386.deb
  to main/libh/libhtml-parser-perl/libhtml-parser-perl_3.55-1+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com> (supplier of updated libhtml-parser-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Oct 2009 09:03:59 +0100
Source: libhtml-parser-perl
Binary: libhtml-parser-perl
Architecture: source i386
Version: 3.55-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Catalyst Maintainers <pkg-catalyst-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
Description: 
 libhtml-parser-perl - A collection of modules that parse HTML text documents
Closes: 552531
Changes: 
 libhtml-parser-perl (3.55-1+etch1) oldstable-security; urgency=high
 .
   * Fix decode_entities which can be confused by trailing incomplete entity
     and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).
Files: 
 0f38d699bda26190ea4764aa74eac2c8 882 perl optional libhtml-parser-perl_3.55-1+etch1.dsc
 75eb683f1fb7aa7c0ffa46ded4564b54 84746 perl optional libhtml-parser-perl_3.55.orig.tar.gz
 8c713a84e3df953ae77d83d9f2cff5bc 6136 perl optional libhtml-parser-perl_3.55-1+etch1.diff.gz
 b542502d5b1d4fff66c2d730e8c02790 108032 perl optional libhtml-parser-perl_3.55-1+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkros7IACgkQNxpp46476apcsgCdEs5BZ7f0ANDByeTL2BirBIv1
RAsAmwfCpb8xwNvR7kQVfTZQd+0PErhu
=vYMt
-----END PGP SIGNATURE-----





Reply sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
You have taken responsibility. (Sat, 05 Dec 2009 22:21:05 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Dec 2009 22:21:06 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:32:28 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:54:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.