
Bug 605208 (CVE-2016-9318)

Summary: <dev-libs/libxml-2.9.4-r2: XML External Entity (XXE) attacks via a crafted document (CVE-2016-9318)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: gnome, herrtimson, slawomir.nizio, sudormrfhalt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 623206    
Bug Blocks:    
Attachments:
Description: Add an XML_PARSE_NOXXE flag to block all entities loading even local; Flags: none

Description D'juan McDonald (domhnall) 2017-01-09 19:01:05 UTC
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
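Added example, not part of the bug report and not libxml2 or Gentoo code: a pre-parse check an application could run before handing untrusted XML to an affected parser, listing every external DTD subset and external entity the document declares. It uses Python's standard-library expat bindings rather than libxml2; the function names, the refuse-everything policy and the sample documents are assumptions constructed for illustration.

```python
from xml.parsers import expat


def external_references(xml_bytes):
    """Return (kind, name, system_id, public_id) for each external DTD subset
    or external entity the document declares. Nothing is fetched: expat only
    reports declarations unless an ExternalEntityRefHandler loads them."""
    found = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append(("external-dtd", name, system_id, public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a
        # system identifier (and optionally a public identifier) instead.
        if system_id is not None or public_id is not None:
            kind = "external-parameter-entity" if is_param else "external-entity"
            found.append((kind, name, system_id, public_id))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # Fail closed: a document that cannot be checked is not accepted.
        raise ValueError(f"not well-formed, rejected: {exc}") from exc
    return found


def may_open_other_files(xml_bytes):
    """Policy assumed by this example: any external reference is refused."""
    return bool(external_references(xml_bytes))


# Constructed sample inputs (paths and hosts are placeholders).
PLAIN = b"<order><id>42</id></order>"
INTERNAL_ONLY = b'<!DOCTYPE order [<!ENTITY co "ACME">]><order>&co;</order>'
EXTERNAL_ENTITY = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/constructed-sample.txt">]>'
                   b"<order>&ext;</order>")
EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "http://dtd.example.invalid/order.dtd"><order/>'

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("internal", INTERNAL_ONLY),
                       ("external entity", EXTERNAL_ENTITY), ("external DTD", EXTERNAL_DTD)]:
        print(f"{label:16} -> {external_references(doc)}")
```

The check only inspects declarations; it does not replace the patched libxml2 build discussed in this report.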
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 20:14:01 UTC
Upstream bug:

Comment 2 D'juan McDonald (domhnall) 2017-04-19 16:12:07 UTC
Upstream Patch For

Bug 772726 - (CVE-2016-9318) XXE problems continue
Comment 3 D'juan McDonald (domhnall) 2017-04-19 16:36:39 UTC
Created attachment 470422 [details, diff]
Add an XML_PARSE_NOXXE flag to block all entities loading even local
Comment 4 D'juan McDonald (domhnall) 2017-05-16 04:58:31 UTC
Greatly forgive the unconscious adjustment on an open CVE. Scouting beginner.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 19:50:48 UTC
*** Bug 621126 has been marked as a duplicate of this bug. ***
Comment 6 D'juan McDonald (domhnall) 2017-08-22 05:35:04 UTC
@maintainer(s), please follow procedure to close this report. Thank you!!

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 7 D'juan McDonald (domhnall) 2017-08-22 05:40:37 UTC
Patch Set $URL:
Comment 8 D'juan McDonald (domhnall) 2017-08-22 05:55:28 UTC
Upstream bug:
(In reply to Thomas Deutschmann from comment #1)

changing present $URL to match $Source as present $URL is now obsolete:

from present $URL "Access Denied" however, page is still 200 if needing PoC.
Comment 9 D'juan McDonald (domhnall) 2017-08-22 10:38:07 UTC
d-hat committed Mar 7, 2017

Latest Status:

@maintainer(s), I believe this patch should finally fix the vulnerability. After version bump, please follow procedure to close.
Comment 10 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:36:28 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to them.
* unittests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before, didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unittest issues.
Comment 11 D'juan McDonald (domhnall) 2017-08-24 00:36:16 UTC
(In reply to Gilles Dartiguelongue from comment #10)
> Patches for this issue have been pushed in libxml-2.9.4-r2.

@Eva, thank you for your work. @Arches please test and follow procedure to close on report, thank you.

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-08-24 00:50:11 UTC
@maintainer(s), please call for stable when ready.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:49:01 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at
by GLSA coordinator Christopher Diaz Riveros (chrisadr).