| Field | Value |
|---|---|
| Summary | meinproc4 doesn't substitute entity with libxml2 fixed for CVE-2014-0191 |
| Product | [Websites] docs.kde.org |
| Component | ksgmltools |
| Reporter | Luc Menut <lmenut> |
| Assignee | Documentation Editorial Team <kde-doc-english> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | NOR |
| CC | luigi.toscano, rakuco, rdieter |
| Version | 4.13.1 |
| Version Fixed In | 4.13.2 |
| Target Milestone | --- |
| Platform | Mageia RPMs |
| OS | Linux |
| Latest Commit | http://commits.kde.org/kdelibs/d4fca9ffb31a2383459c89b27f81b10b7ddece1a |
Attachments:
errors from 'meinproc4 --check -o index.html index.docbook' (with fixed libxml2)
good index.html from meinproc4 with unfixed libxml2
bad index.html from meinproc4 with fixed libxml2 for CVE-2014-0191
Description
Luc Menut
2014-05-18 21:13:15 UTC
Created attachment 86696
errors from 'meinproc4 --check -o index.html index.docbook' (with fixed libxml2)
Created attachment 86697
good index.html from meinproc4 with unfixed libxml2
Created attachment 86698
bad index.html from meinproc4 with fixed libxml2 for CVE-2014-0191
I put a patch here: https://git.reviewboard.kde.org/r/118270/
Could you please test it (also on KF5 if possible, and with the old libxml2 as well)? I'm on vacation with limited connectivity for a few days. Please ensure that the generated doc is the same.

Git commit d4fca9ffb31a2383459c89b27f81b10b7ddece1a by Luigi Toscano.
Committed on 04/06/2014 at 20:40.
Pushed by ltoscano into branch 'KDE/4.13'.

Explicitly load external entities (after CVE-2014-0191)

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Network loading is disabled too now.

REVIEW: 118270
FIXED-IN: 4.13.2

M +2 -2 kdoctools/meinproc.cpp
M +2 -1 kdoctools/xslt.cpp

http://commits.kde.org/kdelibs/d4fca9ffb31a2383459c89b27f81b10b7ddece1a

Git commit 684bb98b31d338d85e1e6089cac381a507a5b4d8 by Luigi Toscano.
Committed on 13/06/2014 at 00:41.
Pushed by ltoscano into branch 'KDE/4.13'.

Do not set global loading of DTD and entities, no more needed

The global settings have been replaced by the fine-grained parameters passed to xmlReadFile. Moreover a libxml2 regression prevents those parameters from being used when the patch for CVE-2014-0191 is applied, see https://bugzilla.gnome.org/show_bug.cgi?id=730290
A new libxml2 patch is going to be deployed soon, but anyway this code works even without setting those parameters.

M +0 -3 kdoctools/meinproc.cpp

http://commits.kde.org/kdelibs/684bb98b31d338d85e1e6089cac381a507a5b4d8

Git commit f9ed9951d228fae90f2979830f6009ad71e33511 by Luigi Toscano.
Committed on 14/06/2014 at 00:36.
Pushed by ltoscano into branch 'master'.

Explicitly load external entities

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Network loading is disabled too now.

Please note that, even if the changes to the aforementioned CVE introduced a regression in libxml2, recently fixed upstream, and that the current meinproc code works again once the fix is deployed, nevertheless upstream suggests to not use global settings anymore.

Adapted from the following kdelibs (Qt4 branch) commits:
d4fca9ffb31a2383459c89b27f81b10b7ddece1a
684bb98b31d338d85e1e6089cac381a507a5b4d8

M +0 -3 src/meinproc.cpp
M +3 -1 src/xslt.cpp

http://commits.kde.org/kdoctools/f9ed9951d228fae90f2979830f6009ad71e33511
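
The commits above move external-entity loading from process-wide libxml2 defaults to options passed on each parse, with network fetching switched off. The following is an added example, not code from the KDE patches, showing that per-parse scoping through lxml (a Python binding over libxml2). The sample document, the file names, and the mapping of lxml's options to `XML_PARSE_NOENT`, `XML_PARSE_DTDLOAD` and `XML_PARSE_NONET` are assumptions of this example; the commit messages do not name the flags.

```python
import os
import tempfile

from lxml import etree  # Python binding over libxml2

# Constructed sample: a document whose body comes from a local external entity.
MAIN = b"""<?xml version="1.0"?>
<!DOCTYPE book [
  <!ENTITY chapter SYSTEM "chapter.docbook">
]>
<book>&chapter;</book>
"""
CHAPTER = b"<para>Installing the application</para>"


def make_parser(load_entities):
    """Build a parser whose options apply to this parse only.

    No process-wide libxml2 default is touched, so other XML consumers in
    the same process keep their own (ideally restrictive) settings.
    """
    return etree.XMLParser(
        resolve_entities=load_entities,  # assumed equivalent: XML_PARSE_NOENT
        load_dtd=load_entities,          # assumed equivalent: XML_PARSE_DTDLOAD
        no_network=True,                 # assumed equivalent: XML_PARSE_NONET
    )


def first_para(load_entities):
    """Parse the constructed document from disk and return the <para> text,
    or None when the entity reference was left unsubstituted."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "index.docbook")
        with open(path, "wb") as handle:
            handle.write(MAIN)
        with open(os.path.join(workdir, "chapter.docbook"), "wb") as handle:
            handle.write(CHAPTER)
        root = etree.parse(path, make_parser(load_entities)).getroot()
        para = root.find("para")
        return None if para is None else para.text


if __name__ == "__main__":
    print("entity loading off:", first_para(False))
    print("entity loading on: ", first_para(True))
```

Only parsers built with `load_entities=True` read the local entity file, so the permissive setting can be limited to trusted documentation sources while every parse stays barred from network retrieval.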