File _service:tar_scm:backport-CVE-2024-40896.patch of Package libxml2

From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 6 Jul 2024 01:03:46 +0200
Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code

Some users set an entity's children manually in the getEntity SAX
callback to restrict entity expansion. This stopped working after
renaming the "checked" member of xmlEntity, making at least one
downstream project and its dependants susceptible to XXE attacks.

See #761.
---
 parser.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/parser.c b/parser.c
index 4feb21a28..8fe0a064d 100644
--- a/parser.c
+++ b/parser.c
@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 	return;
     }
 
+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
     /*
      * The first reference to the entity trigger a parsing phase
      * where the ent->children is filled with the result from
-- 
GitLab