Bug 556415

Summary: Regression in fix for CVE-2009-3560 [rhel-5]
Product: Red Hat Enterprise Linux 5
Reporter: Joe Orton <jorton>
Component: expat
Assignee: Joe Orton <jorton>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium
Priority: urgent
Version: 5.0
CC: appfault, erobertstad, juanino, lindahl, psplicha, syeghiay, thatsafunnyname, thoger, tony
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
: 556422 556427
Last Closed: 2013-09-23 11:18:16 UTC
Bug Blocks: 556422, 556424, 556427, 618744    

Description Joe Orton 2010-01-18 10:48:18 UTC
Description:
The fix for CVE-2009-3560 caused a regression.

Parsing some external DTD definitions now fails.

http://mail.libexpat.org/pipermail/expat-discuss/2009-December/002646.html

Version:
expat-1.95.8-8.3.el5_4.2

Comment 5 Jerry Uanino 2010-02-18 13:00:54 UTC
I have a fairly large deployment of Red Hat systems waiting on this as well. I haven't called this in to Red Hat, as I see the public bug already matches what I would call in.

Comment 7 Joe Orton 2010-02-18 17:09:42 UTC
Peter: I do not think there is a bug in XML::Parser here that needs to be reported upstream.  With the fix for the regression applied, the test suite does pass again.

Comment 8 Peter Edwards 2010-02-18 17:36:00 UTC
Joe: You are correct that a bug in XML::Parser does not need to be reported upstream.  I attempted to make the rt.cpan.org ticket entry I created:

  https://rt.cpan.org/Ticket/Display.html?id=54747

a pointer to this bug, and not a bug report in itself.

Comment 9 Joe Orton 2010-03-17 14:07:32 UTC
*** Bug 573035 has been marked as a duplicate of this bug. ***

Comment 10 Tony Howat 2010-05-27 11:27:22 UTC
I'm having the same problems here - this is critical for me; I have large applications built around Frontier::Daemon, which relies on CPAN XML::Parser.

Any progress?

Comment 14 lindahl 2010-07-01 23:17:19 UTC
With RHEL 5.5, the previous (working) version is no longer easily available with "yum downgrade".