Bug 605208 (CVE-2016-9318) - <dev-libs/libxml-2.9.4-r2: XML External Entity (XXE) attacks via a crafted document (CVE-2016-9318)
Summary: <dev-libs/libxml-2.9.4-r2: XML External Entity (XXE) attacks via a crafted do...
Status: RESOLVED FIXED
Alias: CVE-2016-9318
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/lsh123/xmlsec/issu...
Whiteboard: A3 [glsa cve]
Keywords:
Duplicates: 621126
Depends on: CVE-2017-7375
Blocks:
Reported: 2017-01-09 19:01 UTC by D'juan McDonald (domhnall)
Modified: 2017-11-10 03:49 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments:
Add an XML_PARSE_NOXXE flag to block all entities loading even local (file_605208.txt, 101 bytes, patch), 2017-04-19 16:36 UTC, D'juan McDonald (domhnall)

Description D'juan McDonald (domhnall) 2017-01-09 19:01:05 UTC
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
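The mechanism the CVE description refers to, shown as an added example that is not code from libxml2, xmlsec or this bug report. It is a Python program using the standard-library expat binding (chosen so it runs offline; libxml2 itself is the library at issue) that parses one constructed crafted document twice: once with a resolver that fetches every external entity the document declares, which is the XXE pattern, and once under a deny-all policy of the kind the attached XML_PARSE_NOXXE patch aims to provide, where the reference expands to nothing and the attempt is recorded. The in-memory "file system" (FAKE_FS), the document, the base URI and all function names are assumptions of the example.

```python
"""XXE through an external-entity resolver: naive expansion vs. a NOXXE-style policy.

Added example, not libxml2 or xmlsec code. Uses Python's stdlib expat binding;
the "file system" is a constructed in-memory dict so the demo runs offline.
"""
import xml.parsers.expat as expat

# Constructed stand-in for the local file system an attacker wants to read.
FAKE_FS = {
    "file:///etc/hostname": "db-primary.internal\n",
}

# Constructed crafted document: the internal DTD subset declares an external
# general entity that points at a local file and references it in content.
CRAFTED_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [\n'
    '  <!ENTITY host SYSTEM "file:///etc/hostname">\n'
    ']>\n'
    '<order><note>&host;</note></order>\n'
)


def parse_with_policy(doc, base, block_external):
    """Parse `doc`; return (character data, list of blocked system ids).

    block_external=False reproduces the vulnerable pattern: every external
    entity the document declares is fetched and spliced into the content.
    block_external=True is the behaviour a NOXXE-style flag provides: no
    external entity is ever opened, local or remote; the reference expands
    to nothing and the attempt is recorded for the caller to log.
    """
    text_chunks = []
    blocked = []

    def on_chardata(data):
        text_chunks.append(data)

    def on_external_entity(context, base_uri, system_id, public_id):
        if block_external:
            blocked.append(system_id)
            return 1  # keep parsing, but load nothing
        content = FAKE_FS.get(system_id)
        if content is None:
            return 0  # unknown resource: expat raises ExpatError
        # The child parser inherits on_chardata, so the referenced file's
        # contents land in the parsed output exactly as an XXE leak would.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(content, True)
        return 1

    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.SetBase(base)  # URI of the document being parsed
    parser.CharacterDataHandler = on_chardata
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return "".join(text_chunks), blocked


def demo():
    """Run the crafted document under both policies."""
    base = "file:///srv/app/order.xml"  # assumed location of the input
    leaked, _ = parse_with_policy(CRAFTED_DOC, base, block_external=False)
    safe, blocked = parse_with_policy(CRAFTED_DOC, base, block_external=True)
    return leaked, safe, blocked


if __name__ == "__main__":
    leaked, safe, blocked = demo()
    print("vulnerable resolver:", repr(leaked))
    print("NOXXE-style policy :", repr(safe), "blocked:", blocked)
```

In the vulnerable run the text of `<note>` is the contents of the "file" the attacker named; in the blocked run it is empty and the system id is recorded. For libxml2 callers the equivalent control lives at the application level: leave XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset unless the application needs entity substitution, and do not rely on XML_PARSE_NONET alone, since it only forbids network access and still permits local-file entities, which is the gap this CVE describes.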
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 20:14:01 UTC
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726

Source: https://github.com/lsh123/xmlsec/issues/43
Comment 2 D'juan McDonald (domhnall) 2017-04-19 16:12:07 UTC
Upstream Patch For https://bugzilla.gnome.org/show_bug.cgi?id=772726

https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0

Status: 	RESOLVED FIXED
Bug 772726 - (CVE-2016-9318) XXE problems continue
Comment 3 D'juan McDonald (domhnall) 2017-04-19 16:36:39 UTC
Created attachment 470422 [details, diff]
Add an XML_PARSE_NOXXE flag to block all entities loading even local
Comment 4 D'juan McDonald (domhnall) 2017-05-16 04:58:31 UTC
Greatly forgive the unconscious adjustment on an open cve. Scouting beginner.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 19:50:48 UTC
*** Bug 621126 has been marked as a duplicate of this bug. ***
Comment 6 D'juan McDonald (domhnall) 2017-08-22 05:35:04 UTC
@maintainer(s), please follow procedure to close this report. Thank you!!

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 7 D'juan McDonald (domhnall) 2017-08-22 05:40:37 UTC
Patch Set $URL:https://github.com/lsh123/xmlsec/pull/93/commits
Comment 8 D'juan McDonald (domhnall) 2017-08-22 05:55:28 UTC
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726
(In reply to Thomas Deutschmann from comment #1)

Changing the present $URL to match $Source, as the present $URL is now obsolete:

The present $URL returns "Access Denied"; however, the page is still 200 if a PoC is needed.
Comment 9 D'juan McDonald (domhnall) 2017-08-22 10:38:07 UTC
d-hat committed Mar 7, 2017

https://github.com/lsh123/xmlsec/pull/93/commits/b86c05d36a1d9176e3c13d36a37dcf7906ab0cdb

Latest Status: 
https://github.com/lsh123/xmlsec/issues?q=is%3Aissue+is%3Aclosed

@maintainer(s), I believe this patch should finally fix the vulnerability. After the version bump, please follow procedure to close.
Comment 10 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:36:28 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* Patches were cherry-picked from upstream master according to the information found in this ticket; some patches were harder to find due to upstream blocking access to them.
* Unit tests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before; I didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stop-gap until I get more time to do a proper snapshot and fix these unit test issues.
Comment 11 D'juan McDonald (domhnall) 2017-08-24 00:36:16 UTC
(In reply to Gilles Dartiguelongue from comment #10)
> Patches for this issue have been pushed in libxml-2.9.4-r2.

@Eva, thank you for your work. @Arches please test and follow procedure to close on report, thank you.

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-08-24 00:50:11 UTC
@maintainer(s), please call for stable when ready.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:49:01 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01
by GLSA coordinator Christopher Diaz Riveros (chrisadr).