Contents

From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 23 Oct 2014 11:35:36 +0800
Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix

For https://bugzilla.gnome.org/show_bug.cgi?id=738805

The fix for CVE-2014-3660 introduced a regression in some case
where entity substitution is required and the entity is used
first in anotther entity referenced from an attribute value
---
 parser.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 67c9dfd..a8d1b67 100644
--- a/parser.c
+++ b/parser.c
@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
      * far more secure as the parser will only process data coming from
      * the document entity by default.
      */
-    if ((ent->checked == 0) &&
+    if (((ent->checked == 0) ||
+         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
 	unsigned long oldnbent = ctxt->nbentities;
-- 
2.1.2

Version data entries

36 entries across 36 versions & 7 rubygems

Version	Path
vagrant-compose-yaml-0.1.3	vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.7.1/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-compose-yaml-0.1.2	vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.7.1/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-compose-yaml-0.1.1	vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.7.1/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-compose-yaml-0.1.0	vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.7.1/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-unbundled-1.8.5.2	vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.2/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-unbundled-1.8.5.1	vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.2/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-unbundled-1.8.4.2	vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.2/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-unbundled-1.8.4.1	vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.2/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
ish_lib_manager-0.0.1	test/dummy/vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.2/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.7.2	patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
vagrant-unbundled-1.8.1.1	vendor/bundle/ruby/2.3.0/gems/nokogiri-1.6.7.1/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.7.1	patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.7	patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.7.rc4	patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.6.4	ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.6.4-java	ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.6.3	ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-1.6.6.3-java	ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
nokogiri-xmlsec1-0.0.11	ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch
sc_core-0.0.7	test/dummy/vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.6.2/ports/patches/libxml2/0002-Fix-missing-entities-after-CVE-2014-3660-fix.patch