Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
- From: Daniel Veillard <veillard redhat com>
- To: Alexey Neyman <stilor att net>
- Cc: xml gnome org
- Subject: Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix
- Date: Wed, 11 Jun 2014 18:23:31 +0800
thanks !
Yes, I have now pushed it in master, this should solve all the
issues which got reported for that CVE-2014-0191 patch
https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
feedback welcome !
Daniel
On Tue, Jun 10, 2014 at 02:18:19PM -0700, Alexey Neyman wrote:
Hi Daniel,
Your patch works for me, thanks! One more thing you missed though:
s/parsed/parameter/ in the copy-pasted comment :)
Regards,
Alexey.
On Monday, June 09, 2014 07:06:02 am Daniel Veillard wrote:
Pong, sorry, but was distracted with other things and I accumulated
feedback from different places on this issue, I would rather not have to
push 3 different patches to cover this :-)
I ended up with a rather similar but slightly more complex patch
(attached), the DTD may have to be loaded in other different conditions
wna while you apparently covered xmlIOParseDTD, one of the case I got
also pointed to xmlSAXParseDTD so both need to be fixed. Also I'm
doing an incremental bit fix rather than overwriting the full context
option which could also cause regressions.
I will also push separately an update to xmlInitParserCtxt() setting
up the options based on the global variable settings (it's evil but
needed for compatibility), but it's more of a cleanup than an actual
fix for the issue so not in that patch,
give it a try,
thanks,
Daniel
On Sun, Jun 08, 2014 at 06:31:57PM -0700, Alexey Neyman wrote:
PING!
On Tuesday, May 20, 2014 10:06:27 PM Alexey Neyman wrote:
[More investigation follows. Writing from a different machine, so
cannot reply to my own email]
The issue, brief summary: upgrade of libxml2 from 2.7.6-14.el6 to
2.7.6-14.el6_5.1 (RHEL6) broke the --postvalid/--dtdvalid options.
Minimal test case:
[a.xml]
<?xml version="1.0"?>
<!-- vi: set sw=2 : -->
<!DOCTYPE a SYSTEM "a.dtd">
<a>
<b/>
</a>
[a.dtd]
<!ELEMENT a (b|c)>
<!ENTITY % base.dtd SYSTEM "b.dtd">
%base.dtd;
[b.dtd]
<!ELEMENT b EMPTY>
<!ELEMENT c EMPTY>
This command works:
xmllint --valid --noout --dtdvalid a.dtd a.xml
This command doesn't:
xmllint --postvalid --noout --dtdvalid a.dtd a.xml
a.xml:5: element b: validity error : No declaration for element b
Document a.xml does not validate against a.dtd
The problem:
1. With --postvalid (and similarly treated options --dtdvalid,
--dtdvalidfpi) the XML_PARSE_DTDVALID is not set. Instead,
XML_PARSE_DTDLOAD is set (the validation is performed after loading of
the XML document). Solution: the
xmlParserHandlePEReference() should also check for XML_PARSE_DTDLOAD or
the parsed entities defined in the nested DTDs will not load.
2. Even with parsed entities loaded, the validation then fails: the
xmlParserHandlePEReference() is called during the post-validation with
the ctxt->options equal to zero when loading a separate DTD (e.g. due
to --dtdvalid option) via the xmlSAXParseDTD(). Solution:
xmlSAXParseDTD() should set the ctxt->options to XML_PARSE_DTDLOAD -
after all, xmlSAXParseDTD *is* loading the DTD.
3. The comment in the xmlParserHandlePEReference() is an obvious
copy-paste: it refers to parsed entities while the code actually
handles parameter entities. Solution: fix the comment :)
Updated patch attached (against RHEL version of 2.7.6 - will update to
git version of libxml2 if needed).
Regards,
Alexey.
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
xml gnome org
https://mail.gnome.org/mailman/listinfo/xml
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard redhat com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
