2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 7fb2644416..60bb6b8539 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -18,6 +18,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://ansidecl.patch \
           file://runtest.patch \
           file://run-ptest \
+           file://libxml2-CVE-2014-0191-fix.patch \
          "
 inherit autotools pkgconfig binconfig pythonnative ptest
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
new file mode 100644
index 0000000000..1c05ae649e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
@@ -0,0 +1,37 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 22 Apr 2014 15:30:56 +0800
+Subject: Do not fetch external parameter entities
+Unless explicitely asked for when validating or replacing entities
+with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>
+Upstream-Status: Backport
+Reference: https://access.redhat.com/security/cve/CVE-2014-0191
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c
+--- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200
+++ libxml2-2.9.1/parser.c      2014-05-07 13:35:46.883687946 +0200
+@@ -2595,6 +2595,20 @@
+                    xmlCharEncoding enc;
+ 
+                    /*
+                    * Note: external parsed entities will not be loaded, it is
+                    * not required for a non-validating parser, unless the
+                    * option of validating, or substituting entities were
+                    * given. Doing so is far more secure as the parser will
+                    * only process data coming from the document entity by
+                    * default.
+                    */
+                    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                       ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                       ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+                       (ctxt->validate == 0))
+                       return;
+
+                   /*
+                     * handle the extra spaces added before and after
+                     * c.f. http://www.w3.org/TR/REC-xml#as-PE
+                     * this is done independently.

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 7fb2644416..60bb6b8539 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -18,6 +18,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
18	file://ansidecl.patch \	18	file://ansidecl.patch \
19	file://runtest.patch \	19	file://runtest.patch \
20	file://run-ptest \	20	file://run-ptest \
		21	file://libxml2-CVE-2014-0191-fix.patch \
21	"	22	"
22		23
23	inherit autotools pkgconfig binconfig pythonnative ptest	24	inherit autotools pkgconfig binconfig pythonnative ptest


diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch new file mode 100644 index 0000000000..1c05ae649e --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch
@@ -0,0 +1,37 @@
		1	From: Daniel Veillard <veillard@redhat.com>
		2	Date: Tue, 22 Apr 2014 15:30:56 +0800
		3	Subject: Do not fetch external parameter entities
		4
		5	Unless explicitely asked for when validating or replacing entities
		6	with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>
		7
		8	Upstream-Status: Backport
		9	Reference: https://access.redhat.com/security/cve/CVE-2014-0191
		10
		11	Signed-off-by: Daniel Veillard <veillard@redhat.com>
		12	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		13	---
		14	diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c
		15	--- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200
		16	+++ libxml2-2.9.1/parser.c 2014-05-07 13:35:46.883687946 +0200
		17	@@ -2595,6 +2595,20 @@
		18	xmlCharEncoding enc;
		19
		20	/*
		21	+ * Note: external parsed entities will not be loaded, it is
		22	+ * not required for a non-validating parser, unless the
		23	+ * option of validating, or substituting entities were
		24	+ * given. Doing so is far more secure as the parser will
		25	+ * only process data coming from the document entity by
		26	+ * default.
		27	+ */
		28	+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
		29	+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
		30	+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
		31	+ (ctxt->validate == 0))
		32	+ return;
		33	+
		34	+ /*
		35	* handle the extra spaces added before and after
		36	* c.f. http://www.w3.org/TR/REC-xml#as-PE
		37	* this is done independently.