Debian Bug report logs - #561658
libexpat1 patch breaks xhtml parsing with a local http doctype definition

Package: libexpat1; Maintainer for libexpat1 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for libexpat1 is src:expat.

Reported by: Tuomas Venhola <tuomas.venhola@koripallo.com>

Date: Sat, 19 Dec 2009 10:42:05 UTC

Severity: normal

Fixed in versions expat/2.0.1-7, expat/1.95.8-3.4+etch3, expat/2.0.1-4+lenny3

Done: Daniel Leidert (dale) <daniel.leidert@wgdd.de>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#561658; Package libexpat1. (Sat, 19 Dec 2009 10:42:08 GMT)

Acknowledgement sent to Tuomas Venhola <tuomas.venhola@koripallo.com>:
New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

1.95.8-3.4+etch2_i386

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Sat, 19 Dec 2009 10:42:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tuomas Venhola <tuomas.venhola@koripallo.com>
To: submit@bugs.debian.org
Subject: libexpat1 patch breaks xhtml parsing with a local http doctype definition
Date: Fri, 18 Dec 2009 12:43:12 +0200
Package: libexpat1
Version: 1.95.8-3.4+etch2_i386

After upgrading libexpat1 my Perl script, which used XPath, ceased 
functioning. Downgrading back to 1.95.8-3.4+etch1 fixed the problem, 
meaning the bug was introduced with the patch. I'm using a local copy of 
the doctype definition, as seen below.

error in processing external entity reference at line 1, column 117, byte 117:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.koripallo.com/dtd/xhtml1-transitional.dtd">
================================================================================================================^
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head></head>
 at /usr/lib/perl5/XML/Parser.pm line 187


A small Perl script to reproduce the bug (this works with the etch1 patch, but 
not with etch2):

#!/usr/bin/perl
use strict;
use warnings;
# The reporter's original also loaded DBI, DBD::mysql, Text::Iconv,
# Getopt::Long and Net::HTTP; none of them is needed to reproduce the bug.
use XML::XPath;
use XML::XPath::XMLParser;

# XHTML document whose DOCTYPE refers to a locally hosted copy of the DTD.
my $document = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.koripallo.com/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head></head>
<body></body></html>';

# XML::XPath parses through XML::Parser, i.e. libexpat; with the etch2
# package this dies with "error in processing external entity reference".
my $xp = XML::XPath->new(xml => $document);
my $nodeset = $xp->find('/html/body');
print "Works.\n";
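The error string in the report, "error in processing external entity reference", is expat's XML_ERROR_EXTERNAL_ENTITY_HANDLING: the parser stops with it when its external entity reference handler declines to supply the referenced external DTD subset. The script below is an added illustration, not part of the bug report and not code from expat or XML::Parser. It uses Python's bundled expat binding (xml.parsers.expat) to show, for a document of the same shape as the reporter's, the three outcomes a parser can have: parameter entity parsing off (the external subset is never requested), parameter entity parsing on with nothing to supply the subset (the error from the report), and parameter entity parsing on with the subset served from a local catalogue keyed by public identifier, so the http system identifier is never fetched. The hostname dtd.example.invalid, the catalogue and the tiny DTD text are constructed placeholders; the function and constant names are the example's own.

```python
"""Added example: how expat reports an unresolved external DTD subset, and how
to serve that subset from a local catalogue instead of fetching it over http.
Not part of the bug report; uses Python's bundled expat binding (pyexpat)."""
import xml.parsers.expat as expat
from xml.parsers.expat import errors

# Aliases so callers need not import expat themselves.
NEVER = expat.XML_PARAM_ENTITY_PARSING_NEVER
ALWAYS = expat.XML_PARAM_ENTITY_PARSING_ALWAYS
EXTERNAL_ENTITY_ERROR = errors.XML_ERROR_EXTERNAL_ENTITY_HANDLING

# Constructed sample document with the same shape as the reporter's: an XHTML
# DOCTYPE whose external subset is referenced by an http system ID. The
# hostname is a placeholder, not the reporter's server.
DOCUMENT = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://dtd.example.invalid/xhtml1-transitional.dtd">\n'
    '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n'
    '<head></head>\n'
    '<body></body></html>'
)

# Constructed local catalogue: public ID -> DTD text. A real deployment would
# map public IDs to files on disk; the point is that the system ID (the URL)
# is never used to fetch anything.
LOCAL_DTDS = {
    "-//W3C//DTD XHTML 1.0 Transitional//EN": (
        "<!ELEMENT html (head, body)>\n"
        "<!ELEMENT head ANY>\n"
        "<!ELEMENT body ANY>\n"
    ),
}


def local_catalogue_resolver(public_id, system_id):
    """Return DTD text for a known public ID, or None for anything else.
    Unknown identifiers are refused rather than fetched from system_id."""
    return LOCAL_DTDS.get(public_id)


def parse(document, param_entity_parsing, resolver=None):
    """Parse `document` with expat and return (element_names, error_message).

    param_entity_parsing is one of the expat.XML_PARAM_ENTITY_PARSING_*
    constants; it decides whether the external DTD subset is requested at
    all. resolver(public_id, system_id) supplies the subset text, or None to
    refuse, which makes expat stop with XML_ERROR_EXTERNAL_ENTITY_HANDLING,
    the same error string XML::Parser printed in the report.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(param_entity_parsing)
    elements = []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)

    def external_entity_ref(context, base, system_id, public_id):
        text = resolver(public_id, system_id) if resolver else None
        if text is None:
            return 0  # refuse: expat reports the external entity error
        # context is None for the external DTD subset; the sub-parser shares
        # the parent's DTD, so declarations it reads land in the main parser.
        subset_parser = parser.ExternalEntityParserCreate(context)
        subset_parser.Parse(text, True)
        return 1

    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        return elements, errors.messages[exc.code]
    return elements, None


if __name__ == "__main__":
    cases = [
        ("param entities NEVER, no resolver", NEVER, None),
        ("param entities ALWAYS, no resolver", ALWAYS, None),
        ("param entities ALWAYS, local catalogue", ALWAYS, local_catalogue_resolver),
    ]
    for label, mode, resolver in cases:
        print(label, "->", parse(DOCUMENT, mode, resolver))
```

The middle case is the failure mode from the report: the external subset is requested, nothing supplies it, and parsing stops before the first element. The third case is the deployment shape to aim for when a document must carry a remote DOCTYPE: resolve by public identifier from a catalogue you control and treat the system identifier as data, never as something to download. expat's XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE sits between the two modes and requests the subset only for documents not marked standalone.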
Added indication that bug 561658 blocks 562381. Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Mon, 28 Dec 2009 19:45:17 GMT)

Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Tue, 29 Dec 2009 21:36:11 GMT)

Notification sent to Tuomas Venhola <tuomas.venhola@koripallo.com>:
Bug acknowledged by developer. (Tue, 29 Dec 2009 21:36:11 GMT)

Message #12 received at 561658-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 561658-close@bugs.debian.org
Subject: Bug#561658: fixed in expat 2.0.1-7
Date: Tue, 29 Dec 2009 21:34:55 +0000
Source: expat
Source-Version: 2.0.1-7

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-7.diff.gz
  to main/e/expat/expat_2.0.1-7.diff.gz
expat_2.0.1-7.dsc
  to main/e/expat/expat_2.0.1-7.dsc
expat_2.0.1-7_amd64.deb
  to main/e/expat/expat_2.0.1-7_amd64.deb
libexpat1-dev_2.0.1-7_amd64.deb
  to main/e/expat/libexpat1-dev_2.0.1-7_amd64.deb
libexpat1-udeb_2.0.1-7_amd64.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-7_amd64.udeb
libexpat1_2.0.1-7_amd64.deb
  to main/e/expat/libexpat1_2.0.1-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Dec 2009 22:18:35 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.0.1-7
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 561658
Changes: 
 expat (2.0.1-7) unstable; urgency=low
 .
   * debian/control (Depends): Fixed debhelper-but-no-misc-depends.
   * debian/patches/560901_CVE_2009_3560.dpatch: Adjusted.
     - lib/xmlparse.c (doProlog): Revised patch for CVE-2009-3560 after
       regressions have been detected (closes: #561658). Many thanks to
       Niko Tyni and Karl Waclawek for their help and the fix.
Checksums-Sha1: 
 5f7452ff6a1d8dd7b2d28a6a4af5f043ae0ab92a 1418 expat_2.0.1-7.dsc
 c9cfabf8d04726a46b914c066f30bd4b88976018 134322 expat_2.0.1-7.diff.gz
 9e27f29ef523c4c709c47b3ee060b8962fec0df6 221468 libexpat1-dev_2.0.1-7_amd64.deb
 71a47e448549431855e0f530f32f601401c14887 137220 libexpat1_2.0.1-7_amd64.deb
 f76fb64756ebf471762b853a47439b24312d57bb 63140 libexpat1-udeb_2.0.1-7_amd64.udeb
 cd0437dc052510f6777a918673b12c525dbe2def 24146 expat_2.0.1-7_amd64.deb
Checksums-Sha256: 
 71c691f66d93b18722c1be53d4553b6d8c0a181217210b6f1e21a0e30389a929 1418 expat_2.0.1-7.dsc
 fe79e2c83d30691c61cf896d2f9130d5d0aa4cbfe8e6f8ca82ec66be3e84c938 134322 expat_2.0.1-7.diff.gz
 0cd5704e7068830a23a2f7292480f1fe47a143907cf0622ab71b814dae4ce24b 221468 libexpat1-dev_2.0.1-7_amd64.deb
 ef8338441080c9fb8961940bd9dd970619b50978532f4aac1eb9972c169f3e24 137220 libexpat1_2.0.1-7_amd64.deb
 961deb2bdca8126e0334c08adad1123e8d481c4825800abff182ae41026a9600 63140 libexpat1-udeb_2.0.1-7_amd64.udeb
 9fb5f228dd221916c779fc4a91524a2e1759a9962d7c644e7efed1a790287edf 24146 expat_2.0.1-7_amd64.deb
Files: 
 9371621ec31f8c025c2a2740d873b509 1418 text optional expat_2.0.1-7.dsc
 3824ad27a2bf6a49c8a38fd49272788c 134322 text optional expat_2.0.1-7.diff.gz
 0b68e9439225797f79527be62099a8d6 221468 libdevel optional libexpat1-dev_2.0.1-7_amd64.deb
 2c3fcf59e61fa9f8025c7ce0c8ec1145 137220 libs optional libexpat1_2.0.1-7_amd64.deb
 891a65ea7251cbf0d7685aeafbcdf014 63140 debian-installer extra libexpat1-udeb_2.0.1-7_amd64.udeb
 7bb1e2c1b44820626ec443801fc419b8 24146 text optional expat_2.0.1-7_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAks6c1cACgkQm0bx+wiPa4wmrwCgufACAjS/fs/s/T46JXMpM1/d
JJoAoIlpRY8NNudnhE3tUyE9e8orv21T
=mDIP
-----END PGP SIGNATURE-----
Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Sun, 03 Jan 2010 02:06:04 GMT)

Notification sent to Tuomas Venhola <tuomas.venhola@koripallo.com>:
Bug acknowledged by developer. (Sun, 03 Jan 2010 02:06:04 GMT)

Message #17 received at 561658-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 561658-close@bugs.debian.org
Subject: Bug#561658: fixed in expat 1.95.8-3.4+etch3
Date: Sun, 03 Jan 2010 02:04:10 +0000
Source: expat
Source-Version: 1.95.8-3.4+etch3

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_1.95.8-3.4+etch3.diff.gz
  to main/e/expat/expat_1.95.8-3.4+etch3.diff.gz
expat_1.95.8-3.4+etch3.dsc
  to main/e/expat/expat_1.95.8-3.4+etch3.dsc
expat_1.95.8-3.4+etch3_i386.deb
  to main/e/expat/expat_1.95.8-3.4+etch3_i386.deb
libexpat1-dev_1.95.8-3.4+etch3_i386.deb
  to main/e/expat/libexpat1-dev_1.95.8-3.4+etch3_i386.deb
libexpat1-udeb_1.95.8-3.4+etch3_i386.udeb
  to main/e/expat/libexpat1-udeb_1.95.8-3.4+etch3_i386.udeb
libexpat1_1.95.8-3.4+etch3_i386.deb
  to main/e/expat/libexpat1_1.95.8-3.4+etch3_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Dec 2009 22:47:46 +0100
Source: expat
Binary: libexpat1 libexpat1-dev expat libexpat1-udeb
Architecture: source i386
Version: 1.95.8-3.4+etch3
Distribution: oldstable-security
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 561658
Changes: 
 expat (1.95.8-3.4+etch3) oldstable-security; urgency=low
 .
   * NMU to old stable to fix regressions in last security fix.
   * CVE-2009-3560: Revised patch to fix DoS vulnerability (closes: #561658).
Files: 
 dc4b1744126125076c101096cd8ee0ab 703 text optional expat_1.95.8-3.4+etch3.dsc
 61974eddb0940c5fcbdc6c8e8c7d77ee 413486 text optional expat_1.95.8-3.4+etch3.diff.gz
 990eba22f2b6d8e05b61e0242a03a822 130028 libdevel optional libexpat1-dev_1.95.8-3.4+etch3_i386.deb
 b4ce5489fcb44555acba9aefc022d188 63194 libs optional libexpat1_1.95.8-3.4+etch3_i386.deb
 8b4d6a3739653d5158c527000eb08701 54992 debian-installer extra libexpat1-udeb_1.95.8-3.4+etch3_i386.udeb
 60ee653353eaedddc9390e9747b9d669 21158 text optional expat_1.95.8-3.4+etch3_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLO0Qcbxelr8HyTqQRAiyPAKCUu+D7xGivOB8B1TJhiZ5tE6Oj2wCfQejr
5Z3cxPXcJOKIJDOJh6eICDc=
=6a/t
-----END PGP SIGNATURE-----
Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Sun, 03 Jan 2010 02:09:03 GMT)

Notification sent to Tuomas Venhola <tuomas.venhola@koripallo.com>:
Bug acknowledged by developer. (Sun, 03 Jan 2010 02:09:04 GMT)

Message #22 received at 561658-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 561658-close@bugs.debian.org
Subject: Bug#561658: fixed in expat 2.0.1-4+lenny3
Date: Sun, 03 Jan 2010 02:05:56 +0000
Source: expat
Source-Version: 2.0.1-4+lenny3

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-4+lenny3.diff.gz
  to main/e/expat/expat_2.0.1-4+lenny3.diff.gz
expat_2.0.1-4+lenny3.dsc
  to main/e/expat/expat_2.0.1-4+lenny3.dsc
expat_2.0.1-4+lenny3_i386.deb
  to main/e/expat/expat_2.0.1-4+lenny3_i386.deb
lib64expat1-dev_2.0.1-4+lenny3_i386.deb
  to main/e/expat/lib64expat1-dev_2.0.1-4+lenny3_i386.deb
lib64expat1_2.0.1-4+lenny3_i386.deb
  to main/e/expat/lib64expat1_2.0.1-4+lenny3_i386.deb
libexpat1-dev_2.0.1-4+lenny3_i386.deb
  to main/e/expat/libexpat1-dev_2.0.1-4+lenny3_i386.deb
libexpat1-udeb_2.0.1-4+lenny3_i386.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-4+lenny3_i386.udeb
libexpat1_2.0.1-4+lenny3_i386.deb
  to main/e/expat/libexpat1_2.0.1-4+lenny3_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Dec 2009 22:29:18 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source i386
Version: 2.0.1-4+lenny3
Distribution: stable-security
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 561658 562381
Changes: 
 expat (2.0.1-4+lenny3) stable-security; urgency=low
 .
   * Upload to stable to fix regressions in last security fix.
   * debian/patches/560901_CVE_2009_3560.dpatch: Adjusted.
     - lib/xmlparse.c (doProlog): Revised patch for CVE-2009-3560 after
       regressions have been detected (closes: #561658, #562381). Many thanks
       to Niko Tyni and Karl Waclawek for their help and the fix.
Checksums-Sha1: 
 fa35cc4590cfed2283178831e3efb0e02c93205d 1438 expat_2.0.1-4+lenny3.dsc
 040aca1eb03aebafdd844b94b54ab49024dd76a3 134076 expat_2.0.1-4+lenny3.diff.gz
 005ee962eed086aa8c409d4b2b5c31b2a6c334fe 168566 lib64expat1-dev_2.0.1-4+lenny3_i386.deb
 dce16e494647d2b50c3b54d50ea84c4cd1260f3f 136634 lib64expat1_2.0.1-4+lenny3_i386.deb
 a04b55b16c95435685db11aa00740368865fc8fe 210830 libexpat1-dev_2.0.1-4+lenny3_i386.deb
 0b60604702db7cc1c968d9a4fbc9572e7ccaa6fa 132090 libexpat1_2.0.1-4+lenny3_i386.deb
 e85a926868ff9191d82413cbb8e68a061e42c070 60870 libexpat1-udeb_2.0.1-4+lenny3_i386.udeb
 e3075e679cf3a594da9d35e1eee558cd4f887078 23472 expat_2.0.1-4+lenny3_i386.deb
Checksums-Sha256: 
 130425bfc8e9b75846e98929cb075909c927b6358266daddf0d7692821a0b4b2 1438 expat_2.0.1-4+lenny3.dsc
 54a7bd55cba7de577fd0dd8e7d0b8877af21ec41cdf82b6b9cc9b5d8183a54ad 134076 expat_2.0.1-4+lenny3.diff.gz
 9462680bfc56da22f76851a14bc3c94f1f684779110c92410d8e071e2d89457d 168566 lib64expat1-dev_2.0.1-4+lenny3_i386.deb
 62a112c8f9e131421022e454b3a6605cefec2db5d3dea9ae11153390e6f90a53 136634 lib64expat1_2.0.1-4+lenny3_i386.deb
 20db59bc0c92abf8fd4b0d5cb7ddfc35528deee791202e4ff997b1ba2277a5fe 210830 libexpat1-dev_2.0.1-4+lenny3_i386.deb
 a7488d5c32802a92e424c91567318cfdbf0bcb2d4e876661fff1efbdb649b915 132090 libexpat1_2.0.1-4+lenny3_i386.deb
 7e79cf1d3dad8460f187517d7247664565d1ba89368693603a9906745b1eb26b 60870 libexpat1-udeb_2.0.1-4+lenny3_i386.udeb
 1830cf9000f33042e5bb02eb7ba0d8d02fd08959424c5c6205ee528e0ccaa25b 23472 expat_2.0.1-4+lenny3_i386.deb
Files: 
 ad2aa942056412be8b8da88604b39ab8 1438 text optional expat_2.0.1-4+lenny3.dsc
 538ad21eb6bdf5acc8328df18c4cf052 134076 text optional expat_2.0.1-4+lenny3.diff.gz
 60b34707f84117713ace944b333ed771 168566 libdevel optional lib64expat1-dev_2.0.1-4+lenny3_i386.deb
 a845b4395000e0f4b565d32f482ae342 136634 libs optional lib64expat1_2.0.1-4+lenny3_i386.deb
 913c65f97181c1960564743ed23361fe 210830 libdevel optional libexpat1-dev_2.0.1-4+lenny3_i386.deb
 16f40a05b5e246cee5db23215e6f8b13 132090 libs optional libexpat1_2.0.1-4+lenny3_i386.deb
 25a3fb0e0b7e3e38ea75068c6225379d 60870 debian-installer extra libexpat1-udeb_2.0.1-4+lenny3_i386.udeb
 4674856b3fe32f76468e66b6956ab3bd 23472 text optional expat_2.0.1-4+lenny3_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLO0Vybxelr8HyTqQRAvd9AJwL2J9iVvksmVmUuTF/XVfD3Lf2BQCeL1r9
/YemWI1wxUYhCyJ2hCJlcN0=
=U6qV
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Feb 2010 07:32:33 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:35:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.