summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch')
-rw-r--r--meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
new file mode 100644
index 0000000000..1c05ae649e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
@@ -0,0 +1,37 @@
1From: Daniel Veillard <veillard@redhat.com>
2Date: Tue, 22 Apr 2014 15:30:56 +0800
3Subject: Do not fetch external parameter entities
4
5Unless explicitely asked for when validating or replacing entities
6with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>
7
8Upstream-Status: Backport
9Reference: https://access.redhat.com/security/cve/CVE-2014-0191
10
11Signed-off-by: Daniel Veillard <veillard@redhat.com>
12Signed-off-by: Maxin B. John <maxin.john@enea.com>
13---
14diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c
15--- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200
16+++ libxml2-2.9.1/parser.c 2014-05-07 13:35:46.883687946 +0200
17@@ -2595,6 +2595,20 @@
18 xmlCharEncoding enc;
19
20 /*
21+ * Note: external parsed entities will not be loaded, it is
22+ * not required for a non-validating parser, unless the
23+ * option of validating, or substituting entities were
24+ * given. Doing so is far more secure as the parser will
25+ * only process data coming from the document entity by
26+ * default.
27+ */
28+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
29+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
30+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
31+ (ctxt->validate == 0))
32+ return;
33+
34+ /*
35 * handle the extra spaces added before and after
36 * c.f. http://www.w3.org/TR/REC-xml#as-PE
37 * this is done independently.