[PATCH] libxml2: Backport fix for CVE introduced entity issues

[PATCH] libxml2: Backport fix for CVE introduced entity issues

[Richard Purdie]

The CVE fix introduced problems with entity issues, we observed this
when building the Yocto Docs in particular. Backport the fix from
upstream so we can build our docs correctly.

[YOCTO #7134]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
new file mode 100644
index 0000000..10a8112
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
@@ -0,0 +1,30 @@
+From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: Fix missing entities after CVE-2014-3660 fix
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+
+Upstream-Status: Backport
+
+diff --git a/parser.c b/parser.c
+index 67c9dfd..a8d1b67 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+      * far more secure as the parser will only process data coming from
+      * the document entity by default.
+      */
+-    if ((ent->checked == 0) &&
++    if (((ent->checked == 0) ||
++         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ 	unsigned long oldnbent = ctxt->nbentities;
+-- 
+cgit v0.10.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index f0cfa59..1affff1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -1,6 +1,7 @@
 require libxml2.inc
 
-SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar"
+SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
+            file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch"
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
 SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc"

Re: [PATCH] libxml2: Backport fix for CVE introduced entity issues

[akuster808]

this will be required for dizzy when I pull in the cve fix ( which i 
missed)..



On 01/15/2015 01:37 AM, Richard Purdie wrote:
> The CVE fix introduced problems with entity issues, we observed this
> when building the Yocto Docs in particular. Backport the fix from
> upstream so we can build our docs correctly.
>
> [YOCTO #7134]
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> diff --git a/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
> new file mode 100644
> index 0000000..10a8112
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
> @@ -0,0 +1,30 @@
> +From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Thu, 23 Oct 2014 11:35:36 +0800
> +Subject: Fix missing entities after CVE-2014-3660 fix
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=738805
> +
> +The fix for CVE-2014-3660 introduced a regression in some case
> +where entity substitution is required and the entity is used
> +first in anotther entity referenced from an attribute value
> +
> +Upstream-Status: Backport
> +
> +diff --git a/parser.c b/parser.c
> +index 67c9dfd..a8d1b67 100644
> +--- a/parser.c
> ++++ b/parser.c
> +@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> +      * far more secure as the parser will only process data coming from
> +      * the document entity by default.
> +      */
> +-    if ((ent->checked == 0) &&
> ++    if (((ent->checked == 0) ||
> ++         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
> +         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
> +          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
> + 	unsigned long oldnbent = ctxt->nbentities;
> +--
> +cgit v0.10.1
> +
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
> index f0cfa59..1affff1 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
> @@ -1,6 +1,7 @@
>   require libxml2.inc
>
> -SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar"
> +SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
> +            file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch"
>
>   SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
>   SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc"
>
>

Re: [PATCH] libxml2: Backport fix for CVE introduced entity issues

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 201 bytes --]

On 15 January 2015 at 16:36, akuster808 <akuster808@gmail.com> wrote:

> this will be required for dizzy when I pull in the cve fix ( which i
> missed)..
>

Yes, the CVE fix was broken.

Ross

[-- Attachment #2: Type: text/html, Size: 676 bytes --]