xmllint --xinclude --postvalid broken by CVE-2014-0191 fix
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libxml2 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The fix for CVE-2014-0191 changed the parser to not load external entities unless in noent or validating mode. Unfortunately, this breaks "xmllint --xinclude --postvalid" when (for example) validating docbook files, and as a result this breaks the build for a number of distro packages.
I stole this report from the Gentoo bug database, but it also applies to Ubuntu. The related bug reports:
Gentoo:
https:/
- libxml2-2.9.1-r3 fails
- libxml2-2.9.1-r4 works
Upstream, includes patch:
https:/
Ubuntu package:
- 2.9.1+dfsg1-
- 2.9.1+dfsg1-
Temporary solution is to downgrade:
- apt-get install libxml2-
Status changed to 'Confirmed' because the bug affects multiple users.