Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix



   thanks !

  Yes, I have now pushed it in master, this should solve all the
issues which got reported for that CVE-2014-0191 patch

  https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825

  feedback welcome !

Daniel

On Tue, Jun 10, 2014 at 02:18:19PM -0700, Alexey Neyman wrote:
Hi Daniel,

Your patch works for me, thanks! One more thing you missed though: 
s/parsed/parameter/ in the copy-pasted comment :)

Regards,
Alexey.

On Monday, June 09, 2014 07:06:02 am Daniel Veillard wrote:
  Pong, sorry, but was distracted with other things and I accumulated
feedback from different places on this issue, I would rather not have to
push 3 different patches to cover this :-)

  I ended up with a rather similar but slightly more complex patch
(attached), the DTD may have to be loaded in other different conditions
wna while you apparently covered xmlIOParseDTD, one of the case I got
also pointed to xmlSAXParseDTD so both need to be fixed. Also I'm
doing an incremental bit fix rather than overwriting the full context
option which could also cause regressions.

  I will also push separately an update to xmlInitParserCtxt() setting
up the options based on the global variable settings (it's evil but
needed for compatibility), but it's more of a cleanup than an actual
fix for the issue so not in that patch,

  give it a try,

   thanks,

Daniel

On Sun, Jun 08, 2014 at 06:31:57PM -0700, Alexey Neyman wrote:
PING!

On Tuesday, May 20, 2014 10:06:27 PM Alexey Neyman wrote:
[More investigation follows. Writing from a different machine, so
cannot reply to my own email]

The issue, brief summary: upgrade of libxml2 from 2.7.6-14.el6 to
2.7.6-14.el6_5.1 (RHEL6) broke the --postvalid/--dtdvalid options.

Minimal test case:

[a.xml]
<?xml version="1.0"?>
<!-- vi: set sw=2 : -->
<!DOCTYPE a SYSTEM "a.dtd">
<a>

 <b/>

</a>


[a.dtd]
<!ELEMENT a (b|c)>
<!ENTITY % base.dtd SYSTEM "b.dtd">
%base.dtd;


[b.dtd]
<!ELEMENT b EMPTY>
<!ELEMENT c EMPTY>

This command works:
xmllint --valid --noout --dtdvalid a.dtd a.xml

This command doesn't:
xmllint --postvalid --noout --dtdvalid a.dtd a.xml
a.xml:5: element b: validity error : No declaration for element b
Document a.xml does not validate against a.dtd

The problem:
1. With --postvalid (and similarly treated options --dtdvalid,
--dtdvalidfpi) the XML_PARSE_DTDVALID is not set. Instead,
XML_PARSE_DTDLOAD is set (the validation is performed after loading of
the XML document). Solution: the
xmlParserHandlePEReference() should also check for XML_PARSE_DTDLOAD or
the parsed entities defined in the nested DTDs will not load.

2. Even with parsed entities loaded, the validation then fails: the
xmlParserHandlePEReference() is called during the post-validation with
the ctxt->options equal to zero when loading a separate DTD (e.g. due
to --dtdvalid option) via the xmlSAXParseDTD(). Solution:
xmlSAXParseDTD() should set the ctxt->options to XML_PARSE_DTDLOAD -
after all, xmlSAXParseDTD *is* loading the DTD.

3. The comment in the xmlParserHandlePEReference() is an obvious
copy-paste: it refers to parsed entities while the code actually
handles parameter entities. Solution: fix the comment :)

Updated patch attached (against RHEL version of 2.7.6 - will update to
git version of libxml2 if needed).

Regards,
Alexey.

_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
xml gnome org
https://mail.gnome.org/mailman/listinfo/xml

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard redhat com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]