xmllint 2.9.1+dfsg1-3ubuntu4.1 does not load entities any more

Bug #1321869 reported by Jason Gunthorpe on 2014-05-21
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
libxml2 | Fix Released | High | |
libxml2 (Ubuntu) | | Undecided | Marc Deslauriers |
Lucid | | Undecided | Marc Deslauriers |
Precise | | Undecided | Marc Deslauriers |
Saucy | | Undecided | Marc Deslauriers |
Trusty | | Undecided | Marc Deslauriers |
Utopic | | Undecided | Marc Deslauriers |

Bug Description

This is a regression, 2.9.1+dfsg1-3ubuntu4 and all prior for the last 5 years work fine.

xmllint 2.9.1+dfsg1-3ubuntu4.1 doesn't load entities, for instance attempting to validate a docbook document:

$ xmllint --load-trace --path build-hosted/doc/ --path doc/ --xinclude --nonet --postvalid --noout doc/oss-build.xml
Loaded URL="doc/oss-build.xml" ID="(null)"
Loaded URL="http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" ID="-//OASIS//DTD DocBook XML V4.5//EN"
doc/oss-build.xml:6: element article: validity error : No declaration for element article

While prior versions work fine:

Loaded URL="doc/oss-build.xml" ID="(null)"
Loaded URL="http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" ID="-//OASIS//DTD DocBook XML V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/dbnotnx.mod" ID="-//OASIS//ENTITIES DocBook Notations V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/dbcentx.mod" ID="-//OASIS//ENTITIES DocBook Character Entities V4.5//EN"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamsa.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Arrow Relations//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamsb.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Binary Operators//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamsc.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Delimiters//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamsn.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Negated Relations//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamso.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Ordinary//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOamsr.ent" ID="ISO 8879:1986//ENTITIES Added Math Symbols: Relations//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISObox.ent" ID="ISO 8879:1986//ENTITIES Box and Line Drawing//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOcyr1.ent" ID="ISO 8879:1986//ENTITIES Russian Cyrillic//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOcyr2.ent" ID="ISO 8879:1986//ENTITIES Non-Russian Cyrillic//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOdia.ent" ID="ISO 8879:1986//ENTITIES Diacritical Marks//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOgrk1.ent" ID="ISO 8879:1986//ENTITIES Greek Letters//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOgrk2.ent" ID="ISO 8879:1986//ENTITIES Monotoniko Greek//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOgrk3.ent" ID="ISO 8879:1986//ENTITIES Greek Symbols//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOgrk4.ent" ID="ISO 8879:1986//ENTITIES Alternative Greek Symbols//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOlat1.ent" ID="ISO 8879:1986//ENTITIES Added Latin 1//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOlat2.ent" ID="ISO 8879:1986//ENTITIES Added Latin 2//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOnum.ent" ID="ISO 8879:1986//ENTITIES Numeric and Special Graphic//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOpub.ent" ID="ISO 8879:1986//ENTITIES Publishing//EN//XML"
Loaded URL="file:///usr/share/xml/entities/xml-iso-entities-8879.1986/ISOtech.ent" ID="ISO 8879:1986//ENTITIES General Technical//EN//XML"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/dbpoolx.mod" ID="-//OASIS//ELEMENTS DocBook Information Pool V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/htmltblx.mod" ID="-//OASIS//ELEMENTS DocBook XML HTML Tables V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/calstblx.dtd" ID="-//OASIS//DTD DocBook CALS Table Model V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/dbhierx.mod" ID="-//OASIS//ELEMENTS DocBook Document Hierarchy V4.5//EN"
Loaded URL="file:///usr/share/xml/docbook/schema/dtd/4.5/dbgenent.mod" ID="-//OASIS//ENTITIES DocBook Additional General Entities V4.5//EN"

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libxml2-utils 2.9.1+dfsg1-3ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed May 21 12:21:04 2014
InstallationDate: Installed on 2014-04-16 (35 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140415)
SourcePackage: libxml2
UpgradeStatus: No upgrade log present (probably fresh install)
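
A regression check for the behaviour reported above, as an added example that is not part of the original report or of libxml2: it builds a constructed DTD whose element declarations sit in a module pulled in through an external parameter entity (the way docbookx.dtd pulls in its .mod files) and checks that xmllint --postvalid loads that module. The file names mini.dtd, elements.mod and doc.xml and both function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed fixture: the DTD declares nothing itself; every element
# declaration comes from elements.mod via an external parameter entity.
make_fixture() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/elements.mod" <<'EOF'
<!ELEMENT article (title)>
<!ELEMENT title (#PCDATA)>
EOF
    cat > "$dir/mini.dtd" <<'EOF'
<!ENTITY % elements SYSTEM "elements.mod">
%elements;
EOF
    cat > "$dir/doc.xml" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE article SYSTEM "mini.dtd">
<article><title>constructed sample</title></article>
EOF
}

# Returns 0 if the module was loaded and the document validated,
#         1 if the module was not loaded or validation failed (the regression),
#         2 if xmllint is not installed.
check_postvalid_entities() {
    dir=$1
    command -v xmllint >/dev/null 2>&1 || return 2
    make_fixture "$dir" || return 1
    status=0
    # --load-trace writes one 'Loaded URL=' line per resource to stderr.
    trace=$(cd "$dir" && xmllint --load-trace --nonet --postvalid --noout doc.xml 2>&1) || status=$?
    # A build with the regression loads mini.dtd but never elements.mod,
    # then reports "No declaration for element article".
    printf '%s\n' "$trace" | grep -q 'Loaded URL=.*elements\.mod' || return 1
    [ "$status" -eq 0 ] || return 1
    return 0
}

tmp=$(mktemp -d)
rc=0
check_postvalid_entities "$tmp" || rc=$?
case $rc in
    0) echo "ok: external parameter entity loaded, document valid" ;;
    2) echo "skipped: xmllint not installed" ;;
    *) echo "REGRESSION: entities not loaded under --postvalid" ;;
esac
rm -rf "$tmp"
```

Running this after each libxml2 security update catches the case where a hardening change to entity loading also disables loading that validation depends on.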

Jason Gunthorpe (jgunthorpe) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libxml2 (Ubuntu):
status: New → Confirmed
Matthias Klose (doko) on 2014-06-04
Changed in libxml2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in libxml2:
importance: Unknown → High
status: Unknown → New
Matthias Klumpp (ximion) wrote :

This issue also breaks Publican and similar tools which validate their input Docbook before running.
It's a pretty annoying thing to track down (I initially thought it was a publican issue...), especially because it was introduced by a security bugfix, breaking existing setups.

Marc Deslauriers (mdeslaur) wrote :
Changed in libxml2 (Ubuntu Lucid):
status: New → Confirmed
Changed in libxml2 (Ubuntu Precise):
status: New → Confirmed
Changed in libxml2 (Ubuntu Saucy):
status: New → Confirmed
Changed in libxml2 (Ubuntu Trusty):
status: New → Confirmed
Changed in libxml2 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libxml2 (Ubuntu Utopic):
assignee: Ubuntu Security Team (ubuntu-security) → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu6

---------------
libxml2 (2.9.1+dfsg1-3ubuntu6) utopic; urgency=medium

  * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
    (LP: #1321869)
    - debian/patches/lp1321869.patch: also check XML_PARSE_DTDLOAD in
      parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 06 Jun 2014 12:49:52 -0400

Changed in libxml2 (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.6.dfsg-1ubuntu1.12

---------------
libxml2 (2.7.6.dfsg-1ubuntu1.12) lucid-security; urgency=medium

  * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
    (LP: #1321869)
    - Thanks to Alexey Neyman for proposed patch
    - https://mail.gnome.org/archives/xml/2014-May/msg00003.html
 -- Marc Deslauriers <email address hidden> Fri, 06 Jun 2014 13:36:55 -0400

Changed in libxml2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu4.2

---------------
libxml2 (2.9.1+dfsg1-3ubuntu4.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
    (LP: #1321869)
    - debian/patches/lp1321869.patch: also check XML_PARSE_DTDLOAD in
      parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 06 Jun 2014 13:29:08 -0400

Changed in libxml2 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu2.2

---------------
libxml2 (2.9.1+dfsg1-3ubuntu2.2) saucy-security; urgency=medium

  * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
    (LP: #1321869)
    - debian/patches/lp1321869.patch: also check XML_PARSE_DTDLOAD in
      parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 06 Jun 2014 13:29:55 -0400

Changed in libxml2 (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.8.dfsg-5.1ubuntu4.8

---------------
libxml2 (2.7.8.dfsg-5.1ubuntu4.8) precise-security; urgency=medium

  * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
    (LP: #1321869)
    - Thanks to Alexey Neyman for proposed patch
    - https://mail.gnome.org/archives/xml/2014-May/msg00003.html
 -- Marc Deslauriers <email address hidden> Fri, 06 Jun 2014 12:32:11 -0400

Changed in libxml2 (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in libxml2:
status: New → Fix Released
Unit 193 (unit193) wrote :

With the current patch, and libxml2 (2.9.1+dfsg1-3ubuntu4.2), xubuntu-docs still will not build and validate. To fix this problem, I used the upstream patch here: https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825 and rebuilt.

Marc Deslauriers (mdeslaur) wrote :

Thanks, re-opening this bug. I'll release another update with the final upstream commit.

Changed in libxml2 (Ubuntu Saucy):
status: Fix Released → Confirmed
Changed in libxml2 (Ubuntu Trusty):
status: Fix Released → Confirmed
Changed in libxml2 (Ubuntu Utopic):
status: Fix Released → Confirmed
Changed in libxml2 (Ubuntu Lucid):
status: Fix Released → Confirmed
Changed in libxml2 (Ubuntu Precise):
status: Fix Released → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu7

---------------
libxml2 (2.9.1+dfsg1-3ubuntu7) utopic; urgency=medium

  * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
    - debian/patches/lp1321869.patch: use upstream commit which includes
      additional regression fixes to parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 13 Jun 2014 07:26:35 -0400

Changed in libxml2 (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu2.3

---------------
libxml2 (2.9.1+dfsg1-3ubuntu2.3) saucy-security; urgency=medium

  * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
    - debian/patches/lp1321869.patch: use upstream commit which includes
      additional regression fixes to parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 13 Jun 2014 08:34:17 -0400

Changed in libxml2 (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.1+dfsg1-3ubuntu4.3

---------------
libxml2 (2.9.1+dfsg1-3ubuntu4.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
    - debian/patches/lp1321869.patch: use upstream commit which includes
      additional regression fixes to parser.c.
 -- Marc Deslauriers <email address hidden> Fri, 13 Jun 2014 08:33:28 -0400

Changed in libxml2 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.8.dfsg-5.1ubuntu4.9

---------------
libxml2 (2.7.8.dfsg-5.1ubuntu4.9) precise-security; urgency=medium

  * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
    - use upstream commit which includes additional regression fixes to
      parser.c.
    - https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
 -- Marc Deslauriers <email address hidden> Fri, 13 Jun 2014 09:11:38 -0400

Changed in libxml2 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.6.dfsg-1ubuntu1.13

---------------
libxml2 (2.7.6.dfsg-1ubuntu1.13) lucid-security; urgency=medium

  * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
    - use upstream commit which includes additional regression fixes to
      parser.c.
    - https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
 -- Marc Deslauriers <email address hidden> Fri, 13 Jun 2014 09:15:29 -0400

Changed in libxml2 (Ubuntu Lucid):
status: Confirmed → Fix Released

Just got hit by that bug (while trying to build git-remote-hg, which calls asciidoc), even though that patch seems to be applied in current release (on trusty -> libxml2 version 2.9.1+dfsg1-3ubuntu4.4)
