Bug#498671: This is not a bug

Micah Anderson micah at riseup.net
Sun Oct 5 02:13:01 UTC 2008


This isn't a bug at all; all the reasons cited aren't actually bugs.

> (1) It seems abandoned upstream — the last update is Feb 2003 according
> to CPAN.

That's not a bug, and doesn't make this package RC.

> (2) bug 443629 (CDATA handling) makes it useless for a large number of
> feeds, and worse even feeds that work now may break at any time — CDATA
> is standard XML, after all.

Each bug stands on its own. Don't file another bug to point at some
other bug. 

> (3) bug 443629 is not just a CDATA problem. It's actually a
> nearly-arbitrary regexp injection. e.g.,
> 		 <f(?2)o>{hello}</f(?2)o>
> gives
> 	Reference to nonexistent group in regex; marked by <-- HERE in
> 	m/f(?2) <-- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.
> Thankfully, { and } are changed to spaces, so (?{code}) is not
> possible, so it's probably just a DoS attack (e.g., via exponential time
> regexp).

See above.

> (4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.

> (5) popcon data:

Not really a bug either.

> Overall, the module isn't very widely used, is of questionable quality,
> is probably a security issue, is abandoned upstream, and I suggest
> doesn't belong in lenny.

If you wanted to file a removal request, that should be done another
way; you've filed a bug that doesn't actually report any bug at
all. Please do file an actual security bug, if there is one, but
'probably a security bug' isn't strong enough to file a bug.

I'm closing this bug; feel free to open a RM request if you feel that's
the correct way to go.

Micah
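
The failure quoted in point (3) above, as an added example that is not part of this thread and is not XML::RSSLite's code: a tag name interpolated into a Perl pattern unescaped, beside the same match with `\Q...\E`. The subroutine names are hypothetical; the sample element is the one quoted in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample input: the element quoted in the report, whose tag name contains
# regex metacharacters.
my $doc = '<f(?2)o>{hello}</f(?2)o>';

# Hypothetical stand-in for a parser that pulls out a tag name and later
# builds a pattern from it. This is not the module's own code.
sub tag_name {
    my ($xml) = @_;
    return $xml =~ /<([^\s>\/]+)/ ? $1 : undef;
}

# Unescaped: the tag name is compiled as regex syntax. The pattern is built
# at run time, so a malformed name makes the match itself die.
sub content_unescaped {
    my ($xml, $tag) = @_;
    return $xml =~ m{<$tag>(.*?)</$tag>}s ? $1 : undef;
}

# Escaped: \Q...\E (quotemeta) turns every character of the name into a
# literal, so feed content can no longer alter the pattern.
sub content_escaped {
    my ($xml, $tag) = @_;
    return $xml =~ m{<\Q$tag\E>(.*?)</\Q$tag\E>}s ? $1 : undef;
}

my $tag = tag_name($doc);

# eval traps the run-time compilation error so both results can be shown.
my $got = eval { content_unescaped($doc, $tag) };
print defined $got ? "unescaped: $got\n" : "unescaped died: $@";

print "escaped:   ", content_escaped($doc, $tag), "\n";
```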