Version in base suite: 3.56-1
Version in overlay suite: (not present)
Base version: libhtml-parser-perl_3.56-1
Target version: libhtml-parser-perl_3.56-1+lenny1
Base file: /org/ftp.debian.org/ftp/pool/main/libh/libhtml-parser-perl/libhtml-parser-perl_3.56-1.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/libhtml-parser-perl_3.56-1+lenny1.dsc
libhtml-parser-perl-3.56/debian/changelog | 7 +++++++
t/entities.t | 4 +++-
util.c | 12 ++++++------
3 files changed, 16 insertions(+), 7 deletions(-)
diff -u libhtml-parser-perl-3.56/debian/changelog libhtml-parser-perl-3.56/debian/changelog
--- libhtml-parser-perl-3.56/debian/changelog
+++ libhtml-parser-perl-3.56/debian/changelog
@@ -1,3 +1,10 @@
+libhtml-parser-perl (3.56-1+lenny1) stable-security; urgency=high
+
+ * Fix decode_entities which can be confused by trailing incomplete entity
+ and leading to potential DoS attacks - CVE-2009-3627 (Closes: #552531).
+
+ -- Salvatore Bonaccorso Tue, 27 Oct 2009 21:43:51 +0100
+
 libhtml-parser-perl (3.56-1) unstable; urgency=low
 
 * New upstream release
only in patch2:
unchanged:
--- libhtml-parser-perl-3.56.orig/util.c
+++ libhtml-parser-perl-3.56/util.c
@@ -95,14 +95,14 @@
 ent_start = s;
 repl = 0;
-if (*s == '#') {
+if (s < end && *s == '#') {
 UV num = 0;
 UV prev = 0;
 int ok = 0;
 s++;
-if (*s == 'x' || *s == 'X') {
+if (s < end && (*s == 'x' || *s == 'X')) {
 s++;
-while (*s) {
+while (s < end) {
 char *tmp = strchr(PL_hexdigit, *s);
 if (!tmp)
 break;
@@ -118,7 +118,7 @@
 }
 }
 else {
-while (isDIGIT(*s)) {
+while (s < end && isDIGIT(*s)) {
 num = num * 10 + (*s - '0');
 if (prev && num < prev) {
 /* overflow */
@@ -181,7 +181,7 @@
 }
 else {
 char *ent_name = s;
-while (isALNUM(*s))
+while (s < end && isALNUM(*s))
 s++;
 if (ent_name != s && entity2char) {
 SV** svp;
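Review bot: In the hex loop of the first util.c hunk (@@ -95), replacing `while (*s)` with `while (s < end)` removes the implicit stop at a NUL byte, and the `strchr(PL_hexdigit, *s)` test on the next line does not restore it: strchr searching for '\0' returns a pointer to the terminator of PL_hexdigit rather than NULL, so an embedded NUL inside the buffer now passes the `!tmp` check and is consumed as a hex digit instead of ending the reference. Keep the old behaviour for embedded NULs while retaining the new bounds check by changing the break condition to `if (*s == '\0' || !tmp)` followed by the existing `break;`. The `s < end` guards in the @@ -118, @@ -181 and @@ -217 hunks look correct as written, since isDIGIT and isALNUM reject NUL on their own. The enclosing function and the definition of `end` lie outside the hunks, so whether `end` is derived from the SV's length rather than from a NUL scan should be confirmed, as the whole fix depends on that.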
@@ -217,7 +217,7 @@
 if (repl) {
 char *repl_allocated = 0;
-if (*s == ';')
+if (s < end && *s == ';')
 s++;
 t--; /* '&' already copied, undo it */
only in patch2:
unchanged:
--- libhtml-parser-perl-3.56.orig/t/entities.t
+++ libhtml-parser-perl-3.56/t/entities.t
@@ -1,6 +1,6 @@
 use HTML::Entities qw(decode_entities encode_entities encode_entities_numeric);
-use Test::More tests => 12;
+use Test::More tests => 13;
 $a = "Våre norske tegn bør æres";
@@ -66,6 +66,8 @@
 is(decode_entities("'"), "'");
 is(encode_entities("'", "'"), "'");
+is(decode_entities("Attention Homeοωnөrs...1ѕt Tімe Eνөг"),
+ "Attention Home\x{3BF}\x{3C9}n\x{4E9}rs...1\x{455}t T\x{456}\x{43C}e E\x{3BD}\x{4E9}\x{433}");
 __END__
 # Quoted from rfc1866.txt
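Review bot: The new case in the t/entities.t hunk (@@ -66) only feeds decode_entities complete numeric references, so it never exercises the trailing-incomplete-entity path that the changelog entry names and that every util.c hunk guards with `s < end`; a regression test for this upload should end its input mid-reference, for example `is(decode_entities("Attention &#x"), "Attention &#x");` and `is(decode_entities("&#"), "&#");`, with the expected values presumably the unchanged input since no digits are parsed, and `tests => 13` bumped accordingly. As displayed here the input literal already contains the decoded characters and is identical to the expected string, which would make the assertion vacuous; this is most likely the page rendering having decoded `&#NNN;` forms in the source, but it is worth confirming that the committed file holds the numeric references rather than raw UTF-8, which would also need a `use utf8;` pragma the file does not show.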