[rpms/xmlstarlet] rawhide: Fix XXE (XML External Entity) vulnerability

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/xmlstarlet] rawhide: Fix XXE (XML External Entity) vulnerability
@ 2026-06-01 12:55 Vitezslav Crhonek
  0 siblings, 0 replies; only message in thread
From: Vitezslav Crhonek @ 2026-06-01 12:55 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/xmlstarlet
            Branch : rawhide
            Commit : 28345a47173054f5de79b15b6cc5ec23a9bf30b9
            Author : Vitezslav Crhonek <vcrhonek@redhat.com>
            Date   : 2026-05-27T08:55:44+02:00
            Stats  : +68/-1 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/xmlstarlet/c/28345a47173054f5de79b15b6cc5ec23a9bf30b9?branch=rawhide

            Log:
            Fix XXE (XML External Entity) vulnerability

Mark relevant test as expected to fail. Mark also
bigxml tests as expected to fail, probably due libxml2
changes in Rawhide.

---
diff --git a/xmlstarlet-1.6.1-fix-xxe.patch b/xmlstarlet-1.6.1-fix-xxe.patch
new file mode 100644
index 0000000..270747c
--- /dev/null
+++ b/xmlstarlet-1.6.1-fix-xxe.patch
@@ -0,0 +1,62 @@
+diff -Naur xmlstarlet-1.6.1.orig/examples/tests.mk xmlstarlet-1.6.1/examples/tests.mk
+--- xmlstarlet-1.6.1.orig/examples/tests.mk	2013-06-22 17:36:56.000000000 +0200
++++ xmlstarlet-1.6.1/examples/tests.mk	2026-05-26 13:31:13.886894244 +0200
+@@ -98,7 +98,13 @@
+ 
+ XFAIL_TESTS =\
+ examples/bigxml-dtd\
+-examples/ed-namespace
++examples/ed-namespace\
++examples/external-entity\
++examples/bigxml-embed-ref\
++examples/bigxml-embed\
++examples/bigxml-relaxng\
++examples/bigxml-well-formed\
++examples/bigxml-xsd
+ 
+ if !HAVE_EXSLT_XPATH_REGISTER
+ XFAIL_TESTS += examples/exslt-ed
+diff -Naur xmlstarlet-1.6.1.orig/src/trans.c xmlstarlet-1.6.1/src/trans.c
+--- xmlstarlet-1.6.1.orig/src/trans.c	2012-08-12 17:18:59.000000000 +0200
++++ xmlstarlet-1.6.1/src/trans.c	2026-05-26 13:31:20.240064967 +0200
+@@ -174,7 +174,10 @@
+     int i, options = 0;
+ 
+     options = XSLT_PARSE_OPTIONS;
+-     
++    /* Disable entity expansion to prevent XXE attacks */
++    options &= ~XML_PARSE_NOENT;
++    options |= XML_PARSE_NONET;
++
+     /*
+      * Compile XSLT Sylesheet
+      */
+diff -Naur xmlstarlet-1.6.1.orig/src/xml_C14N.c xmlstarlet-1.6.1/src/xml_C14N.c
+--- xmlstarlet-1.6.1.orig/src/xml_C14N.c	2012-08-12 17:18:59.000000000 +0200
++++ xmlstarlet-1.6.1/src/xml_C14N.c	2026-05-26 13:31:20.240173256 +0200
+@@ -62,8 +62,8 @@
+      */
+ 
+     doc = xmlReadFile(xml_filename, NULL,
+-        XML_PARSE_NOENT | XML_PARSE_DTDLOAD |
+-        XML_PARSE_DTDATTR | (nonet? XML_PARSE_NONET:0));
++        XML_PARSE_DTDLOAD |
++        XML_PARSE_DTDATTR | XML_PARSE_NONET);
+     if (doc == NULL) {
+         fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_filename);
+         return(EXIT_BAD_FILE);
+diff -Naur xmlstarlet-1.6.1.orig/src/xml_select.c xmlstarlet-1.6.1/src/xml_select.c
+--- xmlstarlet-1.6.1.orig/src/xml_select.c	2014-03-03 01:15:08.000000000 +0100
++++ xmlstarlet-1.6.1/src/xml_select.c	2026-05-26 13:31:20.240276580 +0200
+@@ -708,9 +708,9 @@
+     selInitOptions(&ops);
+     xsltInitOptions(&xsltOps);
+     start = selParseOptions(&ops, argc, argv);
+-    xml_options |= XML_PARSE_NOENT; /* substitute entities */
++    /* XML_PARSE_NOENT removed to prevent XXE attacks */
+     xml_options |= XML_PARSE_DTDATTR; /* use default attrib values */
+-    xml_options |= ops.nonet? XML_PARSE_NONET : 0;
++    xml_options |= XML_PARSE_NONET;
+     xsltOps.nonet = ops.nonet;
+     xsltOps.noblanks = ops.noblanks;
+     xsltInitLibXml(&xsltOps);

diff --git a/xmlstarlet.spec b/xmlstarlet.spec
index 3eb4433..f23783b 100644
--- a/xmlstarlet.spec
+++ b/xmlstarlet.spec
@@ -2,7 +2,7 @@
 
 Name: xmlstarlet
 Version: 1.6.1
-Release: 29%{?dist}
+Release: 30%{?dist}
 Summary: Command Line XML Toolkit
 License: MIT
 URL: http://xmlstar.sourceforge.net/
@@ -10,6 +10,8 @@ Source0: http://downloads.sourceforge.net/xmlstar/%{name}-%{version}.tar.gz
 # https://sourceforge.net/p/xmlstar/bugs/109/
 Patch0: xmlstarlet-1.6.1-nogit.patch
 # http://sourceforge.net/tracker/?func=detail&aid=3266898&group_id=66612&atid=515106
+# Fix for XXE (XML External Entity) vulnerability
+Patch1: xmlstarlet-1.6.1-fix-xxe.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -53,6 +55,9 @@ make check
 
 
 %changelog
+* Wed May 27 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.6.1-30
+- Fix XXE (XML External Entity) vulnerability
+
 * Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-29
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
 

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-01 12:55 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-01 12:55 [rpms/xmlstarlet] rawhide: Fix XXE (XML External Entity) vulnerability Vitezslav Crhonek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox