
libxml2 for LTS



Hi,

this is my debdiff for CVE-2014-0191 in libxml2.

I used the patch for wheezy as a template.

  Thorsten


diff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c
--- libxml2-2.7.8.dfsg/parser.c
+++ libxml2-2.7.8.dfsg/parser.c
@@ -2554,6 +2554,23 @@
 		    xmlChar start[4];
 		    xmlCharEncoding enc;

+                    /*
+                     * Note: external parameter entities will not be loaded, it
+                     * is not required for a non-validating parser, unless the
+                     * option of validating, or substituting entities were
+                     * given. Doing so is far more secure as the parser will
+                     * only process data coming from the document entity by
+                     * default.
+                     */
+                     if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+                        (ctxt->replaceEntities == 0) &&
+                        (ctxt->validate == 0))
+                        return;
+
 		    /*
 		     * handle the extra spaces added before and after
 		     * c.f. http://www.w3.org/TR/REC-xml#as-PE
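Review bot: The comment above the new guard names only validation and entity substitution as the cases in which an external parameter entity is still loaded, but the condition also lets the load proceed when `XML_PARSE_DTDLOAD` or `XML_PARSE_DTDATTR` is set. The guard is therefore only a default: a caller that passes either option on an untrusted document still gets external parameter entities fetched, and the comment should say so, e.g. `* unless validation, entity substitution, DTD loading (XML_PARSE_DTDLOAD) or DTD default attributes (XML_PARSE_DTDATTR) were requested.` The bare `return;` skips the reference without any diagnostic visible in the hunk, which is worth one line of comment as well. As a point of style, the added lines are indented with spaces while the surrounding context uses tabs. The enclosing function starts and ends outside the hunk.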
@@ -12302,6 +12319,12 @@
 	return(NULL);
     }

+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
     /*
      * Set-up the SAX context
      */
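Review bot: The pair `/* We are loading a DTD */` and `ctxt->options |= XML_PARSE_DTDLOAD;` is added twice back to back at this one location, and the second copy does nothing. The hunk header carries no function name, so it is not visible which DTD-loading entry point this is. If the wheezy patch sets the flag in two separate functions (libxml2 has both xmlIOParseDTD and xmlSAXParseDTD), the second copy may have landed here instead of in the other one. In that case the other path would load a DTD without the flag, and the guard from the first hunk would skip external parameter entities there. Compare against debian/patches/cve-2014-0191.patch, then either drop the duplicate or move it to the function it was meant for. The enclosing function starts and ends outside the hunk.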
diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog
--- libxml2-2.7.8.dfsg/debian/changelog
+++ libxml2-2.7.8.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.7.8.dfsg-2+squeeze9) squeeze-lts; urgency=high
+
+ * libxml2 could be made to consume resources if it processed + a specially crafted file.
+    (CVE-2014-0191)
+ patch for parser.c copied from debian/patches/cve-2014-0191.patch + for Wheezy +
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 13 Jul 2014 18:00:28 +0200
+
 libxml2 (2.7.8.dfsg-2+squeeze8) oldstable-security; urgency=high

   * Non-maintainer upload by the Security Team.

