[Libreoffice-commits] core.git: 3 commits - configure.ac RepositoryExternal.mk unoxml/qa unoxml/source
Michael Stahl
mstahl at redhat.com
Wed Apr 3 13:56:12 PDT 2013
RepositoryExternal.mk | 1
configure.ac | 2 +
unoxml/qa/complex/unoxml/RDFRepositoryTest.java | 14 +++++++++++
unoxml/qa/complex/unoxml/testdocuments/cve_2012_0037.rdf | 19 +++++++++++++++
unoxml/source/rdf/librdf_repository.cxx | 10 -------
5 files changed, 35 insertions(+), 11 deletions(-)
New commits:
commit df2ecdcb6e604f8e1dcea1549c929a1ced06c583
Author: Michael Stahl <mstahl at redhat.com>
Date: Wed Apr 3 22:52:40 2013 +0200
unordf: add unit test for CVE-2012-0037
Change-Id: Ife037f05ddf66bc8c0598cb9521e95a1fa15c26e
diff --git a/unoxml/qa/complex/unoxml/RDFRepositoryTest.java b/unoxml/qa/complex/unoxml/RDFRepositoryTest.java
index c84ab56..4356de0 100644
--- a/unoxml/qa/complex/unoxml/RDFRepositoryTest.java
+++ b/unoxml/qa/complex/unoxml/RDFRepositoryTest.java
@@ -543,6 +543,20 @@ public class RDFRepositoryTest
}
}
+ @Test public void checkCVE_2012_0037() throws Exception
+ {
+ XInputStream xIn = new StreamSimulator(
+ TestDocument.getUrl("cve_2012_0037.rdf"), true, param);
+ xRep.importGraph(FileFormat.RDF_XML, xIn, manifest, base);
+ XNamedGraph xGraph = xRep.getGraph(manifest);
+ assertNotNull("no graph", xGraph);
+ XEnumeration xEnum = xGraph.getStatements(foo, bar, null);
+ // there must not be anything more than "EVIL" in the literal
+ XLiteral evil = Literal.create(xContext, "EVIL");
+ Statement FooBarEvil = new Statement(foo, bar, evil, manifest);
+ assertTrue("EVIL", eq(xEnum, new Statement [] { FooBarEvil }));
+ }
+
// utilities -------------------------------------------------------------
public void report2(Exception e)
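Review bot: checkCVE_2012_0037 can only detect a regression on systems where `file:///etc/passwd` resolves, because the fixture cve_2012_0037.rdf hard-codes that path in its `<!ENTITY file SYSTEM ...>` declaration. On a platform without that file the literal presumably stays `EVIL`, or the import fails for an unrelated reason, whether or not the parser loads external entities. If the base URI passed to importGraph permits it, pointing the entity at a small marker file shipped in testdocuments would make the assertion platform-independent and keep the test from touching a real system file. A one-line comment above the method would also help, e.g. `// the external entity &file; must not be expanded by the RDF/XML parser (CVE-2012-0037)`.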
diff --git a/unoxml/qa/complex/unoxml/testdocuments/cve_2012_0037.rdf b/unoxml/qa/complex/unoxml/testdocuments/cve_2012_0037.rdf
new file mode 100644
index 0000000..9e2327c
--- /dev/null
+++ b/unoxml/qa/complex/unoxml/testdocuments/cve_2012_0037.rdf
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<!DOCTYPE rdf [
+ <!ENTITY file SYSTEM "file:///etc/passwd">
+]>
+<!--
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+-->
+<rdf:RDF
+ xmlns:baz="uri:"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <rdf:Description rdf:about="uri:foo">
+ <baz:bar>EVIL&file;</baz:bar>
+ </rdf:Description>
+</rdf:RDF>
commit 5fccea4add2eb5b838733becdb4dc3120151a82f
Author: Michael Stahl <mstahl at redhat.com>
Date: Wed Apr 3 22:15:57 2013 +0200
unordf: replace external entity disabling handler code ...
... with a configure check for the fixed raptor library.
Change-Id: I495d5d28e9a4e7b6234f8f9d17c2bda36154316d
diff --git a/configure.ac b/configure.ac
index a3f50aa..eabc81a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8475,6 +8475,8 @@ dnl ===================================================================
dnl versions before 1.0.8 write RDF/XML that is useless for ODF (@xml:base)
libo_CHECK_SYSTEM_MODULE([redland],[REDLAND],[redland >= 1.0.8])
if test "$with_system_redland" = "yes"; then
+ # need at least 2.0.7 for CVE-2012-0037
+ PKG_CHECK_MODULES([RAPTOR2],[raptor2 >= 2.0.7])
libo_MINGW_CHECK_DLL([REDLAND], [librdf])
libo_MINGW_TRY_DLL([RAPTOR], [libraptor])
libo_MINGW_TRY_DLL([RASQAL], [librasqal])
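Review bot: The `raptor2 >= 2.0.7` test on the added `PKG_CHECK_MODULES` line is a build-time version gate only. The same commit removes the in-process `xmlSetExternalEntityLoader` guard from librdf_repository.cxx, so importGraph no longer blocks external entities itself if the raptor loaded at run time is older than the one configure saw. A pure version comparison also rejects distribution packages that carry the CVE-2012-0037 fix as a backport under a lower version number. Neither of two things is visible in this hunk and both are worth confirming: that a system redland accepted by the `redland >= 1.0.8` line above is actually linked against this raptor2, and that the bundled (non-system) raptor is at a fixed version; the `if test` block continues past the hunk. A comment stating the dependency would help, e.g. `# the UNO RDF import relies on raptor itself refusing external entities; there is no longer a fallback in librdf_repository.cxx`.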
diff --git a/unoxml/source/rdf/librdf_repository.cxx b/unoxml/source/rdf/librdf_repository.cxx
index 733b313..be3e81f 100644
--- a/unoxml/source/rdf/librdf_repository.cxx
+++ b/unoxml/source/rdf/librdf_repository.cxx
@@ -32,7 +32,6 @@
#include <boost/bind.hpp>
#include <libxslt/security.h>
-#include <libxml/parser.h>
#include <redland.h>
@@ -872,11 +871,6 @@ bool formatNeedsBaseURI(::sal_Int16 i_Format)
return true;
}
-xmlParserInputPtr myExtEntityLoader( const char* /*URL*/, const char* /*ID*/, xmlParserCtxtPtr /*context*/)
-{
- return NULL;
-}
-
//void SAL_CALL
uno::Reference<rdf::XNamedGraph> SAL_CALL
librdf_Repository::importGraph(::sal_Int16 i_Format,
@@ -954,9 +948,6 @@ throw (uno::RuntimeException, lang::IllegalArgumentException,
"librdf_new_parser failed", *this);
}
- xmlExternalEntityLoader oldExtEntityLoader = xmlGetExternalEntityLoader();
- xmlSetExternalEntityLoader( myExtEntityLoader);
-
uno::Sequence<sal_Int8> buf;
uno::Reference<io::XSeekable> xSeekable(i_xInStream, uno::UNO_QUERY);
// UGLY: if only that redland junk could read streams...
@@ -982,7 +973,6 @@ throw (uno::RuntimeException, lang::IllegalArgumentException,
"librdf_model_context_add_statements failed", *this);
}
- xmlSetExternalEntityLoader( oldExtEntityLoader);
return getGraph(i_xGraphName);
}
commit cf176b444aa5d2b3fbb352fb723c0f6322ea1379
Author: Michael Stahl <mstahl at redhat.com>
Date: Wed Apr 3 21:58:34 2013 +0200
redland does no longer use openssl
Change-Id: I704a5a5ae4122fadf0fe5f8ec07ad3cb0bbefee2
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index 295058f..dee5eff 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -932,7 +932,6 @@ $(call gb_LinkTarget_use_static_libraries,$(1),\
rdf \
rasqal \
raptor2 \
- crypto \
)
endef