Diffstat (limited to 'debian/patches/0031-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch')
-rw-r--r--debian/patches/0031-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/debian/patches/0031-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch b/debian/patches/0031-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
new file mode 100644
index 0000000..d9fc108
--- /dev/null
+++ b/debian/patches/0031-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
@@ -0,0 +1,58 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 11 Jun 2014 16:54:32 +0800
+Subject: Fix regressions introduced by CVE-2014-0191 patch
+
+A number of issues have been raised after the fix, and this patch
+tries to correct all of them, though most were related to
+postvalidation.
+https://bugzilla.gnome.org/show_bug.cgi?id=730290
+and other reports on list, off-list and on Red Hat bugzilla
+---
+ parser.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 8aad7b4..ea0ea65 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2595,8 +2595,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
+- * Note: external parsed entities will not be loaded, it is
+- * not required for a non-validating parser, unless the
++ * Note: external parameter entities will not be loaded, it
++ * is not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+@@ -2605,6 +2605,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+@@ -12609,6 +12612,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+@@ -12736,6 +12742,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
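Review bot: The comment above the guard in xmlParserHandlePEReference still names only validation and entity substitution as the cases where external parameter entities get loaded, but the extended condition also loads them when `XML_PARSE_DTDLOAD` or `XML_PARSE_DTDATTR` is set or `ctxt->replaceEntities` is non-zero. I would extend that comment to read `unless validating, substituting entities, loading the external DTD or defaulting DTD attributes was requested`, so the security rationale it gives matches the check. The two `/* We are loading a DTD */` comments in xmlIOParseDTD and xmlSAXParseDTD could state the consequence too, e.g. `/* We are loading a DTD: this re-enables external parameter entity loading in xmlParserHandlePEReference */`, because a caller handing a DTD from an untrusted source to these functions would, as far as the visible lines show, have external parameter entities fetched unless something like `XML_PARSE_NONET` or a restricted entity loader limits it. All three functions start and end outside the hunks shown, so any later resetting of `ctxt->options` is not visible here.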