File libxml2-CVE-2016-9318.patch of Package libxml2.6602

Index: libxml2-2.9.4/elfgcchack.h
===================================================================
--- libxml2-2.9.4.orig/elfgcchack.h
+++ libxml2-2.9.4/elfgcchack.h
@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityL
 #endif
 #endif
 
+#ifdef bottom_xmlIO
+#undef xmlNoXxeExternalEntityLoader
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
+#else
+#ifndef xmlNoXxeExternalEntityLoader
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
+#endif
+#endif
+
 #ifdef bottom_tree
 #undef xmlNodeAddContent
 extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
Index: libxml2-2.9.4/include/libxml/parser.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/parser.h
+++ libxml2-2.9.4/include/libxml/parser.h
@@ -1111,7 +1111,8 @@ typedef enum {
     XML_PARSE_HUGE      = 1<<19,/* relax any hardcoded limit from the parser */
     XML_PARSE_OLDSAX    = 1<<20,/* parse using SAX2 interface before 2.7.0 */
     XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
-    XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
+    XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
+    XML_PARSE_NOXXE	= 1<<23 /* Forbid any external entity substitution */
 } xmlParserOption;
 
 XMLPUBFUN void XMLCALL
Index: libxml2-2.9.4/include/libxml/xmlIO.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/xmlIO.h
+++ libxml2-2.9.4/include/libxml/xmlIO.h
@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
 					 xmlParserCtxtPtr ctxt);
 
 /*
+ * A predefined entity loader external entity expansion
+ */
+XMLPUBFUN xmlParserInputPtr XMLCALL
+	xmlNoXxeExternalEntityLoader	(const char *URL,
+					 const char *ID,
+					 xmlParserCtxtPtr ctxt);
+
+/*
  * xmlNormalizeWindowsPath is obsolete, don't use it.
  * Check xmlCanonicPath in uri.h for a better alternative.
  */
Index: libxml2-2.9.4/include/libxml/xmlerror.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/xmlerror.h
+++ libxml2-2.9.4/include/libxml/xmlerror.h
@@ -470,6 +470,7 @@ typedef enum {
     XML_IO_EADDRINUSE, /* 1554 */
     XML_IO_EALREADY, /* 1555 */
     XML_IO_EAFNOSUPPORT, /* 1556 */
+    XML_IO_ILLEGAL_XXE, /* 1557 */
     XML_XINCLUDE_RECURSION=1600,
     XML_XINCLUDE_PARSE_VALUE, /* 1601 */
     XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -15358,6 +15358,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtP
 	ctxt->options |= XML_PARSE_NONET;
         options -= XML_PARSE_NONET;
     }
+    if (options & XML_PARSE_NOXXE) {
+	ctxt->options |= XML_PARSE_NOXXE;
+        options -= XML_PARSE_NOXXE;
+    }
     if (options & XML_PARSE_COMPACT) {
 	ctxt->options |= XML_PARSE_COMPACT;
         options -= XML_PARSE_COMPACT;
Index: libxml2-2.9.4/xmlIO.c
===================================================================
--- libxml2-2.9.4.orig/xmlIO.c
+++ libxml2-2.9.4/xmlIO.c
@@ -210,6 +210,7 @@ static const char *IOerr[] = {
     "adddress in use",		/* EADDRINUSE */
     "already in use",		/* EALREADY */
     "unknown address familly",	/* EAFNOSUPPORT */
+    "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
 };
 
 #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const cha
     xmlGenericError(xmlGenericErrorContext,
                     "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
 #endif
-    if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
+    if (ctxt != NULL) {
         int options = ctxt->options;
 
-	ctxt->options -= XML_PARSE_NONET;
-        ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-	ctxt->options = options;
-	return(ret);
+        if (options & XML_PARSE_NOXXE) {
+            ctxt->options -= XML_PARSE_NOXXE;
+            ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
+            ctxt->options = options;
+            return(ret);
+        }
+ 
+        if (options & XML_PARSE_NONET) {
+            ctxt->options -= XML_PARSE_NONET;
+            ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
+            ctxt->options = options;
+            return(ret);
+        }
     }
 #ifdef LIBXML_CATALOG_ENABLED
     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char
     xmlParserInputPtr input = NULL;
     xmlChar *resource = NULL;
 
+    if (ctxt == NULL) {
+        return(NULL);
+    }
+    if (ctxt->input_id == 1) {
+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+    }
+
 #ifdef LIBXML_CATALOG_ENABLED
     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
 #endif
@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char
     return(input);
 }
 
+xmlParserInputPtr
+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
+                          xmlParserCtxtPtr ctxt) {
+    if (ctxt == NULL) {
+        return(NULL);
+    }
+    if (ctxt->input_id == 1) {
+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+    }
+    xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
+    return(NULL);
+}
+
 #define bottom_xmlIO
 #include "elfgcchack.h"
Index: libxml2-2.9.4/xmllint.c
===================================================================
--- libxml2-2.9.4.orig/xmllint.c
+++ libxml2-2.9.4/xmllint.c
@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
     printf("\t--path 'paths': provide a set of paths for resources\n");
     printf("\t--load-trace : print trace of all external entities loaded\n");
     printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
+    printf("\t--noxxe : forbid any external entity substitution\n");
     printf("\t--nocompact : do not generate compact text nodes\n");
     printf("\t--htmlout : output results as HTML\n");
     printf("\t--nowrap : do not put HTML doc wrapper\n");
@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
                    (!strcmp(argv[i], "--nonet"))) {
 	    options |= XML_PARSE_NONET;
 	    xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
+        } else if ((!strcmp(argv[i], "-noxxe")) ||
+                   (!strcmp(argv[i], "--noxxe"))) {
+	    options |= XML_PARSE_NOXXE;
+	    xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
         } else if ((!strcmp(argv[i], "-nocompact")) ||
                    (!strcmp(argv[i], "--nocompact"))) {
 	    options &= ~XML_PARSE_COMPACT;