FYI RHEL5's expat (1.95.8-8.3.el5_4.2), external DTD test failures [rt.cpan.org #54747] #51

Open
toddr opened this issue Sep 24, 2019 · 0 comments

toddr commented Sep 24, 2019

Migrated from rt.cpan.org#54747 (status was 'new')

Requestors:

From [email protected] on 2010-02-18 10:57:27:

Hello and Thanks for XML::Parser,

This is not a bug report for XML::Parser, but something that might look
like one.

If you are on RHEL5 and have expat-1.95.8-8.3.el5_4.2 as part of
http://rhn.redhat.com/errata/RHSA-2009-1625.html, see the links in the
errata for the CVE's and bugzilla.  XML-Parser-2.34 (and 2.36) tests
will fail with:

t/decl.t
1..30
ok 1

syntax error at line 14, column 3, byte 214:
%ext;

<![%bar;[
==^
<!ATTLIST bar xyz (a|b|c) 'b'>
]]>

error in processing external entity reference at line 21, column 3, byte
3161:
   <!ELEMENT bar ANY>
   <!ATTLIST bar big CDATA 'This is a large string value to test whether
the declaration parser still works when the entity or attribute default
value may be broken into multiple calls to the default handler.
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789
'>
  ]>
==^
<foo/>
 at
/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/XML/Parser.pm
line 187

and also

t/parament.t
1..12
ok 1

error in processing external entity reference at line 8, column 0, byte 173:
  <!ENTITY more SYSTEM "t/ext2.ent">
]
>
^
<foo>Happy, happy
<bar>&joy;, &joy;</bar>
 at
/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/XML/Parser.pm
line 187

This fails with RH's perl-XML-Parser (perl-XML-Parser-2.34-6.1.2.2.1),
and when building 2.34 or 2.36 from CPAN src distribution.

From what I have read, there was an issue introduced with the expat
changes for the CVE's, this was subsequently fixed in expat, but has not
made it yet into RH's expat.

I think this is the open bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=556415

Also see:

  http://mail.libexpat.org/pipermail/expat-discuss/2009-December/thread.html

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561658

 
  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166

  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166

  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166&view=patch

Cheers,
Peter (Stig) Edwards
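
A small probe for the kind of input the failing tests exercise (an external parameter entity containing a conditional section), added here as an example; it is not part of the original report or of XML::Parser's test suite. The document, the entity text and the system identifier `probe.ent` are constructed, and the `rpm -q expat` call assumes an RPM-based host such as the RHEL5 system described above.

```perl
#!/usr/bin/perl
# Added probe, not from XML::Parser's test suite; all inputs are constructed.
use strict;
use warnings;
use XML::Parser;

# Constructed external entity, served from memory so nothing is read from
# disk or the network. "probe.ent" is a made-up system identifier.
my %external = ( 'probe.ent' => <<'ENT' );
<!ENTITY % bar "INCLUDE">
<![%bar;[
<!ATTLIST bar xyz (a|b|c) 'b'>
]]>
ENT

my $doc = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % ext SYSTEM "probe.ent">
  %ext;
  <!ELEMENT bar ANY>
]>
<foo/>
XML

sub probe {
    my @attlist;
    my $parser = XML::Parser->new(
        ParseParamEnt => 1,    # expand parameter entities in the DTD
        Handlers      => {
            # Resolve only identifiers we know; undef makes the parse fail.
            ExternEnt => sub { my ( $xp, $base, $sysid ) = @_; return $external{$sysid}; },
            Attlist   => sub { my ( $xp, $el, $att, $type ) = @_; push @attlist, "$el/$att $type"; },
        },
    );
    my $ok = eval { $parser->parse($doc); 1 };
    return ( $ok ? 1 : 0, $ok ? '' : $@, \@attlist );
}

my ( $ok, $err, $attlist ) = probe();
if ( $ok && @$attlist ) {
    print "external parameter entity parsed; ATTLIST seen: @$attlist\n";
}
else {
    print "external parameter entity NOT parsed cleanly\n", $err;
    print "installed expat: ", `rpm -q expat 2>/dev/null`;
    exit 1;
}
```

If this fails with the same "error in processing external entity reference" message while plain documents without a DTD still parse, check the expat package version against the errata before suspecting XML::Parser.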
