GNOME Bugzilla – Bug 730290
xmllint --xinclude --postvalid broken by CVE-2014-0191 fix
Last modified: 2014-06-11 12:31:26 UTC
(As reported downstream at https://bugs.gentoo.org/show_bug.cgi?id=510508) Commit 9cd1c3cf fixing CVE-2014-0191 changed the parser to not load external entities unless in noent or validating mode. Unfortunately, this breaks "xmllint --xinclude --postvalid" when e.g. validating docbook files, and as a result breaks the build for a number of distro packages. My quick-and-dirty solution is to use XML_PARSE_DTDVALID | XML_PARSE_NOERROR | XML_PARSE_NOWARNING during xmllint's initial parser pass before a-posteriori validation mode: XML_PARSE_DTDVALID works around the CVE-2014-0191 fix, and XML_PARSE_NOERROR | XML_PARSE_NOWARNING ensures errors from incompletely resolved entities are suppressed during the initial parse pass. But perhaps you may want to add some dedicated API for a-posteriori validation use cases.
Created attachment 276694: proposed patch
There is also another proposed patch here: https://mail.gnome.org/archives/xml/2014-May/msg00003.html
The final patch fixing this and a few other issues is now committed in master: https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825 thanks! Daniel
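The scenario the report describes, as an added example that is not code from the bug report or from libxml2: a constructed DocBook-style fixture whose content model is only satisfied once an external parsed entity (loaded through the DTD) and an XInclude have both been merged, run through xmllint with the exact flag combination named above, and again with --noent (the "noent mode" the report says still loads external entities). All file names, the DTD and the document content are constructed for this demonstration; --nonet and the temporary directory are additions to keep the run offline and self-cleaning.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libxml2. It rebuilds the
# scenario described in the report: a DocBook-style document whose content
# model (title, chapter) can only be satisfied once an external parsed entity
# AND an XInclude have both been merged, then runs xmllint as the report does.
# Every file name and piece of content below is constructed for this demo.
set -u

# Write the fixture into a fresh temporary directory and print its path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    # External parsed entity: the DTD points at it with a SYSTEM identifier.
    printf '<title>Example Book</title>\n' > "$dir/title.ent"
    # Document merged by XInclude; not visible to the DTD until merged.
    printf '<chapter><para>Included chapter.</para></chapter>\n' > "$dir/chapter.xml"
    cat > "$dir/book.xml" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE book [
<!ELEMENT book (title, chapter)>
<!ELEMENT title (#PCDATA)>
<!ELEMENT chapter (para)>
<!-- xml:base is declared in case the XInclude processor adds it. -->
<!ATTLIST chapter xml:base CDATA #IMPLIED>
<!ELEMENT para (#PCDATA)>
<!ENTITY booktitle SYSTEM "title.ent">
]>
<book>
&booktitle;
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="chapter.xml"/>
</book>
EOF
    printf '%s\n' "$dir"
}

# Run "xmllint --xinclude --postvalid" (plus any extra flags) on a fresh
# fixture. Prints "valid", "invalid", or "skipped" if xmllint is not installed.
# --nonet keeps the run offline; the SYSTEM identifier is a local file.
run_postvalid() {
    command -v xmllint >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(make_fixture) || return 1
    if xmllint --nonet --noout --xinclude --postvalid "$@" "$dir/book.xml" \
            2>"$dir/errors.log"; then
        echo valid
    else
        echo invalid
    fi
    rm -rf "$dir"
    return 0
}

# The exact combination the report says regressed: on an affected libxml2 the
# unexpanded entity leaves <book> without its <title>, so this prints "invalid".
validate_report_flags() { run_postvalid; }

# Same run with --noent: the parser is in "noent mode", which the report notes
# still loads external entities, so this validates even on an affected build.
validate_with_noent() { run_postvalid --noent; }

echo "xinclude+postvalid:       $(validate_report_flags)"
echo "xinclude+postvalid+noent: $(validate_with_noent)"
```

Which result the first line shows depends on the libxml2 in use: "invalid" on a build carrying only the CVE-2014-0191 change, "valid" once the final commit referenced above is included. The --noent line is the user-level equivalent of the reporter's workaround and should print "valid" on either build; the captured errors.log is where an affected build reports the content model failure.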