oss-sec mailing list archives
Re: CVE Request: XML entity expansion in the XML::Atom Perl module
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Mar 2012 20:10:48 -0700
On 03/04/2012 09:07 AM, Florian Weimer wrote:
> I would like to request a CVE name for this security fix:
>
> | 0.39 2011.06.20
> | * Disabled external entities and network to avoid possible security flaw (yannk)
>
> <http://cpansearch.perl.org/src/MIYAGAWA/XML-Atom-0.39/Changes>
>
> Thanks.
Please use CVE-2012-1102 for this issue.

PS in future if you could include information like the following that would be helpful to all:

--- XML-Atom-0.38/lib/XML/Atom.pm 2011-05-22 23:35:44.000000000 -0600 +++ XML-Atom-0.39/lib/XML/Atom.pm 2011-06-20 23:35:51.000000000 -0600 @@ -4,7 +4,7 @@ use strict; use 5.008_001; -our $VERSION = '0.38'; +our $VERSION = '0.39'; BEGIN { @XML::Atom::EXPORT = qw( LIBXML DATETIME); @@ -35,6 +35,26 @@ $XML::Atom::DefaultVersion = 0.3; } +sub libxml_parser { + ## uses old XML::LibXML < 1.70 interface for compat reasons + return XML::LibXML->new( + #no_network => 1, # v1.63+ + expand_xinclude => 0, + expand_entities => 1, + load_ext_dtd => 0, + ext_ent_handler => sub { warn "External entities disabled."; '' }, + ); +} + +sub expat_parser { + return XML::Parser->new( + Handlers => { + ExternEnt => sub { warn "External Entities disabled."; '' }, + ExternEntFin => sub {}, + }, + ); +} + use base qw( XML::Atom::ErrorHandler Exporter ); package XML::Atom::Namespace;

--
Kurt Seifried
Red Hat Security Response Team (SRT)
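Review bot: In the second hunk (`@@ -35,6 +35,26 @@`), `libxml_parser` keeps `expand_entities => 1`, so only external entities are neutralised (through `load_ext_dtd => 0` and the `ext_ent_handler` stub that returns `''`); entities declared in the document's own internal DTD subset are still substituted, which is the case the thread's subject ("XML entity expansion") names, and this hunk does not add any expansion limit for them. Consider `expand_entities => 0` or a comment stating why inline substitution must stay enabled. The same hunk leaves `#no_network => 1, # v1.63+` commented out even though the Changes entry says network access was disabled; enabling it conditionally on the installed XML::LibXML version (or documenting that network fetches are only blocked indirectly via the external-entity handler) would make the fix match its description. Finally, the hunk defines the two constructors but shows none of the call sites that must switch from direct `XML::LibXML->new` / `XML::Parser->new` to `libxml_parser` / `expat_parser`; that change should be confirmed in the rest of the patch.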