File libxml2-CVE-2014-0191.patch of Package libxml2.3902

Index: libxml2.SUSE_SLE-11_Update/libxml2-2.7.1/parser.c
===================================================================
--- a/parser.c
+++ b/parser.c
@@ -2387,6 +2387,23 @@ xmlParserHandlePEReference(xmlParserCtxt
 		    xmlCharEncoding enc;
 
 		    /*
+                     * Note: external parameter entities will not be loaded, it
+                     * is not required for a non-validating parser, unless the
+                     * option of validating, or substituting entities were
+                     * given. Doing so is far more secure as the parser will
+                     * only process data coming from the document entity by
+                     * default.             
+                     */
+                    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+                        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+			((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
+                        ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
+                        (ctxt->replaceEntities == 0) &&
+                        (ctxt->validate == 0))
+                        return;
+
+		    /*
 		     * handle the extra spaces added before and after
 		     * c.f. http://www.w3.org/TR/REC-xml#as-PE
 		     * this is done independently.
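Review bot: The comment above the new guard names only validation and entity substitution as the cases where external parameter entities are still loaded, but the condition also exempts `XML_PARSE_DTDLOAD` and `XML_PARSE_DTDATTR`, so it understates when external content can still be pulled in. I would add a line such as `* Setting XML_PARSE_DTDLOAD or XML_PARSE_DTDATTR also re-enables loading.` so that anyone parsing untrusted input knows that any of the four options, or the legacy `replaceEntities`/`validate` fields, switches the protection off. As far as this hunk shows, the bare `return` skips the entity without a warning or error, so a blocked reference looks the same as an empty one to the caller; a short comment saying this is intentional would help. The added lines also mix tabs and spaces (the `XML_PARSE_DTDLOAD` line is tab-indented, the others space-indented) and the comment has trailing whitespace. The enclosing function starts and ends outside the hunk.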
@@ -11772,6 +11789,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlP
 	return(NULL);
     }
 
+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
     /*
      * Set-up the SAX context
      */
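Review bot: `/* We are loading a DTD */` does not say why the flag is set. It is what lets the new check in xmlParserHandlePEReference process external parameter entities, so this entry point opts in to external loading for every DTD it is handed, whatever options the caller chose. A comment such as `/* Set DTDLOAD so external parameter entities in this DTD are still processed; callers handling untrusted DTDs should restrict the entity loader. */` would make that trade-off visible. The same applies to the identical addition in the xmlSAXParseDTD hunk. Both function bodies continue outside their hunks.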
@@ -11899,6 +11919,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, con
 	return(NULL);
     }
 
+    /* We are loading a DTD */
+    ctxt->options |= XML_PARSE_DTDLOAD;
+
     /*
      * Set-up the SAX context
      */