oss-sec mailing list archives

Re: CVE Request: XML entity expansion in the XML::Atom Perl module


From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Mar 2012 20:10:48 -0700

On 03/04/2012 09:07 AM, Florian Weimer wrote:
> I would like to request a CVE name for this security fix:
> 
> | 0.39  2011.06.20
> |     * Disabled external entities and network to avoid possible security flaw (yannk)
> 
> <http://cpansearch.perl.org/src/MIYAGAWA/XML-Atom-0.39/Changes>
> 
> Thanks.

Please use CVE-2012-1102 for this issue. PS in future if you could
include information like the following that would be helpful to all:

--- XML-Atom-0.38/lib/XML/Atom.pm       2011-05-22 23:35:44.000000000 -0600
+++ XML-Atom-0.39/lib/XML/Atom.pm       2011-06-20 23:35:51.000000000 -0600
@@ -4,7 +4,7 @@
 use strict;

 use 5.008_001;
-our $VERSION = '0.38';
+our $VERSION = '0.39';

 BEGIN {
     @XML::Atom::EXPORT = qw( LIBXML DATETIME);
@@ -35,6 +35,26 @@
     $XML::Atom::DefaultVersion = 0.3;
 }

+sub libxml_parser {
+    ## uses old XML::LibXML < 1.70 interface for compat reasons
+    return XML::LibXML->new(
+        #no_network      => 1, # v1.63+
+        expand_xinclude => 0,
+        expand_entities => 1,
+        load_ext_dtd    => 0,
+        ext_ent_handler => sub { warn "External entities disabled."; '' },
+    );
+}
+
+sub expat_parser {
+    return XML::Parser->new(
+        Handlers => {
+            ExternEnt => sub { warn "External Entities disabled."; '' },
+            ExternEntFin => sub {},
+        },
+    );
+}
+
 use base qw( XML::Atom::ErrorHandler Exporter );

 package XML::Atom::Namespace;
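Review bot: `expand_entities => 1` in `libxml_parser` keeps internal entity substitution switched on, and `ext_ent_handler` only neutralises external entities by substituting `''`, so nothing in these options bounds how far an internal entity declared in the document's own DTD may expand. Since the subject line calls this an XML entity expansion issue, either the Changes entry should state that the scope of the fix is external entities and network fetches, or `expand_entities => 0` should be considered for the callers that can work with unexpanded reference nodes. The `#no_network => 1, # v1.63+` line is commented out, so the "network" part of the Changes text ("Disabled external entities and network") currently rests on the handler stub alone; `($XML::LibXML::VERSION >= 1.63 ? (no_network => 1) : ())` would enable libxml's own switch without breaking the older installs the `< 1.70` comment is protecting. Finally, the hunk adds `libxml_parser` and `expat_parser` but shows no call site, so the review should confirm that every `XML::LibXML->new` and `XML::Parser->new` in the distribution is routed through these helpers; any direct constructor left behind keeps the old behaviour.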



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
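The patch's `ExternEnt` / `ext_ent_handler` stubs and the Changes line they implement describe one parser-hardening policy: refuse external entities and network fetches. As an added example (not code from XML::Atom, from XML::LibXML, or from either poster), the block below applies that policy to Python's `xml.parsers.expat`, which wraps the same expat library that the Perl `XML::Parser` module in the patch wraps, and adds the piece the patch's `expand_entities => 1` setting leaves unbounded: each internal entity's fully expanded size is computed at declaration time, before anything is expanded, and the parse is refused once it exceeds a budget. The function and class names (`parse_hardened`, `check_document`, `expanded_length`, `UnsafeXmlError`), the default budget, and the three sample documents are my own constructions.

```python
# Added example: refusing external entities and bounding internal entity
# expansion with Python's xml.parsers.expat (the same expat library that the
# Perl XML::Parser module in the patch wraps). Not code from XML::Atom.
import re
import xml.parsers.expat as expat

# Matches general entity references such as &foo; (not character references).
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


class UnsafeXmlError(ValueError):
    """Raised when a document uses a construct the policy rejects."""


def expanded_length(value, sizes):
    """Length of an internal entity value after every entity reference in it
    has been replaced, using the expanded sizes of entities declared earlier.
    Nothing is actually expanded, so the cost is linear in the literal value."""
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last
        name = m.group(1)
        if name in PREDEFINED:
            total += 1
        else:
            # Undeclared names are counted literally; expat reports them as
            # errors when they are referenced in content.
            total += sizes.get(name, len(m.group(0)))
        last = m.end()
    return total + len(value) - last


def parse_hardened(data, max_entity_expansion=10_000):
    """Parse `data` with expat under a restrictive policy and return the
    document's character data joined into one string.

    Policy (assumed for this example):
      * external DTD subsets and SYSTEM/PUBLIC entity declarations are refused;
      * parameter entities are never parsed from external sources;
      * an internal entity whose fully expanded size exceeds
        `max_entity_expansion` characters is refused when it is declared.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    sizes = {}   # entity name -> expanded size in characters
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An external DTD subset is an external fetch in disguise.
        if sysid is not None or pubid is not None:
            raise UnsafeXmlError("external DTD subset not allowed: %r" % (sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None or sysid is not None or pubid is not None:
            raise UnsafeXmlError("external entity %r not allowed" % name)
        size = expanded_length(value, sizes)
        if size > max_entity_expansion:
            raise UnsafeXmlError(
                "entity %r expands to %d characters (limit %d)"
                % (name, size, max_entity_expansion))
        sizes[name] = size

    def on_external_ref(context, base, sysid, pubid):
        # Same expat hook as XML::Parser's ExternEnt handler. Returning 0 makes
        # expat fail the parse instead of substituting '' and carrying on.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


def check_document(data, **limits):
    """Convenience wrapper: (True, text) on success, (False, reason) otherwise."""
    try:
        return True, parse_hardened(data, **limits)
    except (UnsafeXmlError, expat.ExpatError) as err:
        return False, str(err)


# Constructed sample documents for the three cases the policy distinguishes.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE d [<!ENTITY greet "hello">]>'
          '<d>&greet; world</d>')
EXTERNAL = ('<?xml version="1.0"?>'
            '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
            '<d>&ext;</d>')
NESTED = ('<?xml version="1.0"?><!DOCTYPE d ['
          '<!ENTITY a "0123456789">'
          '<!ENTITY b "&a;&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;&b;">'
          ']><d>&c;</d>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external", EXTERNAL), ("nested", NESTED)):
        ok, detail = check_document(doc, max_entity_expansion=100)
        print(label, "accepted, %d chars" % len(detail) if ok else "rejected: " + detail)
```

The budget is enforced at declaration time rather than by counting output, so a document is refused before expat has done any of the work the nested definitions would cause; with the default budget the `NESTED` sample (250 characters after expansion) is accepted, and with `max_entity_expansion=100` it is refused at the declaration of `c`.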