thanks ! Yes, I have now pushed it in master, this should solve all the issues which got reported for that CVE-2014-0191 patch
https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825 feedback welcome ! Daniel On Tue, Jun 10, 2014 at 02:18:19PM -0700, Alexey Neyman wrote: > Hi Daniel, > > Your patch works for me, thanks! One more thing you missed though: > s/parsed/parameter/ in the copy-pasted comment :) > > Regards, > Alexey. > > On Monday, June 09, 2014 07:06:02 am Daniel Veillard wrote: > > Pong, sorry, but was distracted with other things and I accumulated > > feedback from different places on this issue, I would rather not have to > > push 3 different patches to cover this :-) > > > > I ended up with a rather similar but slightly more complex patch > > (attached), the DTD may have to be loaded in other different conditions > > wna while you apparently covered xmlIOParseDTD, one of the case I got > > also pointed to xmlSAXParseDTD so both need to be fixed. Also I'm > > doing an incremental bit fix rather than overwriting the full context > > option which could also cause regressions. > > > > I will also push separately an update to xmlInitParserCtxt() setting > > up the options based on the global variable settings (it's evil but > > needed for compatibility), but it's more of a cleanup than an actual > > fix for the issue so not in that patch, > > > > give it a try, > > > > thanks, > > > > Daniel > > > > On Sun, Jun 08, 2014 at 06:31:57PM -0700, Alexey Neyman wrote: > > > PING! > > > > > > On Tuesday, May 20, 2014 10:06:27 PM Alexey Neyman wrote: > > > > [More investigation follows. Writing from a different machine, so > > > > cannot reply to my own email] > > > > > > > > The issue, brief summary: upgrade of libxml2 from 2.7.6-14.el6 to > > > > 2.7.6-14.el6_5.1 (RHEL6) broke the --postvalid/--dtdvalid options. > > > > > > > > Minimal test case: > > > > > > > > [a.xml] > > > > <?xml version="1.0"?> > > > > <!-- vi: set sw=2 : --> > > > > <!DOCTYPE a SYSTEM "a.dtd"> > > > > <a> > > > > > > > > <b/> > > > > > > > > </a> > > > > > > > > > > > > [a.dtd] > > > > <!ELEMENT a (b|c)> > > > > <!ENTITY % base.dtd SYSTEM "b.dtd"> > > > > %base.dtd; > > > > > > > > > > > > [b.dtd] > > > > <!ELEMENT b EMPTY> > > > > <!ELEMENT c EMPTY> > > > > > > > > This command works: > > > > xmllint --valid --noout --dtdvalid a.dtd a.xml > > > > > > > > This command doesn't: > > > > xmllint --postvalid --noout --dtdvalid a.dtd a.xml > > > > a.xml:5: element b: validity error : No declaration for element b > > > > Document a.xml does not validate against a.dtd > > > > > > > > The problem: > > > > 1. With --postvalid (and similarly treated options --dtdvalid, > > > > --dtdvalidfpi) the XML_PARSE_DTDVALID is not set. Instead, > > > > XML_PARSE_DTDLOAD is set (the validation is performed after loading of > > > > the XML document). Solution: the > > > > xmlParserHandlePEReference() should also check for XML_PARSE_DTDLOAD or > > > > the parsed entities defined in the nested DTDs will not load. > > > > > > > > 2. Even with parsed entities loaded, the validation then fails: the > > > > xmlParserHandlePEReference() is called during the post-validation with > > > > the ctxt->options equal to zero when loading a separate DTD (e.g. due > > > > to --dtdvalid option) via the xmlSAXParseDTD(). Solution: > > > > xmlSAXParseDTD() should set the ctxt->options to XML_PARSE_DTDLOAD - > > > > after all, xmlSAXParseDTD *is* loading the DTD. > > > > > > > > 3. The comment in the xmlParserHandlePEReference() is an obvious > > > > copy-paste: it refers to parsed entities while the code actually > > > > handles parameter entities. Solution: fix the comment :) > > > > > > > > Updated patch attached (against RHEL version of 2.7.6 - will update to > > > > git version of libxml2 if needed). > > > > > > > > Regards, > > > > Alexey. > > > > > > _______________________________________________ > > > xml mailing list, project page http://xmlsoft.org/ > > > xml@gnome.org > > > https://mail.gnome.org/mailman/listinfo/xml -- Daniel Veillard | Open Source and Standards, Red Hat veill...@redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | virtualization library http://libvirt.org/ _______________________________________________ xml mailing list, project page http://xmlsoft.org/ xml@gnome.org https://mail.gnome.org/mailman/listinfo/xml
