From ${URL} : It was found that XML::LibXML is vulnerable to XXE attack as it has enabled external entity loading by default. Bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit 6ab4da0dccbc2a77285e0c200d2ee3df58249ec6
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date: Fri Dec 30 17:40:18 2016 +0100

dev-perl/XML-LibXML: Disable expanding external entities by default, bug 594614

Patch by ppisar@redhat.com
https://rt.cpan.org/Public/Bug/Display.html?id=118032
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097
https://bugzilla.redhat.com/show_bug.cgi?id=1377996

Package-Manager: Portage-2.3.3, Repoman-2.3.1

Let's wait a bit and see how much this makes explode...
Arches please stabilize dev-perl/XML-LibXML-2.12.800-r1 Target: all stable arches
arm arm64 ppc ppc64 stable
amd64 stable
Stable for HPPA.
x86 stable
sparc stable
Stable on alpha.
Arches, thank you for your work.

GLSA Vote: No - NO GLSA will be issued (setting noglsa). ia64 is not a security supported arch.

Maintainer(s), please drop the vulnerable version(s).
ia64 stable Last arch is done.
commit: 2ec47ab7d89df6b0c138426c9c861ad184b758be
author: 2017-06-05 23:14:00 +1200 Kent Fredric <kentnl@gentoo.org>
commit: 2017-06-05 23:14:12 +1200 Kent Fredric <kentnl@gentoo.org>
gpg-key: E854324B1366A820

dev-perl/XML-LibXML: Cleanup old re bug #594614

Removing old versions affected by XXE

Bug: https://bugs.gentoo.org/594614
Package-Manager: Portage-2.3.5, Repoman-2.3.2

dev-perl/XML-LibXML/Manifest | 2 -
dev-perl/XML-LibXML/XML-LibXML-2.12.100.ebuild | 62 ----
dev-perl/XML-LibXML/XML-LibXML-2.12.600.ebuild | 65 -----
dev-perl/XML-LibXML/XML-LibXML-2.12.800.ebuild | 65 -----
4 files changed, 194 deletions(-)
Repository is clean, all done.
It seems this issue may have been fixed inappropriately. The fix stated and applied seems to prohibit decoding entities entirely (e.g. &), not merely rejecting loading of external entities.

The documentation also says flipping expand_entities is wrong, because: https://metacpan.org/pod/distribution/XML-LibXML/lib/XML/LibXML/Parser.pod#expand_entities

> Note that although this flag disables entity substitution, it does not
> prevent the parser from loading external entities;
> when substitution of an external entity is disabled, the entity will be
> represented in the document tree by an XML_ENTITY_REF_NODE node whose subtree
> will be the content obtained by parsing the external resource; Although this
> nesting is visible from the DOM it is transparent to XPath data model,
> so it is possible to match nodes in an unexpanded entity by the same XPath
> expression as if the entity were expanded. See also ext_ent_handler.

Redhat also have closed this as "wontfix".

Please advise.
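As an added illustration of the point raised in comment 13 (this is example code written for this page, not code from the bug report, the Gentoo patch or the XML::LibXML project), the script below builds an XML::LibXML parser that refuses external entity loading through the documented `load_ext_dtd`, `no_network` and `ext_ent_handler` options rather than relying on `expand_entities` alone, and then checks that the predefined and internal entities a document legitimately uses still resolve through the XPath string-value. The sample document and the `file:///placeholder/...` system identifier are constructed for the example; nothing is ever read from that path.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of XML::LibXML itself.
# Requires XML::LibXML from CPAN (and the libxml2 it links against).
use strict;
use warnings;
use XML::LibXML;

# Constructed sample document: one internal entity, one predefined entity,
# and one external entity whose SYSTEM URI is a placeholder.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY internal "hello">
  <!ENTITY external SYSTEM "file:///placeholder/never-read.txt">
]>
<doc>
  <a>&internal;</a>
  <b>&amp;</b>
  <c>&external;</c>
</doc>
XML

# Refuse external loading on three independent layers, so the outcome does
# not hinge on what the linked libxml2 does with an unexpanded reference.
my $parser = XML::LibXML->new(
    expand_entities => 0,   # keep references as XML_ENTITY_REF_NODE nodes
    load_ext_dtd    => 0,   # never fetch an external DTD subset
    no_network      => 1,   # no http/ftp fetches for any resource
    # libxml2 routes every external resource request through this callback;
    # refusing here fails the parse instead of handing back file contents.
    ext_ent_handler => sub {
        my ($system_id, $public_id) = @_;
        die "refusing to load external entity: $system_id\n";
    },
);

my $doc = eval { $parser->load_xml(string => $xml) };
if (!$doc) {
    # A libxml2 that still fetches external parsed entities with expansion
    # disabled hits the handler above, and the whole document is rejected.
    print "document rejected: $@";
    exit 0;
}

# A libxml2 that leaves the external reference unloaded accepts the
# document. The XPath string-value sees through the unexpanded internal
# and predefined entities, as the quoted documentation describes, while
# the external reference contributes nothing.
printf "a = %s\n",   $doc->findvalue('/doc/a');
printf "b = %s\n",   $doc->findvalue('/doc/b');
printf "c = '%s'\n", $doc->findvalue('/doc/c');
```

Either outcome is acceptable from a defensive standpoint: the document is rejected outright, or it parses with `/doc/a` and `/doc/b` yielding their entity values and `/doc/c` empty. In neither case does the placeholder file get read, and neither case required throwing away ordinary entity decoding, which is the distinction comment 13 draws.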
Reopening so comment 13 gets some attention
(In reply to Andreas K. Hüttel from comment #14)
> Reopening so comment 13 gets some attention

Closing again, since these versions are gone anyway. Sorry for the noise.