A security issue - CVE-2014-0191 - has been fixed recently in libxml2.
http://www.openwall.com/lists/oss-security/2014/05/06/4
http://www.scip.ch/en/?vuldb.13154
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

With this fix, libxml2 doesn't fetch external parameter entities unless explicitly asked for when validating or replacing entities with their value.

meinproc4 running with fixed libxml2 doesn't substitute entities anymore, with plenty of parser error : Entity 'xxxxxx' not defined.
cf. example kde-workspace-4.11.9/doc/kmenuedit/index.docbook

Reproducible: Always

Steps to Reproduce:
use meinproc4 with fixed libxml2 (https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df)
Created attachment 86696: errors from 'meinproc4 --check -o index.html index.docbook' (with fixed libxml2)
Created attachment 86697: good index.html from meinproc4 with unfixed libxml2
Created attachment 86698: bad index.html from meinproc4 with fixed libxml2 for CVE-2014-0191
I put a patch here: https://git.reviewboard.kde.org/r/118270/ Could you please test it (also on KF5 if possible, and with the old libxml2 as well)? I'm on vacation with limited connectivity for a few days. Please ensure that the generated doc is the same.
Git commit d4fca9ffb31a2383459c89b27f81b10b7ddece1a by Luigi Toscano.
Committed on 04/06/2014 at 20:40.
Pushed by ltoscano into branch 'KDE/4.13'.

Explicitly load external entities (after CVE-2014-0191)

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Network loading is disabled too now.

REVIEW: 118270
FIXED-IN: 4.13.2

M +2 -2 kdoctools/meinproc.cpp
M +2 -1 kdoctools/xslt.cpp

http://commits.kde.org/kdelibs/d4fca9ffb31a2383459c89b27f81b10b7ddece1a
Git commit 684bb98b31d338d85e1e6089cac381a507a5b4d8 by Luigi Toscano.
Committed on 13/06/2014 at 00:41.
Pushed by ltoscano into branch 'KDE/4.13'.

Do not set global loading of DTD and entities, no more needed

The global settings have been replaced by the fine-grained parameters passed to xmlReadFile. Moreover a libxml2 regression prevents those parameters from being used when the patch for CVE-2014-0191 is applied, see https://bugzilla.gnome.org/show_bug.cgi?id=730290
A new libxml2 patch is going to be deployed soon, but anyway this code works even without setting those parameters.

M +0 -3 kdoctools/meinproc.cpp

http://commits.kde.org/kdelibs/684bb98b31d338d85e1e6089cac381a507a5b4d8
Git commit f9ed9951d228fae90f2979830f6009ad71e33511 by Luigi Toscano.
Committed on 14/06/2014 at 00:36.
Pushed by ltoscano into branch 'master'.

Explicitly load external entities

Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work again after the security changes implemented for CVE-2014-0191. Network loading is disabled too now.

Please note that, even if the changes to the aforementioned CVE introduced a regression in libxml2, recently fixed upstream, and that the current meinproc code works again once the fix is deployed, nevertheless upstream suggests to not use global settings anymore.

Adapted from the following kdelibs (Qt4 branch) commits:
d4fca9ffb31a2383459c89b27f81b10b7ddece1a
684bb98b31d338d85e1e6089cac381a507a5b4d8

M +0 -3 src/meinproc.cpp
M +3 -1 src/xslt.cpp

http://commits.kde.org/kdoctools/f9ed9951d228fae90f2979830f6009ad71e33511
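
The per-parse opt-in described in the commits above, as an added example that is not kdelibs or kdoctools code: it uses Python's standard-library expat binding in place of libxml2 and shows an entity declared in an external parameter entity staying unexpanded by default, expanding once external loading is enabled for that one parse, and a URL system identifier being refused. The sample document, the file name `entities.ent`, the names `render`, `demo` and `ExternalEntityRefused`, and the confinement to `base_dir` are assumptions of the example.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed sample (not from the bug report): &kappname; is declared only
# inside an external parameter entity, as in DocBook sources with shared DTDs.
DOC = """<!DOCTYPE book [
  <!ENTITY % ents SYSTEM "{system_id}">
  %ents;
]>
<book><title>&kappname;</title></book>"""

class ExternalEntityRefused(Exception):
    """A document asked for an entity outside the local-only policy."""

def render(xml_text, base_dir, load_external=False):
    """Return (text, skipped): character data and entities left unexpanded."""
    text, skipped = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append
    parser.SkippedEntityHandler = lambda name, is_param: skipped.append(name)

    def load_local(context, base, system_id, public_id):
        # Assumed policy for this example: no URLs, nothing outside base_dir.
        root = os.path.realpath(base_dir)
        path = os.path.realpath(os.path.join(root, system_id))
        if "://" in system_id or not path.startswith(root + os.sep):
            raise ExternalEntityRefused(system_id)
        with open(path, "rb") as fh:
            parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1

    if load_external:  # explicit opt-in for this parse only, no global switch
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        parser.ExternalEntityRefHandler = load_local
    parser.Parse(xml_text, True)
    return "".join(text), skipped

def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "entities.ent"), "w") as fh:
            fh.write('<!ENTITY kappname "KMenuEdit">')
        local = DOC.format(system_id="entities.ent")
        remote = DOC.format(system_id="http://example.invalid/entities.ent")
        try:
            render(remote, d, load_external=True)
            refused = False
        except ExternalEntityRefused:
            refused = True
        return render(local, d), render(local, d, load_external=True), refused
```

libxml2 exposes the corresponding per-parse switches as the `xmlReadFile` options `XML_PARSE_DTDLOAD`, `XML_PARSE_NOENT` and `XML_PARSE_NONET`. Unlike libxml2, expat reports the unexpanded reference through a skipped-entity callback instead of an "Entity not defined" parser error.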