Bug#498671: Is libxml-rsslite really suitable for stable?
Anthony DeRobertis
anthony at derobert.net
Fri Sep 12 03:47:26 UTC 2008
Package: libxml-rsslite-perl
Version: 0.11-3
Severity: serious
File: /usr/share/perl5/XML/RSSLite.pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(1) It seems abandoned upstream — the last update is Feb 2003 according
to CPAN.
(2) bug 443629 (CDATA handling) makes it useless for a large number of
feeds, and worse, even feeds that work now may break at any time — CDATA
is standard XML, after all.
(3) bug 443629 is not just a CDATA problem. It's actually a
nearly-arbitrary regexp injection. e.g.,
<f(?2)o>{hello}</f(?2)o>
gives
Reference to nonexistent group in regex; marked by <-- HERE in
m/f(?2) <-- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.
Thankfully, { and } are changed to spaces, so (?{code}) is not
possible, so it's probably just a DoS attack (e.g., via exponential-time
regexp).
(4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.
(5) popcon data:
vote
13 http://qa.debian.org/popcon.php?package=libxml-rsslite-perl
357 http://qa.debian.org/popcon.php?package=libxml-rss-perl
1 http://qa.debian.org/popcon.php?package=libxml-feedpp-perl [new]
Overall, the module isn't very widely used, is of questionable quality,
is probably a security issue, is abandoned upstream, and, I suggest,
doesn't belong in lenny.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjJ5ksACgkQ+z+IwlXqWf7iLACeL5Z91gwVbOZ64Ij6diC9x+4w
xdgAnRn0EgGawHND3/zsOX0dcEgUiojh
=VoDC
-----END PGP SIGNATURE-----
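To illustrate the injection class described in point (3), here is an added example (not RSSLite's own code, and not part of the bug report): a tag name taken from the feed is interpolated raw into a Perl regex, exactly the pattern that turns `<f(?2)o>` into a regex compile error, next to the same extraction with the tag name quoted via \Q...\E. The function names, the sample feed string and the element-name check are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from XML::RSSLite: demonstrates regexp injection
# through an untrusted element name and the quotemeta fix.
use strict;
use warnings;

# Vulnerable: $tag comes from the feed and is interpolated unescaped, so any
# regex metacharacter in the element name becomes pattern syntax.  With
# $tag = 'f(?2)o' the pattern refers to a group that does not exist and the
# regex compile dies ("Reference to nonexistent group in regex ...").
# A crafted tag name can equally produce an exponential-time pattern (DoS).
sub element_text_vulnerable {
    my ($doc, $tag) = @_;
    my ($text) = $doc =~ m{<$tag>(.*?)</$tag>}s;
    return $text;
}

# Hardened: \Q...\E (quotemeta) turns the interpolated name into a literal, so
# '(', '?' and friends are matched as characters, never interpreted.
sub element_text_quoted {
    my ($doc, $tag) = @_;
    my ($text) = $doc =~ m{<\Q$tag\E>(.*?)</\Q$tag\E>}s;
    return $text;
}

# Second layer (assumed policy, not from the report): refuse anything that is
# not a plausible XML element name before it reaches the regex engine at all.
sub element_text_checked {
    my ($doc, $tag) = @_;
    die "refusing suspicious element name '$tag'\n"
        unless $tag =~ /\A[A-Za-z_:][\w.:-]*\z/;
    return element_text_quoted($doc, $tag);
}

# Constructed sample feed using the tag name from the bug report.
my $feed = '<item><f(?2)o>{hello}</f(?2)o></item>';
my $tag  = 'f(?2)o';

my $got = eval { element_text_vulnerable($feed, $tag) };
print "vulnerable: ", (defined $got ? "$got\n" : "died: $@");

$got = element_text_quoted($feed, $tag);
print "quoted:     ", (defined $got ? "$got\n" : "no match\n");

$got = eval { element_text_checked($feed, $tag) };
print "checked:    ", (defined $got ? "$got\n" : "rejected: $@");

print "benign tag: ", element_text_checked('<title>ok</title>', 'title'), "\n";
```

Run as written, the first call dies inside eval with the "nonexistent group" message quoted in the report, the \Q...\E version matches the literal `<f(?2)o>` element and returns `{hello}`, the checked version rejects the name outright, and a normal `<title>` still parses. Quoting alone is enough to stop both the compile error and the `(?{code})` / backtracking variants, because the attacker-controlled text is no longer pattern syntax; the name check is an extra guard that also catches names the caller would never want to treat as an element.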