t/1_XMLin.t ............. 1/132
#   Failed test 'successfully read an SRT config file'
#   at t/1_XMLin.t line 1490.
#     Structures begin differing at:
#          $got->{pubpath}{test2}{title} = 'web_source -> web_target1 & web_target2'

-------------------------------------------------------------------
This is an unstable amd64 chroot image at a tinderbox (==build bot)
name: 17.0-desktop-plasma_libressl_20170716-132802
-------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-6.3.0 *

llvm-config: 3.9.1

Available Python interpreters, in order of preference:
  [1]   python3.4
  [2]   python2.7 (fallback)

java-config:
The following VMs are available for generation-2:
*)      IcedTea JDK 3.4.0 [icedtea-bin-8]
Available Java Virtual Machines:
  [1]   icedtea-bin-8  system-vm
Created attachment 485458: emerge-info.txt
Created attachment 485460: dev-perl:XML-Simple-2.220.0:20170718-035326.log
Created attachment 485462: emerge-history.txt
Created attachment 485464: environment
Created attachment 485466: etc.portage.tbz2
Created attachment 485468: temp.tbz2
Created attachment 485470: tests.tbz2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=176344a770952235f2229bbd28a8078cbb9c3393

commit 176344a770952235f2229bbd28a8078cbb9c3393
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-03-28 01:15:10 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-03-28 01:16:06 +0000

    dev-perl/XML-Simple: Bump to version 2.250.0

    - Fix tests failing with XML::LibXML::SAX ( #625538 )
    - Purge author tests

    Upstream:
    - Improve circular reference detection
    - Don't initialise PREFERRED_PARSER to undef during load
    - Disable entity expansion when using XML::Parser
    - Call to XML::Parser constructor now in isolated method for subclass overriding

    Bug: https://bugs.gentoo.org/625538
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-perl/XML-Simple/Manifest                       |  1 +
 dev-perl/XML-Simple/XML-Simple-2.250.0.ebuild      | 27 +++++++++++++
 .../files/XML-Simple-2.25-saxtests.patch           | 45 ++++++++++++++++++++++
 3 files changed, 73 insertions(+)
Looks like this failure was introduced by the fix from bug #594614, and even though the workaround employed "works", it means the bug #594614 needs revising.

Stated fix doesn't *only* prevent XXE, but also prevents *normal* entity decoding from working properly.

There's a lot of horror here:

https://metacpan.org/pod/distribution/XML-LibXML/lib/XML/LibXML/Parser.pod#expand_entities

> Note that although this flag disables entity substitution, it does not
> prevent the parser from loading external entities;
> when substitution of an external entity is disabled, the entity will be
> represented in the document tree by an XML_ENTITY_REF_NODE node whose subtree
> will be the content obtained by parsing the external resource; Although this
> nesting is visible from the DOM it is transparent to XPath data model,
> so it is possible to match nodes in an unexpanded entity by the same XPath
> expression as if the entity were expanded. See also ext_ent_handler.

So our security issue might not even be fixed.
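To make the quoted XML::LibXML behaviour concrete from the defender's side, here is an added example (not code from this bug, from XML-Simple, or from XML::LibXML's own distribution). It builds a parser with the documented hardening options (`expand_entities`, `load_ext_dtd`, `no_network`, `expand_xinclude`, `ext_ent_handler`), parses a constructed config document that declares one internal entity, and then walks the DOM to report the XML_ENTITY_REF_NODE nodes that `expand_entities => 0` leaves behind. The handler's argument order (system id, then public id) and the sample document are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: hardened XML::LibXML parse plus a post-parse check for
# unexpanded entity references. Not taken from the bug report or XML-Simple.
use strict;
use warnings;
use XML::LibXML;

# A parser that refuses external resources on every documented path.
sub make_hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,   # leave entity references unexpanded in the DOM
        load_ext_dtd    => 0,   # do not fetch the external DTD subset
        no_network      => 1,   # no network access while parsing
        expand_xinclude => 0,   # XInclude is another way to pull in files
        # Only consulted when expand_entities is 1, but installed so that
        # flipping that flag later still cannot load an external resource.
        # Argument order (system id, public id) is assumed here.
        ext_ent_handler => sub {
            my ($system_id, $public_id) = @_;
            die "refusing to load external entity: "
                . ($system_id // '(no system id)') . "\n";
        },
    );
}

# Walk the element tree and collect the names of unexpanded entity references.
# With expand_entities => 0, declared entities (internal or external) appear
# as XML_ENTITY_REF_NODE nodes; XPath string values see through them, so a
# caller who relies on findvalue() alone would never notice they are there.
sub unexpanded_entity_refs {
    my ($node) = @_;
    my @found;
    for my $child ($node->childNodes) {
        if ($child->nodeType == XML_ENTITY_REF_NODE) {
            push @found, $child->nodeName;
        }
        elsif ($child->nodeType == XML_ELEMENT_NODE) {
            push @found, unexpanded_entity_refs($child);
        }
    }
    return @found;
}

# Constructed sample document, shaped loosely after the SRT-style config the
# failing test reads: one internal entity that an application would expect
# to be decoded. &gt; and &amp; are predefined entities, which libxml2 always
# substitutes regardless of the expand_entities setting.
my $xml = <<'END_XML';
<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY src "web_source">
]>
<config>
  <pubpath name="test2">
    <title>&src; -&gt; web_target1 &amp; web_target2</title>
  </pubpath>
</config>
END_XML

my $doc  = make_hardened_parser()->parse_string($xml);
my @refs = unexpanded_entity_refs($doc->documentElement);

print "unexpanded entity references: @refs\n";
print "xpath string value of title: ",
      $doc->findvalue('/config/pubpath[@name="test2"]/title'), "\n";
```

Run against the sample, the walk reports the declared entity `src` as an unexpanded reference while the XPath string value still reads as if it had been expanded, which is the transparency the quoted documentation describes. Treating any reported entity reference as a reason to reject the input, rather than relying on `expand_entities => 0` alone, is the check an application should add if it cannot rule out external entity declarations in what it parses.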
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db3d92b41b2fb30fec591581c6a0707c51df7a6b

commit db3d92b41b2fb30fec591581c6a0707c51df7a6b
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-10-11 19:32:39 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-10-11 19:32:39 +0000

    dev-perl/XML-Simple: Remove old

    Closes: https://bugs.gentoo.org/625538
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-perl/XML-Simple/Manifest                     |  2 --
 dev-perl/XML-Simple/XML-Simple-2.200.0-r1.ebuild | 23 ----------------------
 dev-perl/XML-Simple/XML-Simple-2.220.0.ebuild    | 25 ------------------------
 3 files changed, 50 deletions(-)