diff --git a/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch b/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch
new file mode 100644
index 0000000..7676940
--- /dev/null
+++ b/SOURCES/libxml2-Do-not-fetch-external-parameter-entities.patch
@@ -0,0 +1,34 @@
+commit 84b04b03bd6d31316fd5f0ad1c9cd31952671998
+Author: Daniel Veillard
+Date: Tue Apr 22 15:30:56 2014 +0800
+
+ Do not fetch external parameter entities
+
+ Unless explicitely asked for when validating or replacing entities
+ with their value. Problem pointed out by Daniel Berrange
+
+diff --git a/parser.c b/parser.c
+index 3c72cbb..32f1475 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2622,6 +2622,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently.
diff --git a/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
new file mode 100644
index 0000000..7efc515
--- /dev/null
+++ b/SOURCES/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
@@ -0,0 +1,26 @@
+commit 27a93eff49526aacd34192258c19ff5d69d18c00
+Author: Daniel Veillard
+Date: Thu Oct 23 11:35:36 2014 +0800
+
+ Fix missing entities after CVE-2014-3660 fix
+
+ For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+ The fix for CVE-2014-3660 introduced a regression in some case
+ where entity substitution is required and the entity is used
+ first in anotther entity referenced from an attribute value
+
+diff --git a/parser.c b/parser.c
+index b58c2f0..f70d2b5 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7226,7 +7226,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ * far more secure as the parser will only process data coming from
+ * the document entity by default.
+ */
+- if ((ent->checked == 0) &&
++ if (((ent->checked == 0) ||
++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+ ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+ (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ unsigned long oldnbent = ctxt->nbentities;
diff --git a/SOURCES/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch b/SOURCES/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
new file mode 100644
index 0000000..dfd16e6
--- /dev/null
+++ b/SOURCES/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
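Review bot: The new alternative `((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))` lets an entity that already carries a non-zero `ent->checked` re-enter the parsing branch, and `ent->checked == 0` on the removed line appears to be the state the CVE-2014-3660 fix relies on to avoid expanding an entity twice. The hunk gives no rationale for why a checked entity with no children is safe to parse again, so a comment above the condition would help the next reader, e.g. `/* checked but never expanded (first met inside an attribute value): build the children once under NOENT */`, which restates the case the commit message describes. Whether the amplification accounting that starts at `oldnbent` still bounds this second pass cannot be confirmed here, since the rest of xmlParseReference lies outside the hunk.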
@@ -0,0 +1,57 @@
+commit 41b0d17368565b56677455be61b2c892bd665a27
+Author: Daniel Veillard
+Date: Wed Jun 11 16:54:32 2014 +0800
+
+ Fix regressions introduced by CVE-2014-0191 patch
+
+ A number of issues have been raised after the fix, and this patch
+ tries to correct all of them, though most were related to
+ postvalidation.
+ https://bugzilla.gnome.org/show_bug.cgi?id=730290
+ and other reports on list, off-list and on Red Hat bugzilla
+
+diff --git a/parser.c b/parser.c
+index 32f1475..b58c2f0 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2622,8 +2622,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
+- * Note: external parsed entities will not be loaded, it is
+- * not required for a non-validating parser, unless the
++ * Note: external parameter entities will not be loaded, it
++ * is not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+@@ -2632,6 +2632,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+@@ -12643,6 +12646,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+@@ -12770,6 +12776,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 0ecf6d7..82d6207 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@ Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.1
-Release: 5%{?dist}%{?extra_release}.1
+Release: 5%{?dist}%{?extra_release}.2
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -16,6 +16,9 @@ Patch1: libxml2-2.9.0-do-not-check-crc.patch
 Patch100: libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch
 Patch101: CVE-2014-3660-rhel7.patch
+Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
+Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
 %description
 This library allows to manipulate XML files. It includes support
@@ -80,6 +83,9 @@ at parse time or later once the document has been modified.
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
 %build
 %configure
@@ -162,6 +168,11 @@ rm -fr %{buildroot}
 %doc doc/python.html
 %changelog
+* Mon Mar 23 2015 Daniel Veillard - 2.9.1-5.2
+- Fix missing entities after CVE-2014-3660 fix
+- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649)
+- Fix regressions introduced by CVE-2014-0191 patch
+
 * Sat Oct 11 2014 Daniel Veillard - 2.9.1-5.1
 - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)
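Review bot: The `%patch102 -p1`, `%patch103 -p1`, `%patch104 -p1` lines in the `@@ -80,6 +83,9 @@` hunk apply the new patches in numeric order, but the blob ids inside the three patch files (`index 3c72cbb..32f1475` in Patch103, `index 32f1475..b58c2f0` in Patch104, `index b58c2f0..f70d2b5` in Patch102) show that upstream produced Patch102 on top of the other two. Because Patch102's hunk is in xmlParseReference (header line 7226) while the other two touch xmlParserHandlePEReference and the two DTD loaders, patch(1) most likely still applies it with an offset, but the build then depends on offset tolerance rather than on the order the changes were authored in. Applying them in upstream order, `%patch103 -p1`, `%patch104 -p1`, `%patch102 -p1`, with the `Patch10x:` declarations renumbered to match, keeps the series reproducible against its stated base and makes a later rebase easier to verify. The changelog attributes CVE-2014-0191 to the parameter-entity change only in the `%changelog` hunk; a short comment next to `Patch103:` naming that CVE would let a reader map patches to advisories without opening the files.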