LSN-2014-0003: Don't expand entities when parsing XML

debian/patches/security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch

+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 15 Apr 2014 11:20:29 +0100
+Subject: LSN-2014-0003: Don't expand entities when parsing XML
+
+If the XML_PARSE_NOENT flag is passed to libxml2, then any
+entities in the input document will be fully expanded. This
+allows the user to read arbitrary files on the host machine
+by creating an entity pointing to a local file. Removing
+the XML_PARSE_NOENT flag means that any entities are left
+unchanged by the parser, or expanded to "" by the XPath
+APIs.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ src/util/virxml.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virxml.c b/src/util/virxml.c
+index 9f00f62..34af64a 100644
+--- a/src/util/virxml.c
++++ b/src/util/virxml.c
+@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode,
+ 
+     if (filename) {
+         xml = xmlCtxtReadFile(pctxt, filename, NULL,
+-                              XML_PARSE_NOENT | XML_PARSE_NONET |
++                              XML_PARSE_NONET |
+                               XML_PARSE_NOWARNING);
+     } else {
+         xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
+-                             XML_PARSE_NOENT | XML_PARSE_NONET |
++                             XML_PARSE_NONET |
+                              XML_PARSE_NOWARNING);
+     }
+     if (!xml)

debian/patches/series

@@ -12,3 +12,4 @@ debian/Debianize-systemd-service-files.patch
 Allow-xen-toolstack-to-find-it-s-binaries.patch
 Skip-vircgrouptest.patch
 Include-param.h-on-kFreeBSD.patch
+security/LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch