Created attachment 646281
tarball of schemas and XMLs to reproduce the issue

Description of problem:
libxml2 shipped in RHEL5 has serious problems validating using XML schemas with certain content in them. These problems don't exist in the version shipped in RHEL6 (libxml2-2.7+). We need to validate using these "problematic" XML schemas in openscap that we want to ship to RHEL5.

The schemas that contain union xsd type definitions, regex constraints of certain properties and imports of external schemas with key constraints in the external schemas are all problematic.

Version-Release number of selected component (if applicable):
libxml2-2.6.26-2.1.15.el5_8.5

How reproducible:
always

Steps to Reproduce:
It is enough to use "xmllint --schema SCHEMA FILE" to see the issue.

File pairs these problems are reproducible with (attached):
- schemas/sds/1.2/scap-source-data-stream_1.2.xsd, xmls/sds.xml (union type definition, external schemas and key constraints)
- schemas/cpe/2.3/cpe-dictionary_2.3.xsd, xmls/cpe-dict.xml (regex constraint)

$ xmllint --schema schemas/sds/1.2/scap-source-data-stream_1.2.xsd xmls/sds.xml
$ xmllint --schema schemas/cpe/2.3/cpe-dictionary_2.3.xsd xmls/cpe-dict.xml

Actual results:
XMLs are reported to be invalid even though they are valid (and validate properly on RHEL6 and libxml2-2.7).

Expected results:
XMLs are reported to be valid.

Additional info:
Hum, that one seems to validate for me:

[root@test-rhel55 877348]# xmllint --noout --nowarning --schema schemas/sds/1.2/scap-source-data-stream_1.2.xsd xmls/sds.xml
xmls/sds.xml validates

but that one doesn't

xmllint --noout --nowarning --schema schemas/cpe/2.3/cpe-dictionary_2.3.xsd xmls/cpe-dict.xml
xmls/cpe-dict.xml:5: element cpe-item: Schemas validity error : Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item', attribute 'name': [facet 'pattern'] The value 'cpe:/o:example:applicable:5' is not accepted by the pattern '[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}'.
...
xmls/cpe-dict.xml fails to validate
[root@test-rhel55 877348]#

that one fails. Agreed,

Daniel
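
Added example, not part of the original report and not libxml2 or openscap code: an independent cross-check of the pattern facet quoted in the error above, run with Python's re module over a constructed dictionary snippet. It assumes Python's regex syntax agrees with XSD's for this particular pattern; SAMPLE_DICT and the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Pattern facet and namespace exactly as quoted in the xmllint error message.
CPE_NAME_PATTERN = r"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"
CPE_DICT_NS = "http://cpe.mitre.org/dictionary/2.0"

# Constructed sample, NOT the xmls/cpe-dict.xml from the attachment.
# The first name is the value xmllint rejected; the last three are
# deliberately malformed to show what the pattern really excludes.
SAMPLE_DICT = """
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:example:applicable:5"/>
  <cpe-item name="cpe:/a:example:app:1.0:update1:pro:en"/>
  <cpe-item name="cpe:/x:example:bad"/>
  <cpe-item name="cpe:/o:example:has space"/>
  <cpe-item name="cpe:/o:a:b:c:d:e:f:g"/>
</cpe-list>
"""


def xsd_pattern_accepts(pattern, value):
    """XSD pattern facets are implicitly anchored, so the whole value must match."""
    return re.fullmatch(pattern, value) is not None


def rejected_cpe_names(xml_text, pattern=CPE_NAME_PATTERN):
    """Return the cpe-item 'name' attributes the pattern does not accept."""
    root = ET.fromstring(xml_text)
    rejected = []
    for item in root.iter("{%s}cpe-item" % CPE_DICT_NS):
        name = item.get("name", "")
        if not xsd_pattern_accepts(pattern, name):
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    for name in rejected_cpe_names(SAMPLE_DICT):
        print("rejected by pattern:", name)
```

A name that this check accepts but the installed xmllint rejects points at the validator rather than at the SCAP content.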
A single upstream commit seems to fix the problem:

http://git.gnome.org/browse/libxml2/commit/?id=1ba2aca3ebc3b47653a86849746b168a4e0bd8c6

Note that upstream head still raises a warning when validating against schemas/sds/1.2/scap-source-data-stream_1.2.xsd, but it's just a warning and not the source of the problem (since apparently you are fine with RHEL-6).

Daniel
Build libxml2-2.6.26-2.1.22.el5 includes the fix,

Daniel
(In reply to comment #14)
> Build libxml2-2.6.26-2.1.22.el5 includes the fix,
>
> Daniel

Is libxml2-2.6.26-2.1.22.el5 available publicly somewhere? Can I just use libxml2-2.6.27-1.i386.rpm in http://xmlsoft.org/sources/old/?
Updated libxml2 to libxml2-2.6.26-2.1.21.el5 and this fixes the oscap parsing issue. Uses openscap-0.9.2 and libxml2-2.6.26-2.1.21 with Redhat 5 STIG Benchmark version 1, release 3 from http://iase.disa.mil/stigs/os/unix/red_hat.html .