From 2551653d7ca3604c6fea6d2e179669c0029c558b Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@math.unl.edu>
Date: Fri, 23 May 2014 13:00:54 -0500
Subject: [PATCH] meinproc4 doesn't substitute entity with libxml2 fixed for
 CVE-2014-0191 (kde#335001)

---
 kdelibs-r118270.patch | 46 +++++++++++++++++++++++++++++++++++++++++++
 kdelibs.spec          | 10 +++++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 kdelibs-r118270.patch

diff --git a/kdelibs-r118270.patch b/kdelibs-r118270.patch
new file mode 100644
index 0000000..3b927ac
--- /dev/null
+++ b/kdelibs-r118270.patch
@@ -0,0 +1,46 @@
+From d31488721660d7592e29f20dda747e1f129e0290 Mon Sep 17 00:00:00 2001
+From: Luigi Toscano <luigi.toscano@tiscali.it>
+Date: Thu, 22 May 2014 23:29:09 +0200
+Subject: [PATCH] Explicitly load external entities (after CVE-2014-0191)
+
+Use the more modern API function for XML loading and enable the
+flags which load the external entities, so that meinproc4 can work
+again after the security changes implemented for CVE-2014-0191.
+
+BUG: 335001
+---
+ kdoctools/meinproc.cpp | 4 ++--
+ kdoctools/xslt.cpp     | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kdoctools/meinproc.cpp b/kdoctools/meinproc.cpp
+index 0894d63..c4e963f 100644
+--- a/kdoctools/meinproc.cpp
++++ b/kdoctools/meinproc.cpp
+@@ -197,8 +197,8 @@ int main(int argc, char **argv) {
+ 
+         if (style_sheet != NULL) {
+ 
+-            xmlDocPtr doc = xmlParseFile( QFile::encodeName( checkFilename ).constData() );
+-
++            xmlDocPtr doc = xmlReadFile( QFile::encodeName( checkFilename ).constData(),
++                                         NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD );
+             xmlDocPtr res = xsltApplyStylesheet(style_sheet, doc, &params[0]);
+ 
+             xmlFreeDoc(doc);
+diff --git a/kdoctools/xslt.cpp b/kdoctools/xslt.cpp
+index a7265ca..0e7047d 100644
+--- a/kdoctools/xslt.cpp
++++ b/kdoctools/xslt.cpp
+@@ -157,7 +157,7 @@ QString transform( const QString &pat, const QString& tss,
+ 
+     INFO(i18n("Parsing document"));
+ 
+-    xmlDocPtr doc = xmlParseFile(QFile::encodeName(pat));
++    xmlDocPtr doc = xmlReadFile(QFile::encodeName(pat), NULL, XML_PARSE_NOENT|XML_PARSE_DTDLOAD);
+     xsltTransformContextPtr ctxt;
+ 
+     ctxt = xsltNewTransformContext(style_sheet, doc);
+-- 
+2.0.0.rc2
+
diff --git a/kdelibs.spec b/kdelibs.spec
index cd21f23..92d74f3 100644
--- a/kdelibs.spec
+++ b/kdelibs.spec
@@ -39,7 +39,7 @@
 
 Summary: KDE Libraries
 Version: 4.13.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 Name: kdelibs
 Epoch: 6
@@ -144,6 +144,10 @@ Patch53: kdelibs-4.7.2-kjs-s390.patch
 # return valid locale (RFC 1766)
 Patch54: kdelibs-4.8.4-kjs-locale.patch
 
+# meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191
+# http://bugs.kde.org/335001 , https://git.reviewboard.kde.org/r/118270
+Patch55: kdelibs-r118270.patch
+
 # make filter working, TODO: upstream?  -- rex
 Patch59: kdelibs-4.9.3-kcm_ssl.patch
 
@@ -356,6 +360,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 %patch52 -p1 -b .SOLID_UPNP
 %patch53 -p1 -b .kjs-s390
 %patch54 -p1 -b .kjs-locale
+%patch55 -p1 -b .r118270
 %patch59 -p1 -b .filter
 %patch61 -p1 -b .dot
 %patch62 -p1 -b .arm-plasma
@@ -624,6 +629,9 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || :
 
 
 %changelog
+* Fri May 23 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-2
+- meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 (kde#335001)
+
 * Sat May 10 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.13.1-1
 - 4.13.1