Daniel Veillard discovered that a specially crafted document can lead to a recursive evaluation of entities, the result being an exhaustion of memory and CPU usage Acknowledgements: Red Hat would like to thank Andreas Solberg for responsibly disclosing this issue.
I was mistaken, Andreas Solberg is the discoverer of this flaw.
Public now via: http://mail.gnome.org/archives/xml/2008-August/msg00034.html
libxml2-2.6.32-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libxml2-2.6.32-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
It seems that it introduces some issues with createrepo command (which uses libxml2-python and libxml2). Sometimes the changelog entries of packages contain "<" and/or ">" symbols. For example, a fragment of the changelog of "k3b" package: > * Wed Oct 6 02:00:00 2004 Harald Hoyer <harald> 0:0.11.17-1 > - version 0.11.17 > - revert the dao -> tao change > - add the suid feature to every app automatically note the "->" in the line: > - revert the dao -> tao change When I create my local repodata ("cd somewhere; createrepo ."), the correspond fragment appears in the "repodata/other.xml.gz" file, in the form of: > - revert the dao -> tao change Then, when I update my repodata by "createrepo --update .", I receive an error: > Scanning old repo data > Indexed 2997 base nodes > Indexed 3001 filelist nodes > /var/ftp/.4/fedora-8/fedora/i386/./repodata/other.xml.gz:118813: parser error : Detected an entity reference loop > - revert the dao -> tao change > ^ > Traceback (most recent call last): > File "/usr/share/createrepo/genpkgmetadata.py", line 722, in <module> > main(sys.argv[1:]) > File "/usr/share/createrepo/genpkgmetadata.py", line 645, in main > mdgen.doPkgMetadata(directory) > File "/usr/share/createrepo/genpkgmetadata.py", line 161, in doPkgMetadata > basefile, flfile, otherfile, opts) > File "/usr/share/createrepo/readMetadata.py", line 41, in __init__ > self.scan() > File "/usr/share/createrepo/readMetadata.py", line 64, in scan > root = libxml2.parseFile(self.files['other']).getRootElement() > File "/usr/lib/python2.5/site-packages/libxml2.py", line 1279, in parseFile > if ret is None:raise parserError('xmlParseFile() failed') > libxml2.parserError: xmlParseFile() failed IOW, the initial "full" createrepo run seems OK, the subsequent run with "--update" is failed. Any comments?
Forget, the latest libxml2-2.7.1 has no such an issue...
w.r.t. comment #21 the first fix had that problem, we pushed other updates using a different fix without that problem later. 2.7.x fixes it too Daniel
This was fixed in RHEL 2.1, 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0836.html