xmllint --xinclude --postvalid broken by CVE-2014-0191 fix

Bug #1322039 reported by Philip Olson
This bug affects 2 people
Affects: libxml2 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

The fix for CVE-2014-0191 changed the parser to not load external entities unless in noent or validating mode. Unfortunately, this breaks "xmllint --xinclude --postvalid" when (for example) validating docbook files, and as a result this breaks the build for a number of distro packages.

I stole this report from the Gentoo bug database, but it also applies to Ubuntu. The related bug reports:

Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=510508
  - libxml2-2.9.1-r3 fails
  - libxml2-2.9.1-r4 works

Upstream, includes patch:
https://bugzilla.gnome.org/show_bug.cgi?id=730290

Ubuntu package:
  - 2.9.1+dfsg1-3ubuntu4 works
  - 2.9.1+dfsg1-3ubuntu4.1 fails

Temporary solution is to downgrade:
  - apt-get install libxml2-dev=2.9.1+dfsg1-3ubuntu4 libxml2=2.9.1+dfsg1-3ubuntu4
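
A small fixture for checking whether an installed libxml2 shows the behaviour described in the report above. This is an added example, not part of the original report or of libxml2. The file names and the DTD are constructed, and it assumes that a DTD which takes its declarations from an external parameter entity is enough to exercise the changed code path.

```shell
#!/bin/sh
# Added example; all file names and the DTD below are constructed.

# Write a document whose DTD gets its declarations from an external
# parameter entity (assumed to mirror how modular DTDs are laid out).
make_fixture() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/elements.mod" <<'EOF'
<!ELEMENT book (title, chapter+)>
<!ATTLIST book xmlns:xi CDATA #IMPLIED>
<!ELEMENT chapter (title)>
<!ATTLIST chapter xml:base CDATA #IMPLIED>
<!ELEMENT title (#PCDATA)>
EOF
    cat > "$dir/mini.dtd" <<'EOF'
<!ENTITY % elements SYSTEM "elements.mod">
%elements;
EOF
    cat > "$dir/chapter.xml" <<'EOF'
<chapter><title>Included chapter</title></chapter>
EOF
    cat > "$dir/book.xml" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE book SYSTEM "mini.dtd">
<book xmlns:xi="http://www.w3.org/2001/XInclude">
  <title>Fixture</title>
  <xi:include href="chapter.xml"/>
</book>
EOF
}

# Run the command line from the report against the fixture.
# Prints valid | invalid | no-xmllint ("invalid" is assumed to mean the regression).
check_postvalid() {
    dir=$1
    command -v xmllint >/dev/null 2>&1 || { echo no-xmllint; return 0; }
    if (cd "$dir" && xmllint --noout --xinclude --postvalid book.xml) \
        >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

workdir=$(mktemp -d)
make_fixture "$workdir"
echo "xmllint --xinclude --postvalid: $(check_postvalid "$workdir")"
rm -rf "$workdir"
```

Running it before and after a package change shows whether the installed build validates the fixture; dropping the output redirection in check_postvalid shows xmllint's own error messages.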

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libxml2 (Ubuntu):
status: New → Confirmed