Bug 605208 (CVE-2016-9318) - <dev-libs/libxml-2.9.4-r2: XML External Entity (XXE) attacks via a crafted document (CVE-2016-9318)
Alias: CVE-2016-9318
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Duplicates: 621126
Depends on: CVE-2017-7375
Reported: 2017-01-09 19:01 UTC by D'juan McDonald (domhnall)
Modified: 2017-11-10 03:49 UTC

Runtime testing required: ---

Add an XML_PARSE_NOXXE flag to block all entities loading even local (file_605208.txt,101 bytes, patch)
2017-04-19 16:36 UTC, D'juan McDonald (domhnall)

Description D'juan McDonald (domhnall) 2017-01-09 19:01:05 UTC
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
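The behaviour the description asks for (the submitted document may be read, but nothing else may be opened) can be shown with any entity-aware parser. The following is an added example, not code from this bug, from libxml2 or from the attached patch; it uses Python's standard-library expat-based xml.sax parser instead of libxml2, and the temp file path and the SECRET-MARKER text are constructed for the demonstration. It parses one XXE-style document under three policies: external entity loading enabled (the document's entity is expanded to the file's contents), external entity loading disabled with a resolver that fails closed (the entity expands to nothing), and a stricter policy that rejects any DOCTYPE before a DTD can declare entities, which is the spirit of the XML_PARSE_NOXXE flag in the attachment.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RefuseExternalEntities(EntityResolver):
    """Fail closed: if the parser ever asks to resolve an external entity, abort."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError("external entity blocked: %r" % systemId)


class RejectDoctype:
    """Lexical handler that aborts on any DOCTYPE, before a DTD can declare entities."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed (name=%r, system_id=%r)" % (name, system_id))

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def make_parser(allow_external=False, reject_doctype=False):
    """Build a SAX parser whose entity policy is explicit rather than inherited from defaults."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external)  # external general entities
    parser.setFeature(feature_external_pes, False)           # never load external parameter entities
    if not allow_external:
        # Belt and braces: with the feature off the resolver is not consulted,
        # but if a future change asks it to fetch something, it raises instead.
        parser.setEntityResolver(RefuseExternalEntities())
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    return parser


def extract_text(xml_bytes, allow_external=False, reject_doctype=False):
    """Parse the bytes under the chosen policy and return the character data seen."""
    collector = TextCollector()
    parser = make_parser(allow_external, reject_doctype)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_document(path):
    """Constructed XXE-style document: an external general entity pointing at a local file."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE doc [<!ENTITY ext SYSTEM "%s">]>'
            '<doc>&ext;</doc>' % path).encode("utf-8")


def demo():
    """Parse the same constructed document under the three policies and report the outcome."""
    marker = "SECRET-MARKER"  # constructed stand-in for a file the parser must not read
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker)
        secret_path = fh.name
    try:
        doc = xxe_document(secret_path)
        results = {
            "unsafe": extract_text(doc, allow_external=True),  # file contents leak into the document
            "safe": extract_text(doc),                          # entity expands to nothing
        }
        try:
            extract_text(doc, reject_doctype=True)              # refused before any entity is declared
            results["strict_rejected"] = False
        except ValueError:
            results["strict_rejected"] = True
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print("%-16s %r" % (policy, outcome))
```

The "safe" policy is what the CVE text describes as missing from libxml2 at the time: the caller parses the document it was handed and nothing else. The DOCTYPE-rejecting policy is the stronger option for services that never need a DTD, since it also removes entity-expansion and parameter-entity tricks from the attack surface rather than only blocking the file load.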
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 20:14:01 UTC
Upstream bug:

Comment 2 D'juan McDonald (domhnall) 2017-04-19 16:12:07 UTC
Upstream Patch For

Bug 772726 - (CVE-2016-9318) XXE problems continue
Comment 3 D'juan McDonald (domhnall) 2017-04-19 16:36:39 UTC
Created attachment 470422 [details, diff]
Add an XML_PARSE_NOXXE flag to block all entities loading even local
Comment 4 D'juan McDonald (domhnall) 2017-05-16 04:58:31 UTC
Greatly forgive the unconscious adjustment on an open CVE. Scouting beginner.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 19:50:48 UTC
*** Bug 621126 has been marked as a duplicate of this bug. ***
Comment 6 D'juan McDonald (domhnall) 2017-08-22 05:35:04 UTC
@maintainer(s), please follow procedure to close this report. Thank you!!

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 7 D'juan McDonald (domhnall) 2017-08-22 05:40:37 UTC
Patch Set $URL:
Comment 8 D'juan McDonald (domhnall) 2017-08-22 05:55:28 UTC
Upstream bug:
(In reply to Thomas Deutschmann from comment #1)

changing present $URL to match $Source as present $URL is now obsolete:

From the present $URL: "Access Denied"; however, the page still returns 200 if a PoC is needed.
Comment 9 D'juan McDonald (domhnall) 2017-08-22 10:38:07 UTC
d-hat committed Mar 7, 2017

Latest Status:

@maintainer(s), I believe this patch should finally fix the vulnerability. After the version bump, please follow procedure to close.
Comment 10 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:36:28 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to them.
* unit tests in the ebuild have actually not been run for a long time, certainly due to a problem when porting to multilib. Maybe it existed before; I didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.
Comment 11 D'juan McDonald (domhnall) 2017-08-24 00:36:16 UTC
(In reply to Gilles Dartiguelongue from comment #10)
> Patches for this issue have been pushed in libxml-2.9.4-r2.

@Eva, thank you for your work. @Arches please test and follow procedure to close on report, thank you.

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-08-24 00:50:11 UTC
@maintainer(s), please call for stable when ready.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:49:01 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at
by GLSA coordinator Christopher Diaz Riveros (chrisadr).