Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/#review59243
---

This review has been submitted with commit d4fca9ffb31a2383459c89b27f81b10b7ddece1a by Luigi Toscano to branch KDE/4.13.

- Commit Hook

On June 3, 2014, 1:50 p.m., Luigi Toscano wrote:

---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

(Updated June 3, 2014, 1:50 p.m.)

Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, Luc Menut, and Rex Dieter.

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs

Description
---

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Without this change meinproc4 complains (see the referenced bug).

The fix (half of the patch, the other half is on code which was removed) applies to KF5 too, hence the group.

My tests show that the documentation cache is properly generated as before, and the patch should work even on the old Packagers (Ubuntu packagers in CC, as Ubuntu is one of the few distributions where libxml2 has been already patched) could you please test it with a fixed libxml and without, and if possible with KF5 as well?

Diffs
-

kdoctools/meinproc.cpp 0894d63
kdoctools/xslt.cpp a7265ca

Diff: https://git.reviewboard.kde.org/r/118270/diff/

Testing
---

meinproc4 works again

Thanks,

Luigi Toscano

___
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

(Updated June 4, 2014, 8:40 p.m.)

Status
--

This change has been marked as submitted.

Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, Luc Menut, and Rex Dieter.

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

(Updated June 3, 2014, 3:50 p.m.)

Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, Luc Menut, and Rex Dieter.

Changes
---

Add Luc, who could have missed the last update

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

(Updated May 31, 2014, 2:07 a.m.)

Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, and Rex Dieter.

Changes
---

Sorry for the delay. I followed the suggestion and updated the patch to not load from network. After the changes, meinproc4 seems to work correctly. Could you please confirm it?

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs

Diffs (updated)
-

kdoctools/meinproc.cpp 0894d63
kdoctools/xslt.cpp a7265ca

Diff: https://git.reviewboard.kde.org/r/118270/diff/
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/#review58671
---

yes working good, update going through ubuntu now
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1324066

- Jonathan Riddell
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/#review58411
---

Thanks for the fix, it seems to work fine.
I built KDE SC 4.13.1 (Mageia Cauldron) with it with both original and patched libxml2; in the 2 cases, results are the same, and the same as original meinproc4 with unpatched libxml2.

Do we need resources from network?
If all the resources are supposed to be on the local machine, perhaps we should use XML_PARSE_NONET (Forbid network access) option?
It is often suggested/recommended to use this option with DTDLOAD and NOENT when it's possible.
https://bugzilla.redhat.com/show_bug.cgi?id=863166#c3

- Luc Menut
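
The policy suggested in the review above (keep expanding external entities, as XML_PARSE_DTDLOAD and XML_PARSE_NOENT do, but refuse network fetches, as XML_PARSE_NONET does) can be shown in a self-contained form. This is an added example, not code from the kdelibs patch: it uses Python's standard-library SAX parser instead of libxml2, and the entity file name, sample documents and the `LocalOnlyResolver` class are constructed for illustration.

```python
import io
import xml.sax
from urllib.parse import urlparse
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed stand-in for entity files installed on the local machine.
LOCAL_ENTITIES = {"legal.xml": b"<para>GNU FDL notice</para>"}
# Constructed sample documents: one pulls a local entity, one a remote one.
LOCAL_DOC = (b'<!DOCTYPE book [<!ENTITY legal SYSTEM "legal.xml">]>'
             b"<book>&legal;</book>")
REMOTE_DOC = (b'<!DOCTYPE book [<!ENTITY legal SYSTEM '
              b'"http://example.invalid/legal.xml">]>'
              b"<book>&legal;</book>")


class LocalOnlyResolver(EntityResolver):
    """Serve external entities from local storage; refuse any network URL."""
    def resolveEntity(self, publicId, systemId):
        url = urlparse(systemId)
        if url.scheme not in ("", "file"):
            raise xml.sax.SAXException("network entity refused: " + systemId)
        name = url.path.rsplit("/", 1)[-1]
        if name not in LOCAL_ENTITIES:
            raise xml.sax.SAXException("unknown local entity: " + systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(LOCAL_ENTITIES[name]))
        return source


class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def expand(document):
    """Parse with external entities enabled but resolved locally only."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # expand &legal;
    parser.setEntityResolver(LocalOnlyResolver())  # the no-network policy
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.text)
```

Without the resolver, the standard library would try to open a non-local system identifier with `urllib`, which is the behaviour the no-network option exists to rule out.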
Re: Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

(Updated May 23, 2014, 10:24 p.m.)

Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, and Rex Dieter.

Changes
---

Adding docs group as well

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs
Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
---
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/
---

Review request for KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, and Rex Dieter.

Bugs: 335001
http://bugs.kde.org/show_bug.cgi?id=335001

Repository: kdelibs

Description
---

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Without this change meinproc4 complains (see the referenced bug).

The fix (half of the patch, the other half is on code which was removed) applies to KF5 too, hence the group.

My tests show that the documentation cache is properly generated as before, and the patch should work even on the old Packagers (Ubuntu packagers in CC, as Ubuntu is one of the few distributions where libxml2 has been already patched) could you please test it with a fixed libxml and without, and if possible with KF5 as well?

Diffs
-

kdoctools/meinproc.cpp 0894d63
kdoctools/xslt.cpp a7265ca

Diff: https://git.reviewboard.kde.org/r/118270/diff/

Testing
---

meinproc4 works again

Thanks,

Luigi Toscano