Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2014-05-26 10:28:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2013-08-04 16:55:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2014-05-26 10:28:13.000000000 +0200 @@ -1,0 +2,8 @@ +Fri May 23 15:01:54 UTC 2014 - vci...@suse.com + +- fix for CVE-2014-0191 (bnc#876652) + * libxml2: external parameter entity loaded when entity + substitution is disabled + * added libxml2-CVE-2014-0191.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2014-0191.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.QXKXtu/_old 2014-05-26 10:28:15.000000000 +0200 +++ /var/tmp/diff_new_pack.QXKXtu/_new 2014-05-26 10:28:15.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package libxml2 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,7 @@ Source: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz Source2: baselibs.conf Patch0: fix-perl.diff +Patch1: libxml2-CVE-2014-0191.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkg-config BuildRequires: readline-devel @@ -123,6 +124,7 @@ %prep %setup -q %patch0 +%patch1 -p1 %build %configure --disable-static \ ++++++ python-libxml2.spec ++++++ --- /var/tmp/diff_new_pack.QXKXtu/_old 2014-05-26 10:28:15.000000000 +0200 +++ /var/tmp/diff_new_pack.QXKXtu/_new 2014-05-26 10:28:15.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-libxml2 # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ libxml2-CVE-2014-0191.patch ++++++ >From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veill...@redhat.com> Date: Tue, 22 Apr 2014 15:30:56 +0800 Subject: Do not fetch external parameter entities Unless explicitely asked for when validating or replacing entities with their value. Problem pointed out by Daniel Berrange <berra...@redhat.com> >From 7c3c663e4f844aaecbb0cfc29567fe2ee9506fc4 Mon Sep 17 00:00:00 2001 From: Alexandre Rostovtsev <tetrom...@gentoo.org> Date: Fri, 16 May 2014 22:46:00 -0400 Subject: [PATCH] xmllint: a posteriori validation needs to load exernal entities For https://bugzilla.gnome.org/show_bug.cgi?id=730290 Index: libxml2-2.9.1/parser.c =================================================================== --- libxml2-2.9.1.orig/parser.c 2013-04-16 15:39:18.000000000 +0200 +++ libxml2-2.9.1/parser.c 2014-05-23 11:26:43.344897186 +0200 @@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt xmlCharEncoding enc; /* + * Note: external parsed entities will not be loaded, it is + * not required for a non-validating parser, unless the + * option of validating, or substituting entities were + * given. Doing so is far more secure as the parser will + * only process data coming from the document entity by + * default. + */ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && + (ctxt->validate == 0)) + return; + + /* * handle the extra spaces added before and after * c.f. http://www.w3.org/TR/REC-xml#as-PE * this is done independently. Index: libxml2-2.9.1/xmllint.c =================================================================== --- libxml2-2.9.1.orig/xmllint.c 2013-03-27 04:31:47.000000000 +0100 +++ libxml2-2.9.1/xmllint.c 2014-05-23 11:26:43.344897186 +0200 @@ -3505,7 +3505,12 @@ main(int argc, char **argv) { xmlLoadExtDtdDefaultValue |= XML_COMPLETE_ATTRS; if (noent != 0) xmlSubstituteEntitiesDefault(1); #ifdef LIBXML_VALID_ENABLED - if (valid != 0) xmlDoValidityCheckingDefaultValue = 1; + /* If we will validate only a posteriori, ensure that entities get loaded, + * but suppress validation messages during initial parsing */ + if (postvalid != 0 && valid == 0) + options |= XML_PARSE_DTDVALID | XML_PARSE_NOERROR | XML_PARSE_NOWARNING; + else if (valid != 0) + xmlDoValidityCheckingDefaultValue = 1; #endif /* LIBXML_VALID_ENABLED */ if ((htmlout) && (!nowrap)) { xmlGenericError(xmlGenericErrorContext, -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org