# HG changeset patch
# User Petr Sumbera
# Date 1406103986 25200
# Node ID 08b56e98755bc741f6844cfd0ee935ee22c4f156
# Parent e94472bb9273ede60149dd09aacd0c2c5dc9f92c
18716498 problem in LIBRARY/LIBXML
diff -r e94472bb9273 -r 08b56e98755b components/libxml2/patches/CVE-2014-0191.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/CVE-2014-0191.patch Wed Jul 23 01:26:26 2014 -0700
@@ -0,0 +1,152 @@
+Patch origin: upstream
+Patch status: will be part of next version
+
+https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
+https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
+https://git.gnome.org/browse/libxml2/commit/?id=c35af8b18dddd0bdfb137ad6a056837a3d5ea651
+
+From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 22 Apr 2014 15:30:56 +0800
+Subject: Do not fetch external parameter entities
+
+Unless explicitely asked for when validating or replacing entities
+with their value. Problem pointed out by Daniel Berrange
+
+diff --git a/parser.c b/parser.c
+index 9347ac9..c0dea05 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2598,6 +2598,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently.
+--
+cgit v0.10.1
+
+From dd8367da17c2948981a51e52c8a6beb445edf825 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Wed, 11 Jun 2014 16:54:32 +0800
+Subject: Fix regressions introduced by CVE-2014-0191 patch
+
+A number of issues have been raised after the fix, and this patch
+tries to correct all of them, though most were related to
+postvalidation.
+https://bugzilla.gnome.org/show_bug.cgi?id=730290
+and other reports on list, off-list and on Red Hat bugzilla
+
+diff --git a/parser.c b/parser.c
+index c0dea05..ba70f9e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2598,8 +2598,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
+- * Note: external parsed entities will not be loaded, it is
+- * not required for a non-validating parser, unless the
++ * Note: external parameter entities will not be loaded, it
++ * is not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+@@ -2608,6 +2608,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+@@ -12616,6 +12619,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+@@ -12743,6 +12749,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+--
+cgit v0.10.1
+
+From c35af8b18dddd0bdfb137ad6a056837a3d5ea651 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Wed, 11 Jun 2014 16:59:16 +0800
+Subject: Fixes for xmlInitParserCtxt
+
+let's make sure that parser options are updated too when a corrsponding
+global variable or other field of the context is set.
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 98a5836..df204fd 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1691,12 +1691,20 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+ ctxt->nsWellFormed = 1;
+ ctxt->valid = 1;
+ ctxt->loadsubset = xmlLoadExtDtdDefaultValue;
++ if (ctxt->loadsubset) {
++ ctxt->options |= XML_PARSE_DTDLOAD;
++ }
+ ctxt->validate = xmlDoValidityCheckingDefaultValue;
+ ctxt->pedantic = xmlPedanticParserDefaultValue;
++ if (ctxt->pedantic) {
++ ctxt->options |= XML_PARSE_PEDANTIC;
++ }
+ ctxt->linenumbers = xmlLineNumbersDefaultValue;
+ ctxt->keepBlanks = xmlKeepBlanksDefaultValue;
+- if (ctxt->keepBlanks == 0)
++ if (ctxt->keepBlanks == 0) {
+ ctxt->sax->ignorableWhitespace = xmlSAX2IgnorableWhitespace;
++ ctxt->options |= XML_PARSE_NOBLANKS;
++ }
+
+ ctxt->vctxt.finishDtd = XML_CTXT_FINISH_DTD_0;
+ ctxt->vctxt.userData = ctxt;
+@@ -1708,8 +1716,12 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+ else
+ ctxt->vctxt.warning = xmlParserValidityWarning;
+ ctxt->vctxt.nodeMax = 0;
++ ctxt->options |= XML_PARSE_DTDVALID;
+ }
+ ctxt->replaceEntities = xmlSubstituteEntitiesDefaultValue;
++ if (ctxt->replaceEntities) {
++ ctxt->options |= XML_PARSE_NOENT;
++ }
+ ctxt->record_info = 0;
+ ctxt->nbChars = 0;
+ ctxt->checkIndex = 0;
+--
+cgit v0.10.1
+
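Review bot: The comment above the guard in xmlParserHandlePEReference (second parser.c commit, hunk at 2608) still says external parameter entities are skipped unless "the option of validating, or substituting entities were given", but the condition now also lets them load when `XML_PARSE_DTDLOAD`, `XML_PARSE_DTDATTR` or `ctxt->replaceEntities` is set. Because the parserInternals.c hunk turns on `XML_PARSE_DTDLOAD` whenever `xmlLoadExtDtdDefaultValue` is non-zero, a process that changed that global gets the fetch back on every new context, so the comment should name those cases, e.g. `* option of validating, loading the DTD or default attributes, or substituting entities were`. In the same xmlInitParserCtxt hunks the bits are only ever OR-ed into `ctxt->options`; whether the field is cleared before this point is outside the hunk, and if a context can be re-initialised a stale `XML_PARSE_DTDLOAD` or `XML_PARSE_NOENT` would survive and keep the guard disabled. Code that parses untrusted documents should pair this patch with `XML_PARSE_NONET` or a restrictive external entity loader rather than depend on the defaults. All of the touched function bodies start and end outside the hunks shown.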