libxml2: Backport fix for CVE introduced entity issues

The CVE fix introduced problems with entity issues, we observed this when building the Yocto Docs in particular. Backport the fix from upstream so we can build our docs correctly. [YOCTO #7134] (From OE-Core rev: af501bd51f9a86edd34e0405bc32dabe21312229) (From OE-Core rev: 9aa93835d19159ffd7cb212680044fc7f914a68f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-01-15 09:37:16 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-02-11 17:40:05 +0000
commit: 64090cf0d881023ed8908f3feff2a6039d183226 (patch)
tree: 610cd5b3aae39a2f5a6faf96d2566fe7f1a2542c /meta/recipes-core
parent: 41cca6fbe76206c4909dede4c8b8467e616e0c2b (diff)
download: poky-64090cf0d881023ed8908f3feff2a6039d183226.tar.gz
2 files changed, 32 insertions, 1 deletions
diff --git a/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
new file mode 100644
index 0000000000..10a8112b58
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
@@ -0,0 +1,30 @@
+From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: Fix missing entities after CVE-2014-3660 fix
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+Upstream-Status: Backport
+diff --git a/parser.c b/parser.c
+index 67c9dfd..a8d1b67 100644
+--- a/parser.c
+++ b/parser.c
+@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+      * far more secure as the parser will only process data coming from
+      * the document entity by default.
+      */
+-    if ((ent->checked == 0) &&
+    if (((ent->checked == 0) ||
+         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+        unsigned long oldnbent = ctxt->nbentities;
+-- 
+cgit v0.10.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
index 0b6ac5d5c6..e087324590 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,7 @@
 require libxml2.inc
-SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar"
+SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
+            file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch"
 SRC_URI[libtar.md5sum] = "9c0cfef285d5c4a5c80d00904ddab380"
 SRC_URI[libtar.sha256sum] = "fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb"
author	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-01-15 09:37:16 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-02-11 17:40:05 +0000
commit	64090cf0d881023ed8908f3feff2a6039d183226 (patch)
tree	610cd5b3aae39a2f5a6faf96d2566fe7f1a2542c /meta/recipes-core
parent	41cca6fbe76206c4909dede4c8b8467e616e0c2b (diff)
download	poky-64090cf0d881023ed8908f3feff2a6039d183226.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch new file mode 100644 index 0000000000..10a8112b58 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch
@@ -0,0 +1,30 @@
		1	From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Thu, 23 Oct 2014 11:35:36 +0800
		4	Subject: Fix missing entities after CVE-2014-3660 fix
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=738805
		7
		8	The fix for CVE-2014-3660 introduced a regression in some case
		9	where entity substitution is required and the entity is used
		10	first in anotther entity referenced from an attribute value
		11
		12	Upstream-Status: Backport
		13
		14	diff --git a/parser.c b/parser.c
		15	index 67c9dfd..a8d1b67 100644
		16	--- a/parser.c
		17	+++ b/parser.c
		18	@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
		19	* far more secure as the parser will only process data coming from
		20	* the document entity by default.
		21	*/
		22	- if ((ent->checked == 0) &&
		23	+ if (((ent->checked == 0) \|\|
		24	+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
		25	((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) \|\|
		26	(ctxt->options & (XML_PARSE_NOENT \| XML_PARSE_DTDVALID)))) {
		27	unsigned long oldnbent = ctxt->nbentities;
		28	--
		29	cgit v0.10.1
		30


diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb index 0b6ac5d5c6..e087324590 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,7 @@
1	require libxml2.inc	1	require libxml2.inc
2		2
3	SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar"	3	SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
		4	file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch"
4		5
5	SRC_URI[libtar.md5sum] = "9c0cfef285d5c4a5c80d00904ddab380"	6	SRC_URI[libtar.md5sum] = "9c0cfef285d5c4a5c80d00904ddab380"
6	SRC_URI[libtar.sha256sum] = "fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb"	7	SRC_URI[libtar.sha256sum] = "fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb"