From: akuster808 <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] libxml2: Backport fix for CVE introduced entity issues
Date: Thu, 15 Jan 2015 08:36:06 -0800 [thread overview]
Message-ID: <54B7EC76.9090306@gmail.com> (raw)
In-Reply-To: <1421314636.31262.42.camel@linuxfoundation.org>
this will be required for dizzy when I pull in the cve fix ( which i
missed)..
On 01/15/2015 01:37 AM, Richard Purdie wrote:
> The CVE fix introduced problems with entity issues, we observed this
> when building the Yocto Docs in particular. Backport the fix from
> upstream so we can build our docs correctly.
>
> [YOCTO #7134]
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> diff --git a/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
> new file mode 100644
> index 0000000..10a8112
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
> @@ -0,0 +1,30 @@
> +From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Thu, 23 Oct 2014 11:35:36 +0800
> +Subject: Fix missing entities after CVE-2014-3660 fix
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=738805
> +
> +The fix for CVE-2014-3660 introduced a regression in some case
> +where entity substitution is required and the entity is used
> +first in anotther entity referenced from an attribute value
> +
> +Upstream-Status: Backport
> +
> +diff --git a/parser.c b/parser.c
> +index 67c9dfd..a8d1b67 100644
> +--- a/parser.c
> ++++ b/parser.c
> +@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> + * far more secure as the parser will only process data coming from
> + * the document entity by default.
> + */
> +- if ((ent->checked == 0) &&
> ++ if (((ent->checked == 0) ||
> ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
> + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
> + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
> + unsigned long oldnbent = ctxt->nbentities;
> +--
> +cgit v0.10.1
> +
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
> index f0cfa59..1affff1 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
> @@ -1,6 +1,7 @@
> require libxml2.inc
>
> -SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar"
> +SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
> + file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch"
>
> SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
> SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc"
>
>
next prev parent reply other threads:[~2015-01-15 16:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-15 9:37 [PATCH] libxml2: Backport fix for CVE introduced entity issues Richard Purdie
2015-01-15 16:36 ` akuster808 [this message]
2015-01-15 17:07 ` Burton, Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54B7EC76.9090306@gmail.com \
--to=akuster808@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.