[Pkg-libvirt-commits] [libvirt] 17/18: LSN-2014-0003: Don't expand entities when parsing XML

[Guido Guenther]

This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/0.9.12.3-1+deb7u1
in repository libvirt.

commit 3c5f1fafdc8e907bb38272bc99022a4308082d66
Author: Guido Günther <agx at sigxcpu.org>
Date:   Fri Sep 26 13:31:14 2014 +0200

    LSN-2014-0003: Don't expand entities when parsing XML
---
 ...03-Don-t-expand-entities-when-parsing-XML.patch | 36 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 37 insertions(+)

diff --git a/debian/patches/security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch b/debian/patches/security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
new file mode 100644
index 0000000..e44c410
--- /dev/null
+++ b/debian/patches/security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
@@ -0,0 +1,36 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Tue, 15 Apr 2014 11:20:29 +0100
+Subject: LSN-2014-0003: Don't expand entities when parsing XML
+
+If the XML_PARSE_NOENT flag is passed to libxml2, then any
+entities in the input document will be fully expanded. This
+allows the user to read arbitrary files on the host machine
+by creating an entity pointing to a local file. Removing
+the XML_PARSE_NOENT flag means that any entities are left
+unchanged by the parser, or expanded to "" by the XPath
+APIs.
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+(cherry picked from commit d6b27d3e4c40946efa79e91d134616b41b1666c4)
+---
+ src/util/xml.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/xml.c b/src/util/xml.c
+index 7411968..72fc016 100644
+--- a/src/util/xml.c
++++ b/src/util/xml.c
+@@ -731,11 +731,11 @@ virXMLParseHelper(int domcode,
+ 
+     if (filename) {
+         xml = xmlCtxtReadFile(pctxt, filename, NULL,
+-                              XML_PARSE_NOENT | XML_PARSE_NONET |
++                              XML_PARSE_NONET |
+                               XML_PARSE_NOWARNING);
+     } else {
+         xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
+-                             XML_PARSE_NOENT | XML_PARSE_NONET |
++                             XML_PARSE_NONET |
+                              XML_PARSE_NOWARNING);
+     }
+     if (!xml)
diff --git a/debian/patches/series b/debian/patches/series
index c09c395..5ab30ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ Only-check-for-cluster-fs-if-we-re-using-a-filesyste.patch
 Reduce-udevadm-settle-timeout-to-10-seconds.patch
 debian/Allow-xen-toolstack-to-find-it-s-binaries.patch
 security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch
+security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git