1
From dd8367da17c2948981a51e52c8a6beb445edf825 Mon Sep 17 00:00:00 2001
2
From: Daniel Veillard <veillard@redhat.com>
3
Date: Wed, 11 Jun 2014 16:54:32 +0800
4
Subject: Fix regressions introduced by CVE-2014-0191 patch
6
A number of issues have been raised after the fix, and this patch
7
tries to correct all of them, though most were related to
9
https://bugzilla.gnome.org/show_bug.cgi?id=730290
10
and other reports on list, off-list and on Red Hat bugzilla
12
Index: libxml2-2.9.1+dfsg1/parser.c
13
===================================================================
14
--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-06-13 07:26:26.378947533 -0400
15
+++ libxml2-2.9.1+dfsg1/parser.c 2014-06-13 07:26:26.370947533 -0400
20
- * Note: external parsed entities will not be loaded, it is
21
- * not required for a non-validating parser, unless the
22
+ * Note: external parameter entities will not be loaded, it
23
+ * is not required for a non-validating parser, unless the
24
* option of validating, or substituting entities were
25
* given. Doing so is far more secure as the parser will
26
* only process data coming from the document entity by
28
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
29
((ctxt->options & XML_PARSE_NOENT) == 0) &&
30
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
31
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
32
+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
33
+ (ctxt->replaceEntities == 0) &&
34
(ctxt->validate == 0))
37
@@ -12609,6 +12612,9 @@
41
+ /* We are loading a DTD */
42
+ ctxt->options |= XML_PARSE_DTDLOAD;
45
* Set-up the SAX context
47
@@ -12736,6 +12742,9 @@
51
+ /* We are loading a DTD */
52
+ ctxt->options |= XML_PARSE_DTDLOAD;
55
* Set-up the SAX context