meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 (kde#335001)

2014-05-23 13:00:54 -05:00 · 2014-05-23 13:00:54 -05:00 · 2551653d7c
parent 379a767770
commit 2551653d7c
2 changed files with 55 additions and 1 deletions
--- a/kdelibs-r118270.patch
+++ b/kdelibs-r118270.patch
@ -0,0 +1,46 @@
+From d31488721660d7592e29f20dda747e1f129e0290 Mon Sep 17 00:00:00 2001
+From: Luigi Toscano <luigi.toscano@tiscali.it>
+Date: Thu, 22 May 2014 23:29:09 +0200
+Subject: [PATCH] Explicitly load external entities (after CVE-2014-0191)
+
+Use the more modern API function for XML loading and enable the
+flags which load the external entities, so that meinproc4 can work
+again after the security changes implemented for CVE-2014-0191.
+
+BUG: 335001
+---
+ kdoctools/meinproc.cpp | 4 ++--
+ kdoctools/xslt.cpp     | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kdoctools/meinproc.cpp b/kdoctools/meinproc.cpp
+index 0894d63..c4e963f 100644
+--- a/kdoctools/meinproc.cpp
+++ b/kdoctools/meinproc.cpp
+@@ -197,8 +197,8 @@ int main(int argc, char **argv) {
+ 
+         if (style_sheet != NULL) {
+ 
+-            xmlDocPtr doc = xmlParseFile( QFile::encodeName( checkFilename ).constData() );
+-
+            xmlDocPtr doc = xmlReadFile( QFile::encodeName( checkFilename ).constData(),
+                                         NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD );
+             xmlDocPtr res = xsltApplyStylesheet(style_sheet, doc, &params[0]);
+ 
+             xmlFreeDoc(doc);
+diff --git a/kdoctools/xslt.cpp b/kdoctools/xslt.cpp
+index a7265ca..0e7047d 100644
+--- a/kdoctools/xslt.cpp
+++ b/kdoctools/xslt.cpp
+@@ -157,7 +157,7 @@ QString transform( const QString &pat, const QString& tss,
+ 
+     INFO(i18n("Parsing document"));
+ 
+-    xmlDocPtr doc = xmlParseFile(QFile::encodeName(pat));
+    xmlDocPtr doc = xmlReadFile(QFile::encodeName(pat), NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD);
+     xsltTransformContextPtr ctxt;
+ 
+     ctxt = xsltNewTransformContext(style_sheet, doc);
+-- 
+2.0.0.rc2
+
--- a/kdelibs.spec
+++ b/kdelibs.spec
@ -39,7 +39,7 @@

 Summary: KDE Libraries
 Version: 4.13.1
-Release: 1%{?dist}
+Release: 2%{?dist}

 Name: kdelibs
 Epoch: 6
@ -144,6 +144,10 @@ Patch53: kdelibs-4.7.2-kjs-s390.patch
 # return valid locale (RFC 1766)
 Patch54: kdelibs-4.8.4-kjs-locale.patch

+# meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191
+# http://bugs.kde.org/335001 , https://git.reviewboard.kde.org/r/118270
+Patch55: kdelibs-r118270.patch
+
 # make filter working, TODO: upstream?  -- rex
 Patch59: kdelibs-4.9.3-kcm_ssl.patch

@ -356,6 +360,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 %patch52 -p1 -b .SOLID_UPNP
 %patch53 -p1 -b .kjs-s390
 %patch54 -p1 -b .kjs-locale
+%patch55 -p1 -b .r118270
 %patch59 -p1 -b .filter
 %patch61 -p1 -b .dot
 %patch62 -p1 -b .arm-plasma
@ -624,6 +629,9 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || :


 %changelog
+* Fri May 23 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-2
+- meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 (kde#335001)
+
 * Sat May 10 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-1
 - 4.13.1