Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix

From: Alexey Neyman <stilor att net>
To: veillard redhat com
Cc: xml gnome org
Subject: Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
Date: Tue, 10 Jun 2014 14:18:19 -0700

Hi Daniel,

Your patch works for me, thanks! One more thing you missed though: 
s/parsed/parameter/ in the copy-pasted comment :)

Regards,
Alexey.

On Monday, June 09, 2014 07:06:02 am Daniel Veillard wrote:

  Pong, sorry, but was distracted with other things and I accumulated
feedback from different places on this issue, I would rather not have to
push 3 different patches to cover this :-)

  I ended up with a rather similar but slightly more complex patch
(attached), the DTD may have to be loaded in other different conditions
wna while you apparently covered xmlIOParseDTD, one of the case I got
also pointed to xmlSAXParseDTD so both need to be fixed. Also I'm
doing an incremental bit fix rather than overwriting the full context
option which could also cause regressions.

  I will also push separately an update to xmlInitParserCtxt() setting
up the options based on the global variable settings (it's evil but
needed for compatibility), but it's more of a cleanup than an actual
fix for the issue so not in that patch,

  give it a try,

   thanks,

Daniel

On Sun, Jun 08, 2014 at 06:31:57PM -0700, Alexey Neyman wrote:

PING!

On Tuesday, May 20, 2014 10:06:27 PM Alexey Neyman wrote:

[More investigation follows. Writing from a different machine, so
cannot reply to my own email]

The issue, brief summary: upgrade of libxml2 from 2.7.6-14.el6 to
2.7.6-14.el6_5.1 (RHEL6) broke the --postvalid/--dtdvalid options.

Minimal test case:

[a.xml]
<?xml version="1.0"?>
<!-- vi: set sw=2 : -->
<!DOCTYPE a SYSTEM "a.dtd">
<a>

 <b/>

</a>


[a.dtd]
<!ELEMENT a (b|c)>
<!ENTITY % base.dtd SYSTEM "b.dtd">
%base.dtd;


[b.dtd]
<!ELEMENT b EMPTY>
<!ELEMENT c EMPTY>

This command works:
xmllint --valid --noout --dtdvalid a.dtd a.xml

This command doesn't:
xmllint --postvalid --noout --dtdvalid a.dtd a.xml
a.xml:5: element b: validity error : No declaration for element b
Document a.xml does not validate against a.dtd

The problem:
1. With --postvalid (and similarly treated options --dtdvalid,
--dtdvalidfpi) the XML_PARSE_DTDVALID is not set. Instead,
XML_PARSE_DTDLOAD is set (the validation is performed after loading of
the XML document). Solution: the
xmlParserHandlePEReference() should also check for XML_PARSE_DTDLOAD or
the parsed entities defined in the nested DTDs will not load.

2. Even with parsed entities loaded, the validation then fails: the
xmlParserHandlePEReference() is called during the post-validation with
the ctxt->options equal to zero when loading a separate DTD (e.g. due
to --dtdvalid option) via the xmlSAXParseDTD(). Solution:
xmlSAXParseDTD() should set the ctxt->options to XML_PARSE_DTDLOAD -
after all, xmlSAXParseDTD *is* loading the DTD.

3. The comment in the xmlParserHandlePEReference() is an obvious
copy-paste: it refers to parsed entities while the code actually
handles parameter entities. Solution: fix the comment :)

Updated patch attached (against RHEL version of 2.7.6 - will update to
git version of libxml2 if needed).

Regards,
Alexey.


_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
xml gnome org
https://mail.gnome.org/mailman/listinfo/xml

Follow-Ups:
- Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
  - From: Daniel Veillard

References:
- Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
  - From: Alexey Neyman
- Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
  - From: Daniel Veillard

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]