[libxml2/f20] CVE-2014-0191 do not load parameter entity

Daniel Veillard veillard at fedoraproject.org
Mon Mar 23 12:57:05 UTC 2015


commit 755217bfa13220cdd3a5dcd959a678331c6983f6
Author: Daniel Veillard <veillard at redhat.com>
Date:   Mon Mar 23 20:55:38 2015 +0800

    CVE-2014-0191 do not load parameter entity
    
    also fix a few related bugs

 ...-Do-not-fetch-external-parameter-entities.patch | 34 +++++++++++++
 ...-missing-entities-after-CVE-2014-3660-fix.patch | 26 ++++++++++
 ...ix-regression-introduced-by-CVE-2014-0191.patch | 57 ++++++++++++++++++++++
 ...top-parsing-on-entities-boundaries-errors.patch | 27 ++++++++++
 libxml2.spec                                       | 16 +++++-
 5 files changed, 159 insertions(+), 1 deletion(-)
---
diff --git a/libxml2-Do-not-fetch-external-parameter-entities.patch b/libxml2-Do-not-fetch-external-parameter-entities.patch
new file mode 100644
index 0000000..7676940
--- /dev/null
+++ b/libxml2-Do-not-fetch-external-parameter-entities.patch
@@ -0,0 +1,34 @@
+commit 84b04b03bd6d31316fd5f0ad1c9cd31952671998
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Tue Apr 22 15:30:56 2014 +0800
+
+    Do not fetch external parameter entities
+    
+    Unless explicitely asked for when validating or replacing entities
+    with their value. Problem pointed out by Daniel Berrange <berrange at redhat.com>
+
+diff --git a/parser.c b/parser.c
+index 3c72cbb..32f1475 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2622,6 +2622,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ 		    xmlCharEncoding enc;
+ 
+ 		    /*
++		     * Note: external parsed entities will not be loaded, it is
++		     * not required for a non-validating parser, unless the
++		     * option of validating, or substituting entities were
++		     * given. Doing so is far more secure as the parser will
++		     * only process data coming from the document entity by
++		     * default.
++		     */
++                    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++		        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++			((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++			(ctxt->validate == 0))
++			return;
++
++		    /*
+ 		     * handle the extra spaces added before and after
+ 		     * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ 		     * this is done independently.
diff --git a/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
new file mode 100644
index 0000000..7efc515
--- /dev/null
+++ b/libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
@@ -0,0 +1,26 @@
+commit 27a93eff49526aacd34192258c19ff5d69d18c00
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Thu Oct 23 11:35:36 2014 +0800
+
+    Fix missing entities after CVE-2014-3660 fix
+    
+    For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+    
+    The fix for CVE-2014-3660 introduced a regression in some case
+    where entity substitution is required and the entity is used
+    first in anotther entity referenced from an attribute value
+
+diff --git a/parser.c b/parser.c
+index b58c2f0..f70d2b5 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7226,7 +7226,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+      * far more secure as the parser will only process data coming from
+      * the document entity by default.
+      */
+-    if ((ent->checked == 0) &&
++    if (((ent->checked == 0) ||
++         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ 	unsigned long oldnbent = ctxt->nbentities;
diff --git a/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch b/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
new file mode 100644
index 0000000..dfd16e6
--- /dev/null
+++ b/libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
@@ -0,0 +1,57 @@
+commit 41b0d17368565b56677455be61b2c892bd665a27
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Wed Jun 11 16:54:32 2014 +0800
+
+    Fix regressions introduced by CVE-2014-0191 patch
+    
+    A number of issues have been raised after the fix, and this patch
+    tries to correct all of them, though most were related to
+    postvalidation.
+    https://bugzilla.gnome.org/show_bug.cgi?id=730290
+    and other reports on list, off-list and on Red Hat bugzilla
+
+diff --git a/parser.c b/parser.c
+index 32f1475..b58c2f0 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2622,8 +2622,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ 		    xmlCharEncoding enc;
+ 
+ 		    /*
+-		     * Note: external parsed entities will not be loaded, it is
+-		     * not required for a non-validating parser, unless the
++		     * Note: external parameter entities will not be loaded, it
++		     * is not required for a non-validating parser, unless the
+ 		     * option of validating, or substituting entities were
+ 		     * given. Doing so is far more secure as the parser will
+ 		     * only process data coming from the document entity by
+@@ -2632,6 +2632,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+                     if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 		        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 			((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++			((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++			((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++			(ctxt->replaceEntities == 0) &&
+ 			(ctxt->validate == 0))
+ 			return;
+ 
+@@ -12643,6 +12646,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
+ 	return(NULL);
+     }
+ 
++    /* We are loading a DTD */
++    ctxt->options |= XML_PARSE_DTDLOAD;
++
+     /*
+      * Set-up the SAX context
+      */
+@@ -12770,6 +12776,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
+ 	return(NULL);
+     }
+ 
++    /* We are loading a DTD */
++    ctxt->options |= XML_PARSE_DTDLOAD;
++
+     /*
+      * Set-up the SAX context
+      */
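Review bot: The extended guard now tests `ctxt->replaceEntities`, the context field behind the legacy xmlSubstituteEntitiesDefault() global, but its counterpart for the legacy xmlLoadExtDtdDefaultValue() path, `ctxt->loadsubset`, is not tested; only the XML_PARSE_DTDLOAD bit in `ctxt->options` is. If that legacy path populates only `ctxt->loadsubset` (as I believe it does), callers relying on it still hit the early return and lose their external parameter entities, the same class of regression this patch is correcting; adding `(ctxt->loadsubset == 0) &&` next to the replaceEntities test would make the two legacy paths consistent. The two DTD entry points below set XML_PARSE_DTDLOAD on `ctxt->options` only, so they do not cover that case either. xmlParserHandlePEReference, xmlIOParseDTD and xmlSAXParseDTD all continue outside the hunk.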
diff --git a/libxml2-Stop-parsing-on-entities-boundaries-errors.patch b/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..83984b9
--- /dev/null
+++ b/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,27 @@
+commit a7dfab7411cbf545f359dd3157e5df1eb0e7ce31
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Mon Feb 23 11:17:35 2015 +0800
+
+    Stop parsing on entities boundaries errors
+    
+    For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+    
+    There are times, like on unterminated entities that it's preferable to
+    stop parsing, even if that means less error reporting. Entities are
+    feeding the parser on further processing, and if they are ill defined
+    then it's possible to get the parser to bug. Also do the same on
+    Conditional Sections if the input is broken, as the structure of
+    the document can't be guessed.
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
++	    xmlStopParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
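Review bot: The embedded patch's message promises the same stop-on-broken-input treatment for Conditional Sections, but the diff that follows carries a single hunk in xmlParseEntityDecl; either that part of the upstream change was deliberately dropped from this backport or it went missing when the patch file was created. If the omission is intentional, a line in the patch header such as `Backport note: conditional-section hunks omitted for 2.9.1` would keep the file from being read as the complete upstream commit. The `else` branch reporting XML_ERR_ENTITY_BOUNDARY starts on the hunk's last line and continues outside it, so I cannot tell whether it also stops the parser as the commit title implies. xmlParseEntityDecl begins and ends outside the hunk.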
diff --git a/libxml2.spec b/libxml2.spec
index 3180869..cd8b4ab 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.1
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -11,6 +11,10 @@ URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
 Patch1: libxml2-2.9.0-do-not-check-crc.patch
 Patch2: CVE-2014-3660.patch
+Patch3: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+Patch4: libxml2-Do-not-fetch-external-parameter-entities.patch
+Patch5: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
+Patch6: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
 
 %description
 This library allows to manipulate XML files. It includes support
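Review bot: Patch3 is listed here, and applied by the matching `%patch3 -p1` line in the next hunk, before Patch4 and Patch5, but the upstream `index` lines inside the patch files show the opposite order: Patch4 takes parser.c from 3c72cbb to 32f1475, Patch5 takes it on to b58c2f0, and Patch3 starts from b58c2f0. Applying Patch3 first therefore depends on patch offsets in xmlParseReference rather than on the upstream pre-image; renumbering so the external-parameter-entity patches come first, or at least confirming the build log shows a clean apply, would be safer. The %changelog entry further down also lists "Fix missing entities after CVE-2014-3660 fix" twice and has no line for the regression fix carried as Patch5.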
@@ -73,6 +77,10 @@ at parse time or later once the document has been modified.
 # workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
 %patch1 -p1 -b .do-not-check-crc
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 %configure
@@ -155,6 +163,12 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
+* Mon Mar 23 2015 Daniel Veillard <veillard at redhat.com> - 2.9.1-4
+- Stop parsing on entities boundaries errors
+- Fix missing entities after CVE-2014-3660 fix
+- Do not fetch external parameter entities (CVE-2014-0191)
+- Fix missing entities after CVE-2014-3660 fix
+
 * Thu Oct 16 2014 Daniel Veillard <veillard at redhat.com> - 2.9.1-3
 - CVE-2014-3660 billion laugh DOS
 

