Bug 458740 (CVE-2013-0338) - <dev-libs/libxml2-2.9.1: Internal/external entity expansion (CVE-2013-0338, CVE-2013-0339)
Status: RESOLVED FIXED
Alias: CVE-2013-0338
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2013-2877
Reported: 2013-02-22 13:58 UTC by Agostino Sarubbo
Modified: 2013-11-10 15:19 UTC
Description Agostino Sarubbo gentoo-dev 2013-02-22 13:58:08 UTC
From ${URL} :

So here are the CVEs for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed.



====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning/application scanning information being sent to the attacker.


So the CVEs to use:

Please use CVE-2013-0338 for libxml2 internal entity expansion

Please use CVE-2013-0339 for libxml2 external entities expansion
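
A defensive pre-parse check for the two classes described above, as an added example that is not part of the original report or of the libxml2/expat code: using Python's standard expat binding, it totals what the internal entities would expand to without expanding them and lists external entities without fetching them. The names `audit_entities`, `EntityBudgetExceeded` and the `max_expanded` budget are hypothetical, chosen for this illustration.

```python
import re
from xml.parsers import expat
REF = re.compile(r"&([^#;&\s][^;&\s]*);")  # general entity reference, e.g. &a;

class EntityBudgetExceeded(ValueError):
    """Hypothetical error: the document would expand past the budget."""

def audit_entities(xml_bytes, max_expanded=100_000):
    """Hypothetical helper: measure entity expansion without performing it."""
    decls, external, memo, total = {}, [], {}, 0

    def size(name, stack=()):  # expanded length of one internal entity, memoized
        if name in memo:
            return memo[name]
        if name in stack or len(stack) > 64:
            raise EntityBudgetExceeded(f"&{name}; is recursive or nested too deeply")
        text = decls.get(name, "")  # undeclared, predefined, external: counted as 0
        n = len(REF.sub("", text)) + sum(size(r, stack + (name,)) for r in REF.findall(text))
        if n > max_expanded:
            raise EntityBudgetExceeded(f"&{name}; expands to {n} characters")
        memo[name] = n
        return n

    def on_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # SYSTEM/PUBLIC entity: record it, never fetch it
            external.append((name, system_id))
        elif not is_param:
            decls[name] = value  # nested references arrive unexpanded

    def on_default(data):
        # With DefaultHandler set, expat does not expand internal entities in
        # content; each reference arrives here as raw text such as "&d;".
        nonlocal total
        m = REF.fullmatch(data)
        if m and m.group(1) in decls:
            total += size(m.group(1))
            if total > max_expanded:
                raise EntityBudgetExceeded(f"body expands to {total} characters")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler, parser.DefaultHandler = on_decl, on_default
    parser.Parse(xml_bytes, True)
    return {"expanded_chars": total, "external": external}

# Constructed samples, built from the XML quoted in the report above.
NESTED = (b'<!DOCTYPE xmlbomb [<!ENTITY a "1234567890">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">'
          b'<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">]><bomb>&d;</bomb>')
EXTERNAL = b'<!DOCTYPE external [<!ENTITY ee SYSTEM "http://www.example.org/some.xml">]><root>&ee;</root>'
```

References inside attribute values are outside what this sketch measures; it only accounts for references in element content and in entity replacement text.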
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-26 05:13:30 UTC
Isn't this a duplicate of bug #458430?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-04-26 11:09:17 UTC
CVE-2013-0338 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0338):
  libxml2 2.9.0 and earlier allows context-dependent attackers to cause a
  denial of service (CPU and memory consumption) via an XML file containing an
  entity declaration with long replacement text and many references to this
  entity, aka "internal entity expansion" with linear complexity.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 17:02:39 UTC
Both fixed [1] in libxml2-2.9.1.

[1] https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-12 17:57:18 UTC
>=libxml2-2.9.1 is being stabilized at bug #476438
Comment 5 Sergey Popov gentoo-dev 2013-08-28 07:36:38 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-11-10 15:19:03 UTC
This issue was resolved and addressed in
 GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml
by GLSA coordinator Sean Amoss (ackle).