diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch deleted file mode 100644 index 1c05ae649e..0000000000 --- a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2014-0191-fix.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 22 Apr 2014 15:30:56 +0800 -Subject: Do not fetch external parameter entities - -Unless explicitely asked for when validating or replacing entities -with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> - -Upstream-Status: Backport -Reference: https://access.redhat.com/security/cve/CVE-2014-0191 - -Signed-off-by: Daniel Veillard <veillard@redhat.com> -Signed-off-by: Maxin B. John <maxin.john@enea.com> ---- -diff -Naur libxml2-2.9.1-orig/parser.c libxml2-2.9.1/parser.c ---- libxml2-2.9.1-orig/parser.c 2013-04-16 15:39:18.000000000 +0200 -+++ libxml2-2.9.1/parser.c 2014-05-07 13:35:46.883687946 +0200 -@@ -2595,6 +2595,20 @@ - xmlCharEncoding enc; - - /* -+ * Note: external parsed entities will not be loaded, it is -+ * not required for a non-validating parser, unless the -+ * option of validating, or substituting entities were -+ * given. Doing so is far more secure as the parser will -+ * only process data coming from the document entity by -+ * default. -+ */ -+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && -+ ((ctxt->options & XML_PARSE_NOENT) == 0) && -+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && -+ (ctxt->validate == 0)) -+ return; -+ -+ /* - * handle the extra spaces added before and after - * c.f. http://www.w3.org/TR/REC-xml#as-PE - * this is done independently. |