GNOME Bugzilla – Bug 738805
Regression in 2.9.2: entity is not parsed if used in another one, which has been previously parsed
Last modified: 2016-01-09 16:28:49 UTC
Using the following testcase.xml:
----
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE somedoc [
<!ENTITY a "something">
<!ENTITY b "&a;">
]>
<somedoc>
<somebeacon someattribute="&b;"/>
&a; should appear after colon: &a;
&b; should appear after colon: &a;
&a; should appear after colon: &b;
&b; should appear after colon: &b;
</somedoc>
----
the command "xmllint --noent testcase.xml" outputs (libxml2-2.9.2):
----
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE somedoc [
<!ENTITY a "something">
<!ENTITY b "&a;">
]>
<somedoc>
<somebeacon someattribute="something"/>
 should appear after colon:
 should appear after colon:
 should appear after colon:
 should appear after colon:
</somedoc>
----
while with libxml2-2.9.1, it gives:
----
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE somedoc [
<!ENTITY a "something">
<!ENTITY b "&a;">
]>
<somedoc>
<somebeacon someattribute="something"/>
something should appear after colon: something
something should appear after colon: something
something should appear after colon: something
something should appear after colon: something
</somedoc>
----
Changing the line "<somebeacon someattribute="&b;"/>" to "<somebeacon someattribute="&a;"/>" gives the normal 2nd output on all versions, as does moving that line after the "should appear" lines.

Regards
Pierre
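As an added regression check (not part of this bug report and not libxml2's own test code), the script below embeds the reporter's testcase.xml and the libxml2-2.9.2 xmllint output from the report above as constructed inline strings. It parses them with the standard library's ElementTree, which sits on expat rather than libxml2, so it shows what a conforming parser produces for the nested entity (the attribute and all eight content references become "something") and can classify a serialized "xmllint --noent" output as either fully expanded or as carrying the 2.9.2 signature (attribute expanded, later content references empty). It does not reproduce the libxml2 bug itself; the function names and the classification logic are mine.

```python
"""Added example: classify nested-entity expansion for the testcase in bug 738805.

Uses xml.etree.ElementTree (expat), not libxml2, so it demonstrates the
expected expansion and recognises the 2.9.2 output shape; it cannot trigger
the libxml2 regression itself.
"""
import xml.etree.ElementTree as ET

# testcase.xml exactly as posted in the bug report.
TESTCASE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE somedoc [
<!ENTITY a "something">
<!ENTITY b "&a;">
]>
<somedoc>
<somebeacon someattribute="&b;"/>
&a; should appear after colon: &a;
&b; should appear after colon: &a;
&a; should appear after colon: &b;
&b; should appear after colon: &b;
</somedoc>
"""

# Constructed from the report: what "xmllint --noent testcase.xml" printed with
# libxml2-2.9.2. The attribute reference &b; was expanded, every later content
# reference to &a; and &b; came out empty.
OUTPUT_2_9_2 = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE somedoc [
<!ENTITY a "something">
<!ENTITY b "&a;">
]>
<somedoc>
<somebeacon someattribute="something"/>
 should appear after colon:
 should appear after colon:
 should appear after colon:
 should appear after colon:
</somedoc>
"""

EXPECTED = "something"
MARKER = "should appear after colon:"


def expansion_report(xml_bytes):
    """Parse the document and return the expanded attribute value plus the
    (before, after) text surrounding each marker line in the element content.

    Because the DTD declares a and b as internal entities, expat expands them
    (including the nested &b; -> &a; -> "something") before ElementTree sees
    the data, in both the attribute value and the character data.
    """
    root = ET.fromstring(xml_bytes)
    beacon = root.find("somebeacon")
    attr = beacon.get("someattribute")
    pairs = []
    # The text after <somebeacon/> up to </somedoc> is the element's tail.
    for line in (beacon.tail or "").splitlines():
        if MARKER in line:
            before, after = line.split(MARKER, 1)
            pairs.append((before.strip(), after.strip()))
    return {"attribute": attr, "lines": pairs}


def entities_fully_expanded(xml_bytes):
    """True when the attribute and all eight content references read 'something'
    (the libxml2-2.9.1 behaviour from the report)."""
    r = expansion_report(xml_bytes)
    return (r["attribute"] == EXPECTED and len(r["lines"]) == 4
            and all(b == EXPECTED and a == EXPECTED for b, a in r["lines"]))


def looks_like_bug_738805(xml_bytes):
    """True when the output has the 2.9.2 shape: the attribute was expanded but
    the content references that follow it are all empty."""
    r = expansion_report(xml_bytes)
    return (r["attribute"] == EXPECTED and len(r["lines"]) == 4
            and all(b == "" and a == "" for b, a in r["lines"]))


if __name__ == "__main__":
    print("testcase fully expanded:", entities_fully_expanded(TESTCASE))
    print("2.9.2 output matches bug shape:", looks_like_bug_738805(OUTPUT_2_9_2))
```

To check a real libxml2 build, feed the bytes written by "xmllint --noent testcase.xml" to looks_like_bug_738805(); a fixed build's output should instead satisfy entities_fully_expanded().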
git bisect says the offending commit is:

commit be2a7edaf289c5da74a4f9ed3a0b6c733e775230
Author: Daniel Veillard <veillard@redhat.com>
Date:   Thu Oct 16 13:59:47 2014 +0800

    Fix for CVE-2014-3660

    Issues related to the billion laugh entity expansion
    which happened to escape the initial set of fixes
Okay found and fixed:

https://git.gnome.org/browse/libxml2/commit/?id=72a46a519ce7326d9a00f0b6a7f2a8e958cd1675

patch is small but it's a rather convoluted test case and this escaped initial testing, sorry about it,

thanks for the report,

Daniel
Test case added in: https://git.gnome.org/browse/libxml2/commit/?id=df23f584fda15955a0811bd768a8925eb98741c9
(In reply to Daniel Veillard from comment #2)
> Okay found and fixed:
>
> https://git.gnome.org/browse/libxml2/commit/?id=72a46a519ce7326d9a00f0b6a7f2a8e958cd1675
>
> patch is small but it's a rather convoluted test case and this escaped
> initial testing, sorry about it,
>
> thanks for the report,
>
> Daniel

This fix caused the following regression in libxml2 v2.9.3:

Bug 760367: REGRESSION (v2.9.3): Entity is expanded twice when custom xmlEntity is returned from xmlSAXHandler.getEntity
<https://bugzilla.gnome.org/show_bug.cgi?id=760367>