public inbox for git-commits@fedoraproject.org
From: Vitezslav Crhonek <vcrhonek@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/xmlstarlet] f43: Fix XXE (XML External Entity) vulnerability
Date: Tue, 02 Jun 2026 16:08:48 GMT
Message-ID: <178041652883.1.310365629330007017.rpms-xmlstarlet-28345a471730@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/xmlstarlet
Branch : f43
Commit : 28345a47173054f5de79b15b6cc5ec23a9bf30b9
Author : Vitezslav Crhonek <vcrhonek@redhat.com>
Date : 2026-05-27T08:55:44+02:00
Stats : +68/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/xmlstarlet/c/28345a47173054f5de79b15b6cc5ec23a9bf30b9?branch=f43
Log:
Fix XXE (XML External Entity) vulnerability
Mark relevant test as expected to fail. Mark also
bigxml tests as expected to fail, probably due to libxml2
changes in Rawhide.
---
diff --git a/xmlstarlet-1.6.1-fix-xxe.patch b/xmlstarlet-1.6.1-fix-xxe.patch
new file mode 100644
index 0000000..270747c
--- /dev/null
+++ b/xmlstarlet-1.6.1-fix-xxe.patch
@@ -0,0 +1,62 @@
+diff -Naur xmlstarlet-1.6.1.orig/examples/tests.mk xmlstarlet-1.6.1/examples/tests.mk
+--- xmlstarlet-1.6.1.orig/examples/tests.mk 2013-06-22 17:36:56.000000000 +0200
++++ xmlstarlet-1.6.1/examples/tests.mk 2026-05-26 13:31:13.886894244 +0200
+@@ -98,7 +98,13 @@
+
+ XFAIL_TESTS =\
+ examples/bigxml-dtd\
+-examples/ed-namespace
++examples/ed-namespace\
++examples/external-entity\
++examples/bigxml-embed-ref\
++examples/bigxml-embed\
++examples/bigxml-relaxng\
++examples/bigxml-well-formed\
++examples/bigxml-xsd
+
+ if !HAVE_EXSLT_XPATH_REGISTER
+ XFAIL_TESTS += examples/exslt-ed
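Review bot: adding examples/external-entity to XFAIL_TESTS hides the very behaviour this patch is meant to change instead of asserting it; update that test's expected output so it shows the external entity left unexpanded (or the parse rejected), otherwise a future change that re-enables expansion passes the suite unnoticed. The five bigxml-* entries are a separate problem: the commit message attributes them to libxml2 changes only "probably", and folding them into the same patch as a security fix makes it impossible to tell intended failures from regressions; keep them in their own patch (or an XFAIL_TESTS += line in the spec) with a comment naming the libxml2 change once it is identified.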
+diff -Naur xmlstarlet-1.6.1.orig/src/trans.c xmlstarlet-1.6.1/src/trans.c
+--- xmlstarlet-1.6.1.orig/src/trans.c 2012-08-12 17:18:59.000000000 +0200
++++ xmlstarlet-1.6.1/src/trans.c 2026-05-26 13:31:20.240064967 +0200
+@@ -174,7 +174,10 @@
+ int i, options = 0;
+
+ options = XSLT_PARSE_OPTIONS;
+-
++ /* Disable entity expansion to prevent XXE attacks */
++ options &= ~XML_PARSE_NOENT;
++ options |= XML_PARSE_NONET;
++
+ /*
+ * Compile XSLT Sylesheet
+ */
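Review bot: clearing XML_PARSE_NOENT leaves the rest of XSLT_PARSE_OPTIONS in place, and that macro (libxslt's xslt.h) also sets XML_PARSE_DTDLOAD, so an external DTD subset named by the stylesheet's SYSTEM identifier is still read from the local filesystem; XML_PARSE_NONET only stops http/ftp fetches. On libxml2 2.13 and later, also OR in XML_PARSE_NO_XXE, which refuses external entities regardless of the other flags. The comment should say "external entity expansion": the lines above also stop substitution of internal entities, which has nothing to do with XXE and is a visible output change. Finally, this hunk only touches the options used to compile the stylesheet; confirm that the input document parse for `tr`, which is not in this hunk, receives the same treatment.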
+diff -Naur xmlstarlet-1.6.1.orig/src/xml_C14N.c xmlstarlet-1.6.1/src/xml_C14N.c
+--- xmlstarlet-1.6.1.orig/src/xml_C14N.c 2012-08-12 17:18:59.000000000 +0200
++++ xmlstarlet-1.6.1/src/xml_C14N.c 2026-05-26 13:31:20.240173256 +0200
+@@ -62,8 +62,8 @@
+ */
+
+ doc = xmlReadFile(xml_filename, NULL,
+- XML_PARSE_NOENT | XML_PARSE_DTDLOAD |
+- XML_PARSE_DTDATTR | (nonet? XML_PARSE_NONET:0));
++ XML_PARSE_DTDLOAD |
++ XML_PARSE_DTDATTR | XML_PARSE_NONET);
+ if (doc == NULL) {
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_filename);
+ return(EXIT_BAD_FILE);
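Review bot: `nonet` is now dead in this function because XML_PARSE_NONET is set unconditionally, which at minimum produces an unused-variable or unused-parameter warning and silently ignores whatever command-line option sets it; either remove the variable and its option handling or keep `(nonet ? XML_PARSE_NONET : 0)` with the default flipped to on. XML_PARSE_DTDLOAD is kept, which canonicalisation needs for XML_PARSE_DTDATTR to supply default attributes, so a DTD on the local filesystem is still read; that is a reasonable trade-off for a local CLI, but it means the patch narrows XXE rather than eliminating it and the changelog should say so.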
+diff -Naur xmlstarlet-1.6.1.orig/src/xml_select.c xmlstarlet-1.6.1/src/xml_select.c
+--- xmlstarlet-1.6.1.orig/src/xml_select.c 2014-03-03 01:15:08.000000000 +0100
++++ xmlstarlet-1.6.1/src/xml_select.c 2026-05-26 13:31:20.240276580 +0200
+@@ -708,9 +708,9 @@
+ selInitOptions(&ops);
+ xsltInitOptions(&xsltOps);
+ start = selParseOptions(&ops, argc, argv);
+- xml_options |= XML_PARSE_NOENT; /* substitute entities */
++ /* XML_PARSE_NOENT removed to prevent XXE attacks */
+ xml_options |= XML_PARSE_DTDATTR; /* use default attrib values */
+- xml_options |= ops.nonet? XML_PARSE_NONET : 0;
++ xml_options |= XML_PARSE_NONET;
+ xsltOps.nonet = ops.nonet;
+ xsltOps.noblanks = ops.noblanks;
+ xsltInitLibXml(&xsltOps);
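Review bot: `xml_options` now ignores `ops.nonet` while the unchanged line immediately below still copies it into `xsltOps.nonet`, so the user's network option affects the XSLT side but not the document parse; either keep the conditional with a new default of nonet=1 or drop the option entirely so the two stay consistent. Dropping XML_PARSE_NOENT also changes `sel` output for documents whose DTD defines internal entities (references are no longer substituted), a user-visible regression unrelated to XXE; if that is not intended, keep NOENT and block only external resources (XML_PARSE_NO_XXE on libxml2 2.13+, or a restrictive loader installed with xmlSetExternalEntityLoader), and note the output change in the changelog either way.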
diff --git a/xmlstarlet.spec b/xmlstarlet.spec
index 3eb4433..f23783b 100644
--- a/xmlstarlet.spec
+++ b/xmlstarlet.spec
@@ -2,7 +2,7 @@
Name: xmlstarlet
Version: 1.6.1
-Release: 29%{?dist}
+Release: 30%{?dist}
Summary: Command Line XML Toolkit
License: MIT
URL: http://xmlstar.sourceforge.net/
@@ -10,6 +10,8 @@ Source0: http://downloads.sourceforge.net/xmlstar/%{name}-%{version}.tar.gz
# https://sourceforge.net/p/xmlstar/bugs/109/
Patch0: xmlstarlet-1.6.1-nogit.patch
# http://sourceforge.net/tracker/?func=detail&aid=3266898&group_id=66612&atid=515106
+# Fix for XXE (XML External Entity) vulnerability
+Patch1: xmlstarlet-1.6.1-fix-xxe.patch
BuildRequires: make
BuildRequires: gcc
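Review bot: the Patch1 comment names only the class of bug; add the upstream bug, tracker or advisory reference if one exists (as the Patch0 comment does) so the patch can be retired when it lands upstream, and confirm that %prep actually applies Patch1 (%autosetup or an explicit %patch line), which this hunk does not show.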
@@ -53,6 +55,9 @@ make check
%changelog
+* Wed May 27 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.6.1-30
+- Fix XXE (XML External Entity) vulnerability
+
* Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
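Review bot: the changelog entry mentions only the XXE fix, but the same patch forces XML_PARSE_NONET on unconditionally, stops internal entity substitution in `sel` and `c14n` output, and marks six tests (external-entity and five bigxml-*) as expected to fail; list those behaviour changes here so users and future maintainers can see them without reading the patch.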