libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 Source: https://github.com/lsh123/xmlsec/issues/43
Upstream patch for https://bugzilla.gnome.org/show_bug.cgi?id=772726: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0
Status: RESOLVED FIXED
Bug 772726 - (CVE-2016-9318) XXE problems continue
Created attachment 470422: Add an XML_PARSE_NOXXE flag to block all entities loading even local
Greatly forgive the unconscious adjustment on an open CVE. Scouting beginner.
*** Bug 621126 has been marked as a duplicate of this bug. ***
@maintainer(s), please follow procedure to close this report. Thank you!! Daj'Uan (mbailey_j) Gentoo Security Scout
Patch Set $URL:https://github.com/lsh123/xmlsec/pull/93/commits
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726
(In reply to Thomas Deutschmann from comment #1)
Changing present $URL to match $Source, as present $URL is now obsolete: from present $URL "Access Denied"; however, page is still 200 if needing PoC.
d-hat committed Mar 7, 2017: https://github.com/lsh123/xmlsec/pull/93/commits/b86c05d36a1d9176e3c13d36a37dcf7906ab0cdb
Latest Status: https://github.com/lsh123/xmlsec/issues?q=is%3Aissue+is%3Aclosed
@maintainer(s), I believe this patch should finally fix the vulnerability. After version bump, please follow procedure to close.
Patches for this issue have been pushed in libxml-2.9.4-r2. Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to them.
* unit tests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before, I didn't check yet.
Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.
(In reply to Gilles Dartiguelongue from comment #10)
> Patches for this issue have been pushed in libxml-2.9.4-r2.
@Eva, thank you for your work. @Arches please test and follow procedure to close on report, thank you. Daj'Uan (mbailey_j) Gentoo Security Scout
@maintainer(s), please call for stable when ready.
This issue was resolved and addressed in GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01 by GLSA coordinator Christopher Diaz Riveros (chrisadr).