| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From: Daniel Veillard <veillard@redhat.com> |
| 2 | Date: Tue, 22 Apr 2014 15:30:56 +0800 |
| 3 | Subject: Do not fetch external parameter entities |
| 4 | |
| 5 | Unless explicitely asked for when validating or replacing entities |
| 6 | with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> |
| 7 | |
| 8 | Upstream-Status: Backport |
| 9 | Reference: https://access.redhat.com/security/cve/CVE-2014-0191 |
| 10 | |
| 11 | Signed-off-by: Daniel Veillard <veillard@redhat.com> |
| 12 | Signed-off-by: Maxin B. John <maxin.john@enea.com> |
| 13 | --- |
| 14 | diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c |
| 15 | --- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200 |
| 16 | +++ libxml2-2.9.1/parser.c 2014-05-07 13:35:46.883687946 +0200 |
| 17 | @@ -2595,6 +2595,20 @@ |
| 18 | xmlCharEncoding enc; |
| 19 | |
| 20 | /* |
| 21 | + * Note: external parsed entities will not be loaded, it is |
| 22 | + * not required for a non-validating parser, unless the |
| 23 | + * option of validating, or substituting entities were |
| 24 | + * given. Doing so is far more secure as the parser will |
| 25 | + * only process data coming from the document entity by |
| 26 | + * default. |
| 27 | + */ |
| 28 | + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && |
| 29 | + ((ctxt->options & XML_PARSE_NOENT) == 0) && |
| 30 | + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && |
| 31 | + (ctxt->validate == 0)) |
| 32 | + return; |
| 33 | + |
| 34 | + /* |
| 35 | * handle the extra spaces added before and after |
| 36 | * c.f. http://www.w3.org/TR/REC-xml#as-PE |
| 37 | * this is done independently. |