From ${URL} :

According to XML::LibXML's documentation it should be possible to disable processing of external entities by using the "expand_entities" parameter. Two example scripts are attached to this mail. The output of XEE-XML-LibXML-demo.pl should not contain external entities, but "expand_entities" is ignored. The output of XEE-XML-LibXML-demo2.pl is as expected (no external entities).

The behaviour depends on how the XML is loaded. Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using "$parser = XML::LibXML->new" and "$XML_DOC = $parser->load_xml" does not.

I've tested the issue on two platforms and was able to print out the system's "/etc/passwd" file.

Ubuntu 12.04.5 LTS
Perl version: v5.14.2
libxml2 version: 2.7.8
XML::LibXML version: 1.89

Mac OS X 10.9.5
Perl version: v5.16.2
libxml2 version: 2.9.0
XML::LibXML version: 2.0118

The vulnerability is fixed in version 2.0119. I'm not sure which older versions are affected, however the vulnerability is present in version 1.89 and probably older versions, too.

The fix: <https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30>
Changelog: <http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes>

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
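The two load paths the report contrasts, written up as an added regression check for a package maintainer (this is not the reporter's attached demo script, which is not on this page). The `expand_entities` option, `XML::LibXML->load_xml` and `$parser->load_xml` are real XML::LibXML API; the temporary file and its marker text are constructed so the check reads only a file it created itself:

```perl
#!/usr/bin/env perl
# Regression check for the behaviour described in the report: does
# expand_entities => 0 stop external general entities from being resolved
# on both the class-method and the parser-object code path?
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed secret. If this text shows up in the parsed document, the
# external entity was resolved despite expand_entities => 0.
my $marker = 'CONSTRUCTED-MARKER-DO-NOT-LEAK';
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "$marker\n";
close $fh;

# Document whose internal subset declares an external entity pointing at
# the temp file, referenced once in content.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file://$path"> ]>
<doc>&ext;</doc>
XML

# 1 if the marker leaked into the serialised document, 0 if the reference
# stayed unexpanded (serialises as "&ext;").
sub leaked {
    my ($doc) = @_;
    return index($doc->toString, $marker) >= 0 ? 1 : 0;
}

my %paths = (
    # Class-method call: the report says this honours the option.
    'XML::LibXML->load_xml' => sub {
        XML::LibXML->load_xml(string => $xml, expand_entities => 0);
    },
    # Parser object first: the report says the option was ignored here
    # before 2.0119.
    'XML::LibXML->new->load_xml' => sub {
        my $p = XML::LibXML->new(expand_entities => 0);
        $p->load_xml(string => $xml);
    },
);

my $vulnerable = 0;
for my $name (sort keys %paths) {
    my $doc = eval { $paths{$name}->() };
    if (!$doc) { print "$name: parse failed: $@"; next; }
    my $leak = leaked($doc);
    $vulnerable ||= $leak;
    printf "%-28s %s\n", $name, $leak ? 'LEAKED (vulnerable)' : 'not expanded (ok)';
}
print "XML::LibXML $XML::LibXML::VERSION, libxml2 ", XML::LibXML::LIBXML_RUNTIME_VERSION(), "\n";
exit $vulnerable;
```

A non-zero exit status means at least one path resolved the external entity, which is what the report describes for the parser-object path on 1.89 and 2.0118.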
I have the ebuild ready to get bumped in my CVS repo. However, a bunch of tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and keywording.
(In reply to Patrice Clement from comment #1)
> I have the ebuild ready to get bumped in my CVS repo. However, a bunch of
> tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and
> keywording.

Commit it with dropped keywords for architectures which lack keywords on dev-perl/Test-LeakTrace.
+*XML-LibXML-2.12.100 (04 Jun 2015) + + 04 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +XML-LibXML-2.12.100.ebuild: + Version bump. Fix security bug 548032. +

Please stabilise this package ASAP. Previous version was stable for the following platforms:
- alpha
- amd64
- arm
- arm64
- hppa
- ia64
- ppc
- ppc64
- s390
- sh
- sparc
- x86
(In reply to Patrice Clement from comment #3)
> +*XML-LibXML-2.12.100 (04 Jun 2015) > + > + 04 Jun 2015; Patrice Clement <monsieurp@gentoo.org> > + +XML-LibXML-2.12.100.ebuild: > + Version bump. Fix security bug 548032. > +
>
> Please stabilise this package ASAP. Previous version was stable for the
> following platforms:

fwiw, that would require CCing the arches...

Arches, please stabilize:
=dev-perl/XML-LibXML-2.12.100

Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
GLSA vote: no.
GLSA Vote: No

04 Jun 2015; Mikle Kolyada <zlogene@gentoo.org> -XML-LibXML-2.1.400-r1.ebuild, XML-LibXML-2.12.100.ebuild:
Stable for all (security bug #548032)

Thanks for cleanup and stabilization. Closing [noglsa]
CVE-2015-3451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3451): The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.