File xmltooling-1.5.6-CVE-2018-0486.patch of Package xmltooling.10706
From a02314e96d6746d29c5697b504d37f2e04a6e6cd Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Wed, 10 Jan 2018 12:20:07 -0500
Subject: [PATCH] CPPXT-127 - Block entity reference nodes during
unmarshalling.
https://issues.shibboleth.net/jira/browse/CPPXT-127
---
xmltooling/io/AbstractXMLObjectUnmarshaller.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
index ae2709e..487348e 100644
--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const DOMElement* domEleme
else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
m_log.debug("processing text content at position (%d)", position);
setTextContent(childNode->getNodeValue(), position);
+ } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
+ throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
}
childNode = childNode->getNextSibling();
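Review bot: The added branch fails closed only for `ENTITY_REFERENCE_NODE` and `ENTITY_NODE`; as far as this hunk shows, other non-text children such as `DOMNode::COMMENT_NODE` or `DOMNode::PROCESSING_INSTRUCTION_NODE` still fall out of the chain silently, and they too split an element's text into several TEXT_NODE children that reach `setTextContent` one piece at a time. Whether `setTextContent` appends or overwrites when called twice for the same `position` is not visible here (the body of `unmarshallContent` starts and ends outside the hunk), so that should be confirmed before text extracted from signed content is relied on. The branch would also benefit from a why-comment, for example `// Entity references are not folded into the text value by this loop; reject them so callers never see a partial value.`, and from an error-level log line before the throw to match the debug logging in the text branch. The `} else if` placement also differs from the preceding branch, which starts `else if` on its own line.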
--
1.8.3.1