Summary: | <dev-libs/libxml-2.9.4-r2: XML External Entity (XXE) attacks via a crafted document (CVE-2016-9318) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | gnome, herrtimson, slawomir.nizio, sudormrfhalt | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://github.com/lsh123/xmlsec/issues/43 | ||||||
Whiteboard: | A3 [glsa cve] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 623206 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
D'juan McDonald (domhnall)
2017-01-09 19:01:05 UTC
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 Source: https://github.com/lsh123/xmlsec/issues/43 Upstream Patch For https://bugzilla.gnome.org/show_bug.cgi?id=772726 https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 Status: RESOLVED FIXED Bug 772726 - (CVE-2016-9318) XXE problems continue Created attachment 470422 [details, diff]
Add an XML_PARSE_NOXXE flag to block all entities loading even local
Greatly forgive the unconscious adjustment on an open cve. Scouting beginner. *** Bug 621126 has been marked as a duplicate of this bug. *** @maintainer(s), please follow procedure to close this report. Thank you!! Daj'Uan (mbailey_j) Gentoo Security Scout Patch Set $URL:https://github.com/lsh123/xmlsec/pull/93/commits Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 (In reply to Thomas Deutschmann from comment #1) changing present $URL to match $Source as present $URL is now obsolete: from present $URL "Access Denied" however, page is still 200 if needing PoC. d-hat committed Mar 7, 2017 https://github.com/lsh123/xmlsec/pull/93/commits/b86c05d36a1d9176e3c13d36a37dcf7906ab0cdb Latest Status: https://github.com/lsh123/xmlsec/issues?q=is%3Aissue+is%3Aclosed @maintainer(s), I believe this patch should finally fix the vulnerability. after version bump, please follow procedure to close. Patch for this issue have been pushed in libxml-2.9.4-r2. Please note that: * patches where cherry-picked from upstream master according to information found in this ticket, some patches were harder to find due to upstream blocking access to it. * unittests in the ebuild are actually not being run for a long time certainly due to a problem when porting to multilib. Maybe it existed before, didn't check yet. Anyway, as lots of other security related fixes are pending an upstream release, I pushed this as a stop gap until I get more time to do a proper snapshot and fix these unittests issues. (In reply to Gilles Dartiguelongue from comment #10) > Patch for this issue have been pushed in libxml-2.9.4-r2. @Eva, thank you for your work. @Arches please test and follow procedure to close on report, thank you. Daj'Uan (mbailey_j) Gentoo Security Scout @maintainer(s), please call for stable when ready. This issue was resolved and addressed in GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01 by GLSA coordinator Christopher Diaz Riveros (chrisadr). |