wok-current view libxml2/stuff/CVE-2024-40896.patch @ rev 25728
Merge wok for both arch and few updates
| author | Stanislas Leduc <shann@slitaz.org> |
|---|---|
| date | Thu Dec 05 08:39:45 2024 +0000 (9 months ago) |
1 From 1a8932303969907f6572b1b6aac4081c56adb5c6 Mon Sep 17 00:00:00 2001
2 From: Nick Wellnhofer <wellnhofer@aevum.de>
3 Date: Sat, 6 Jul 2024 01:03:46 +0200
4 Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
6 Some users set an entity's children manually in the getEntity SAX
7 callback to restrict entity expansion. This stopped working after
8 renaming the "checked" member of xmlEntity, making at least one
9 downstream project and its dependants susceptible to XXE attacks.
11 See #761.
12 ---
13 parser.c | 8 ++++++++
14 1 file changed, 8 insertions(+)
16 diff --git a/parser.c b/parser.c
17 index 0785e726b..4e8085304 100644
18 --- a/parser.c
19 +++ b/parser.c
20 @@ -7379,6 +7379,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
21 return;
22 }
24 + /*
25 + * Some users try to parse entities on their own and used to set
26 + * the renamed "checked" member. Fix the flags to cover this
27 + * case.
28 + */
29 + if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
30 + ent->flags |= XML_ENT_PARSED;
31 +
32 /*
33 * The first reference to the entity trigger a parsing phase
34 * where the ent->children is filled with the result from
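Review bot: the new condition `((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL)` treats any pre-populated children list as proof that the entity was already parsed, so a downstream getEntity callback that assigns children now marks the entity parsed and libxml2's own expansion phase (described in the comment that follows) is skipped for it; the comment above the check should state this outright instead of the vague "used to set the renamed 'checked' member", naming which flag the old member maps to so readers can relate the pre-rename behaviour to XML_ENT_PARSED. The hunk also relies on `ent` being non-NULL here, which the two context lines (`return;` / `}`) suggest but do not show; since the commit message says this breakage went unnoticed after the rename, a regression test with a SAX getEntity callback that sets children and asserts the entity is not expanded would guard this path going forward.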
35 --
36 GitLab