meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 (kde#335001)

Rex Dieter 2014-05-23 13:00:54 -05:00
parent 379a767770
commit 2551653d7c
2 changed files with 55 additions and 1 deletions

46
kdelibs-r118270.patch Normal file

@ -0,0 +1,46 @@
From d31488721660d7592e29f20dda747e1f129e0290 Mon Sep 17 00:00:00 2001
From: Luigi Toscano <luigi.toscano@tiscali.it>
Date: Thu, 22 May 2014 23:29:09 +0200
Subject: [PATCH] Explicitly load external entities (after CVE-2014-0191)
Use the more modern API function for XML loading and enable the
flags which load the external entities, so that meinproc4 can work
again after the security changes implemented for CVE-2014-0191.
BUG: 335001
---
kdoctools/meinproc.cpp | 4 ++--
kdoctools/xslt.cpp | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/kdoctools/meinproc.cpp b/kdoctools/meinproc.cpp
index 0894d63..c4e963f 100644
--- a/kdoctools/meinproc.cpp
+++ b/kdoctools/meinproc.cpp
@@ -197,8 +197,8 @@ int main(int argc, char **argv) {
if (style_sheet != NULL) {
- xmlDocPtr doc = xmlParseFile( QFile::encodeName( checkFilename ).constData() );
-
+ xmlDocPtr doc = xmlReadFile( QFile::encodeName( checkFilename ).constData(),
+ NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD );
xmlDocPtr res = xsltApplyStylesheet(style_sheet, doc, &params[0]);
xmlFreeDoc(doc);
diff --git a/kdoctools/xslt.cpp b/kdoctools/xslt.cpp
index a7265ca..0e7047d 100644
--- a/kdoctools/xslt.cpp
+++ b/kdoctools/xslt.cpp
@@ -157,7 +157,7 @@ QString transform( const QString &pat, const QString& tss,
INFO(i18n("Parsing document"));
- xmlDocPtr doc = xmlParseFile(QFile::encodeName(pat));
+ xmlDocPtr doc = xmlReadFile(QFile::encodeName(pat), NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD);
xsltTransformContextPtr ctxt;
ctxt = xsltNewTransformContext(style_sheet, doc);
--
2.0.0.rc2
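Review bot: Both new `xmlReadFile` calls (kdoctools/meinproc.cpp and kdoctools/xslt.cpp) pass `XML_PARSE_NOENT|XML_PARSE_DTDLOAD` without `XML_PARSE_NONET`, so a DTD or external entity referenced by the input document can be resolved from any local path and, where libxml2 is built with network support, fetched remotely; that is the loading the CVE-2014-0191 change made opt-in. If the DocBook entities are expected to resolve through local catalogs (not visible in these hunks), I would pass `XML_PARSE_NOENT|XML_PARSE_DTDLOAD|XML_PARSE_NONET` in both places and add a comment such as `// DocBook needs entity substitution; input must be trusted, network loads disabled`. Separately, in meinproc.cpp `doc` goes straight into `xsltApplyStylesheet` with no NULL check in the visible lines; `main` and `transform` both continue outside their hunks, so confirm that a parse failure is handled before the document is used.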


@ -39,7 +39,7 @@
Summary: KDE Libraries
Version: 4.13.1
Release: 1%{?dist}
Release: 2%{?dist}
Name: kdelibs
Epoch: 6
@ -144,6 +144,10 @@ Patch53: kdelibs-4.7.2-kjs-s390.patch
# return valid locale (RFC 1766)
Patch54: kdelibs-4.8.4-kjs-locale.patch
# meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191
# http://bugs.kde.org/335001 , https://git.reviewboard.kde.org/r/118270
Patch55: kdelibs-r118270.patch
# make filter working, TODO: upstream? -- rex
Patch59: kdelibs-4.9.3-kcm_ssl.patch
@ -356,6 +360,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
%patch52 -p1 -b .SOLID_UPNP
%patch53 -p1 -b .kjs-s390
%patch54 -p1 -b .kjs-locale
%patch55 -p1 -b .r118270
%patch59 -p1 -b .filter
%patch61 -p1 -b .dot
%patch62 -p1 -b .arm-plasma
@ -624,6 +629,9 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || :
%changelog
* Fri May 23 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-2
- meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 (kde#335001)
* Sat May 10 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-1
- 4.13.1