[Secure-testing-team] Bug#552551: libhtml-parser-perl: HTML-Parser "decode_entities()" Denial of Service

Salvatore Bonaccorso salvatore.bonaccorso at gmail.com
Tue Oct 27 08:02:58 UTC 2009


Package: libhtml-parser-perl
Version: 3.62-1
Severity: serious
Tags: security
Justification: potential DoS - user security hole

Hi

There is a security advisory regarding libhtml-parser-perl
officially; this is CVE-2009-3627

A vulnerability has been reported in HTML-Parser, which can be
exploited by malicious people to cause a DoS (Denial of Service)

The vulnerability is caused due to an error within the
"decode_entities()" function in utils.c, which can be exploited to
cause an infinite loop by tricking an application into processing a
specially crafted string using this library.

The vulnerability is reported in versions prior to 3.63.

See [1]. Further information is in the CPAN RT system, and the bug is
closed in version 3.63. 3.64 is already packaged by the Debian Perl
Group but not yet uploaded, already tagged, and thus missing a Closes
entry for this bug.

 [1] http://secunia.com/advisories/37155/
 [2] http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c

Bests
Salvatore

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libhtml-parser-perl depends on:
ii  libc6                        2.10.1-2    GNU C Library: Shared libraries
ii  libhtml-tagset-perl          3.20-2      Data tables pertaining to HTML
ii  liburi-perl                  1.37+dfsg-1 Manipulates and accesses URI strin
ii  perl                         5.10.1-5    Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.0]   5.10.1-5    minimal Perl system

libhtml-parser-perl recommends no packages.

Versions of packages libhtml-parser-perl suggests:
pn  libdata-dump-perl             <none>     (no description available)

-- no debconf information