[Bug 566434] New: expat XML parser broken
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c0 Summary: expat XML parser broken Classification: openSUSE Product: openSUSE 11.2 Version: Final Platform: All OS/Version: All Status: ASSIGNED Severity: Critical Priority: P5 - None Component: Basesystem AssignedTo: prusnak@novell.com ReportedBy: schwab@linux-m68k.org QAContact: qa@suse.de Found By: --- Blocker: --- expat-2.0.1-92.3.1 has a broken XML parser. + cd XML-Parser-2.36 + /usr/bin/make test make[1]: Entering directory `/usr/src/packages/BUILD/XML-Parser-2.36/Expat' make[1]: Leaving directory `/usr/src/packages/BUILD/XML-Parser-2.36/Expat' PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/astress.........ok t/cdata...........ok t/decl............ syntax error at line 14, column 3, byte 214: %ext; <![%bar;[ ==^ <!ATTLIST bar xyz (a|b|c) 'b'> ]]> error in processing external entity reference at line 21, column 3, byte 3161: <!ELEMENT bar ANY> <!ATTLIST bar big CDATA 'This is a large string value to test whether the declaration parser still works when the entity or attribute default value may be broken into multiple calls to the default handler. 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789 '> ]> ==^ <foo/> at /usr/src/packages/BUILD/XML-Parser-2.36/blib/lib/XML/Parser.pm line 187 dubious Test returned status 9 (wstat 2304, 0x900) DIED. FAILED tests 2-30 Failed 29/30 tests, 3.33% okay -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c1 Pavol Rusnak <prusnak@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@computersalat.de, | |prusnak@novell.com AssignedTo|prusnak@novell.com |anicka@novell.com --- Comment #1 from Pavol Rusnak <prusnak@novell.com> 2009-12-22 01:54:53 CET --- Output from "make check" in expat package: tests/runtests Expat version: expat_2.0.1 100%: Checks: 50, Failed: 0 tests/runtestspp Expat version: expat_2.0.1 100%: Checks: 50, Failed: 0 I guess the problem is in perl-XML-Parser package (I can reproduce testsuite failures with moreorless the same results as in initial comment). -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c2 Anna Bernathova <anicka@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium --- Comment #2 from Anna Bernathova <anicka@novell.com> 2010-01-04 13:44:48 UTC --- Yes, it looks like perl-XML-Parser issue. But right now I wonder how do you do it. I can run tests in perl-XML-Parser 2.36 from 11.2 successfully on my x86_64 machine, no bug is visible. But I can reproduce it sometimes while building via mbuild. OK, let us see... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c3 --- Comment #3 from Pavol Rusnak <prusnak@novell.com> 2010-01-04 14:56:55 CET --- This is the series of commands I used to reproduce the bug on openSUSE 11.2 (both on i586 and x86_64): $ osc co openSUSE:Factory perl-XML-Parser $ cd openSUSE\:Factory/perl-XML-Parser/ $ quilt setup *spec $ cd XML-Parser-2.36/ $ quilt push $ perl Makefile.PL $ make $ make test -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c4 Anna Bernathova <anicka@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mls@novell.com --- Comment #4 from Anna Bernathova <anicka@novell.com> 2010-01-06 16:14:19 UTC --- Michael, could you please also take a look at it? It looks that the problem appears at random machines and I cannot say yet what they do have in common. It is neither their architecture nor perl version, I am going to investigate possibility that some perl patch makes the difference.
From cpan testers it looks that the problem really exists, does not seem to depend on perl version, system or architecture and is quite rare: http://static.cpantesters.org/distro/X/XML-Parser.html#2.36
-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c5 --- Comment #5 from Michael Schröder <mls@novell.com> 2010-01-07 12:02:20 UTC --- Hmm, can't really reproduce it. Pavol, do you still get the error if you rename the "openSUSE:Factory" directory to "openSUSE_Factory" so that there is no : character in the path? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c6 --- Comment #6 from Michael Schröder <mls@novell.com> 2010-01-07 12:11:02 UTC --- (The test suite passes @INC as PERL5LIB environment var, so a path containing ':' does not work. Thus, make test picks up files from the system instead of the "blib" directory.) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c7 --- Comment #7 from Pavol Rusnak <prusnak@novell.com> 2010-01-07 13:30:22 CET --- Created an attachment (id=335359) --> (http://bugzilla.novell.com/attachment.cgi?id=335359) make test output I've got the same result while using /tmp/xml path. Attaching the output for reference. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c8 --- Comment #8 from Michael Schröder <mls@novell.com> 2010-01-07 12:54:08 UTC --- Ok, please do 'strace -f -o trace make test' and attach the 'trace' file. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c9 --- Comment #9 from Pavol Rusnak <prusnak@novell.com> 2010-01-07 14:06:26 CET --- Created an attachment (id=335365) --> (http://bugzilla.novell.com/attachment.cgi?id=335365) output of 'strace -f -o trace.txt make test' One trace file, coming up ... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c10 --- Comment #10 from Michael Schröder <mls@novell.com> 2010-01-07 15:17:59 UTC --- Ok, I can reproduce it. The testsuite works with libexpat1-2.0.1-91.11.x86_64, but fails with libexpat1-2.0.1-92.3.1.x86_64.rpm. This might not be a perl problem after all... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c11 --- Comment #11 from Anna Bernathova <anicka@novell.com> 2010-01-08 11:48:50 UTC --- Yes, thanks Michael. Actually it fails with current expat but it works when the last patch (CVE-2009-3560) is removed - it looks that while a security problem is fixed, the bug is introduced. The patch seems to be pretty simple, so I am going to read the expat code. Pavol, could you join me, please? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c12 --- Comment #12 from Pavol Rusnak <prusnak@novell.com> 2010-01-08 13:27:57 CET --- The security update was tracked in bug#558892. I will ask there if other distributions didn't hit the same problem ... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c13 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |security-team@suse.de --- Comment #13 from Ludwig Nussel <lnussel@novell.com> 2010-01-08 13:57:28 CET --- a fix for the fix might be needed: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c14 Anna Bernathova <anicka@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |anicka@novell.com AssignedTo|anicka@novell.com |prusnak@novell.com --- Comment #14 from Anna Bernathova <anicka@novell.com> 2010-01-08 13:36:36 UTC --- Many thanks, Ludwig. Diff between 1.64 and 1.66 fixes not only the CVE, but also this problem. With this patch applied, all the tests are OK. Pavol, bad news, it looks that you will have to do the update once again :( Nothing more to do here for me probably, so I am reassigning the bug back to you. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c15 Pavol Rusnak <prusnak@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #15 from Pavol Rusnak <prusnak@novell.com> 2010-01-08 14:51:51 CET --- Yep, I just confirmed that too. We'll push the updated fix for expat. I'm closing this for now as the rest of the process will be tracked in bug#558892. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c16 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | Summary|expat XML parser broken |VUL-0: expat XML parser | |broken --- Comment #16 from Ludwig Nussel <lnussel@novell.com> 2010-01-08 15:05:43 CET --- as the security issue itself is fixed and we're only fixing a regression let's handle the issue in this bug. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c17 Swamp Workflow Management <swamp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:running:30012 --- Comment #17 from Swamp Workflow Management <swamp@suse.com> 2010-01-08 14:09:22 UTC --- The SWAMPID for this issue is 30012. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/30012) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c18 --- Comment #18 from Pavol Rusnak <prusnak@novell.com> 2010-01-08 15:27:12 CET --- New fix submitted to: * Factory (SR#28314) * 11.2 (SR#28315) * 11.1 (SR#28316) * 11.0 (SR#28317) * SLES9 * SLE10-SP2, SLE10-SP3 * SLE11, SLE11-SP1 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c19 Swamp Workflow Management <swamp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:30012 |maint:running:30012 | |maint:released:11.0:30013 | |maint:released:11.1:30013 | |maint:released:11.2:30013 --- Comment #19 from Swamp Workflow Management <swamp@suse.com> 2010-01-14 11:02:53 UTC --- Update released for: expat, expat-debuginfo, expat-debuginfo-32bit, expat-debuginfo-x86, expat-debugsource, libexpat-devel, libexpat1, libexpat1-debuginfo Products: openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64) openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64) openSUSE 11.2 (debug, i586, x86_64) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c20 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #20 from Ludwig Nussel <lnussel@novell.com> 2010-01-14 13:16:57 CET --- released -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c Swamp Workflow Management <swamp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:30012 |maint:released:11.0:30013 |maint:released:11.0:30013 |maint:released:11.1:30013 |maint:released:11.1:30013 |maint:released:11.2:30013 |maint:released:11.2:30013 | -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=566434 https://bugzilla.novell.com/show_bug.cgi?id=566434#c Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:11.0:30013 |maint:released:11.0:30013 |maint:released:11.1:30013 |maint:released:11.1:30013 |maint:released:11.2:30013 |maint:released:11.2:30013 | |maint:released:sles9-sp3-te | |radata:41958 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=566434 http://bugzilla.novell.com/show_bug.cgi?id=566434#c21 --- Comment #21 from Bernhard Wiedemann <bwiedemann@suse.com> --- This is an autogenerated message for OBS integration: This bug (566434) was mentioned in https://build.opensuse.org/request/show/32961 11.0 / libexpat0 https://build.opensuse.org/request/show/32962 11.1 / libexpat0 https://build.opensuse.org/request/show/32963 11.2 / libexpat0 https://build.opensuse.org/request/show/32964 Factory / libexpat0 -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com