Review Request 118270: [doc] explicitly load external entities (after CVE-2014-0191)
Luc Menut
lmenut at free.fr
Sat May 24 23:12:59 BST 2014
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118270/#review58411
-----------------------------------------------------------
Thanks for the fix, it seems to work fine.
I built KDE SC 4.13.1 (Mageia Cauldron) with it with both original and patched libxml2; in the 2 cases, results are the same, and the same as original meinproc4 with unpatched libxml2.
Do we need ressources from network? If all the resources are supposed to be on the local machine, perhaps we should use XML_PARSE_NONET (Forbid network access) option? It is often suggested/recommended to use this option with DTDLOAD and NOENT when it's possible.
https://bugzilla.redhat.com/show_bug.cgi?id=863166#c3
- Luc Menut
On May 23, 2014, 8:24 p.m., Luigi Toscano wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/118270/
> -----------------------------------------------------------
>
> (Updated May 23, 2014, 8:24 p.m.)
>
>
> Review request for Documentation, KDE Frameworks, kdelibs, Rohan Garg, Jonathan Riddell, and Rex Dieter.
>
>
> Bugs: 335001
> http://bugs.kde.org/show_bug.cgi?id=335001
>
>
> Repository: kdelibs
>
>
> Description
> -------
>
> Use the more modern API function for XML loading and enable the flags which load the external entities, so that meinproc4 can work
> again after the security changes implemented for CVE-2014-0191.
> Without this change meinproc4 complains (see the referenced bug)
>
> The fix (half of the patch, the other half is on code which was removed) applies to KF5 too, hence the group.
>
> My tests shows that the documentation cache is properly generated as before, and the patch should work even on the old
>
> Packagers (Ubuntu packagers in CC, as Ubuntu is one of the few distributions where libxml2 has been already patched) could you please test it with a fixed libxml and without, and if possible with KF5 as well?
>
>
> Diffs
> -----
>
> kdoctools/meinproc.cpp 0894d63
> kdoctools/xslt.cpp a7265ca
>
> Diff: https://git.reviewboard.kde.org/r/118270/diff/
>
>
> Testing
> -------
>
> meinproc4 works again
>
>
> Thanks,
>
> Luigi Toscano
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20140524/b3cd3725/attachment.htm>
More information about the kde-core-devel
mailing list