Package: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: important

Dear Maintainer,
We found a case where DTDs are not correctly handled in some XML files. Please find in attachment bug.xml and bug.dtd, which reproduce the bug:

Result:

$ xmllint --format --noent --loaddtd bug.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE page SYSTEM "./bug.dtd">
<xml>
  <a b="www.example.org"/>
  <c/>
</xml>

Here, rootDomain is replaced by an empty string instead of "www.example.org".

If both "a" and "c" are reversed, like in good.xml:

$ xmllint --format --noent --loaddtd good.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE page SYSTEM "./bug.dtd">
<xml>
  <c>www.example.org</c>
  <a b="www.example.org"/>
</xml>

rootDomain is well replaced.

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10.9-xxxx-grs-ipv6-64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6              2.13-38+deb7u7
ii  liblzma5           5.1.1alpha+20120614-2
ii  multiarch-support  2.13-38+deb7u7
ii  zlib1g             1:1.2.7.dfsg-13

Versions of packages libxml2 recommends:
ii  xml-core  0.13+nmu2

libxml2 suggests no packages.

-- no debconf information
<!ENTITY rootDomain "www.example.org">
<!ENTITY cgiDomain "&rootDomain;">
bug.xml
Description: XML document
good.xml
Description: XML document
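
Added example, not part of the original report: a regression check for the order-dependent expansion described above, run with the same xmllint flags. bug.dtd is taken from the report; the two XML documents are constructed stand-ins (the attachments are not reproduced on this page) and the function names are hypothetical.

```shell
#!/bin/sh
# Added regression check (not from the report). bug.dtd is copied from the
# report; the two XML documents are CONSTRUCTED stand-ins for the attachments.

# Write the DTD and both element orders into directory $1.
make_cases() {
    cat > "$1/bug.dtd" <<'EOF'
<!ENTITY rootDomain "www.example.org">
<!ENTITY cgiDomain "&rootDomain;">
EOF
    head='<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE page SYSTEM "./bug.dtd">'
    printf '%s\n<xml><a b="&cgiDomain;"/><c>&cgiDomain;</c></xml>\n' "$head" > "$1/bug.xml"
    printf '%s\n<xml><c>&cgiDomain;</c><a b="&cgiDomain;"/></xml>\n' "$head" > "$1/good.xml"
}

# Return 0 if file $1 expands the entity in both the attribute and the
# element content, 1 if either expansion is missing or xmllint fails.
expands_fully() {
    out=$(cd "$(dirname "$1")" && xmllint --format --noent --loaddtd "$(basename "$1")") || return 1
    printf '%s\n' "$out" | grep -qF 'b="www.example.org"' || return 1
    printf '%s\n' "$out" | grep -qF '<c>www.example.org</c>' || return 1
}

# Return 0 if both orders expand, 1 if either is wrong, 2 if xmllint is absent.
check_order_independence() {
    command -v xmllint >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    make_cases "$dir"
    rc=0
    for f in bug.xml good.xml; do
        if expands_fully "$dir/$f"; then
            echo "ok   $f"
        else
            echo "FAIL $f: entity missing from attribute or content"
            rc=1
        fi
    done
    rm -rf "$dir"
    return $rc
}

check_order_independence || echo "check_order_independence returned $?"
```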