Bug 548032 (CVE-2015-3451) - <dev-perl/XML-LibXML-2.12.100: "expand_entities" option was not preserved under some circumstances (CVE-2015-3451)
Summary: <dev-perl/XML-LibXML-2.12.100: "expand_entities" option was not preserved und...
Status: RESOLVED FIXED
Alias: CVE-2015-3451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 551116 551118
Blocks:
Reported: 2015-04-28 15:33 UTC by Agostino Sarubbo
Modified: 2015-06-14 20:16 UTC (History)
Description Agostino Sarubbo gentoo-dev 2015-04-28 15:33:06 UTC
From ${URL} :

According to XML::LibXML's documentation it should be possible to
disable processing of external entities by using the "expand_entities" parameter.

Two example scripts are attached to this mail. The 
output of XEE-XML-LibXML-demo.pl should not contain external 
entities, but "expand_entities" is ignored. The output 
of XEE-XML-LibXML-demo2.pl is as expected (no external entities).

The behaviour depends on how the XML is loaded.
Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using 
$parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.

I've tested the issue on two platforms and was able to print out the 
system's "/etc/passwd" file.


Ubuntu 12.04.5 LTS
Perl version: v5.14.2
libxml2 version: 2.7.8
XML::LibXML version: 1.89

Mac OS X 10.9.5
Perl version: v5.16.2
libxml2 version: 2.9.0
XML::LibXML version: 2.0118


The vulnerability is fixed in version 2.0119.
I'm not sure which older versions are affected, however the vulnerability is present in version 1.89 and probably older versions, too.

The fix:
<https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30>

Changelog:
<http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes>



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
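The two loading paths the report contrasts, as an added self-check written for this page (it is not one of the reporter's attached demo scripts and not part of XML::LibXML). It creates a throwaway file with a known marker instead of reading /etc/passwd, builds a document whose external entity points at that file, parses it once through the class-method `XML::LibXML->load_xml` and once through `XML::LibXML->new(...)->load_xml`, both with `expand_entities => 0`, and reports whether the marker was pulled into either result. The file name, marker and XML payload are constructed for the check; the option names are XML::LibXML's documented parser options.

```perl
#!/usr/bin/perl
# Added check for CVE-2015-3451: does expand_entities => 0 survive both
# document-loading paths in the installed XML::LibXML?  Example code written
# for this page, not the reporter's attached demo scripts.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for /etc/passwd, so the check is harmless to run.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
my $marker = 'SECRET-MARKER-' . $$;
print {$fh} "$marker\n";
close $fh;

# Constructed attacker-style document: an external general entity whose
# SYSTEM identifier points at the local file (the classic XXE payload shape).
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<doc>&xxe;</doc>
XML

# Returns 1 if the file contents ended up inside the parsed document,
# 0 if the entity reference was left unexpanded.
sub leaks {
    my ($doc) = @_;
    my $seen = $doc->toString . ($doc->documentElement->textContent // '');
    return index($seen, $marker) >= 0 ? 1 : 0;
}

# Path A: class-method load_xml with the option passed directly.
# The report says this path honoured expand_entities in the affected versions.
my $doc_a = XML::LibXML->load_xml(string => $xml, expand_entities => 0);

# Path B: parser object built with new(), then load_xml on that object.
# In XML::LibXML before 2.0119 the internal _clone dropped expand_entities
# on this path, so the external entity was substituted anyway.
my $parser = XML::LibXML->new(expand_entities => 0);
my $doc_b  = $parser->load_xml(string => $xml);

printf "XML::LibXML %s, libxml2 %s\n",
    XML::LibXML->VERSION, XML::LibXML::LIBXML_DOTTED_VERSION();
printf "class load_xml   : %s\n",
    leaks($doc_a) ? 'LEAKED (entity expanded)' : 'ok (entity not expanded)';
printf "parser->load_xml : %s\n",
    leaks($doc_b) ? 'LEAKED (entity expanded)' : 'ok (entity not expanded)';

# Non-zero exit if either path leaked, so the script can gate a deployment.
exit((leaks($doc_a) || leaks($doc_b)) ? 1 : 0);
```

On a fixed XML::LibXML (2.0119 or later, dev-perl/XML-LibXML-2.12.100 on Gentoo) both lines should report "ok"; on an affected version the second line reports "LEAKED". Independently of the upgrade, code that parses untrusted XML should also pass `load_ext_dtd => 0` and `no_network => 1` alongside `expand_entities => 0`, since those options close the DTD-loading and remote-fetch routes that an external entity can otherwise use.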
Comment 1 Patrice Clement gentoo-dev 2015-06-03 21:45:45 UTC
I have the ebuild ready to get bumped in my CVS repo. However, a bunch of tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and keywording.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-04 04:33:46 UTC
(In reply to Patrice Clement from comment #1)
> I have the ebuild ready to get bumped in my CVS repo. However, a bunch of
> tests now depend on dev-perl/Test-LeakTrace which needs stabilisation and
> keywording.

Commit it with dropped keywords for architectures which lack keywords on dev-perl/Test-LeakTrace.
Comment 3 Patrice Clement gentoo-dev 2015-06-04 12:43:10 UTC
+*XML-LibXML-2.12.100 (04 Jun 2015)
+
+  04 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +XML-LibXML-2.12.100.ebuild:
+  Version bump. Fix security bug 548032.
+

Please stabilise this package ASAP. Previous version was stable for the following platforms:
- alpha 
- amd64 
- arm 
- arm64 
- hppa 
- ia64 
- ppc 
- ppc64 
- s390 
- sh 
- sparc
- x86
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-04 12:52:02 UTC
(In reply to Patrice Clement from comment #3)
> +*XML-LibXML-2.12.100 (04 Jun 2015)
> +
> +  04 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
> +  +XML-LibXML-2.12.100.ebuild:
> +  Version bump. Fix security bug 548032.
> +
> 
> Please stabilise this package ASAP. Previous version was stable for the
> following platforms:

fwiw, that would require CCing the arches...

Arches, please stabilize:
=dev-perl/XML-LibXML-2.12.100
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-04 13:10:10 UTC
GLSA vote: no.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-04 13:22:58 UTC
GLSA Vote: No

  04 Jun 2015; Mikle Kolyada <zlogene@gentoo.org> -XML-LibXML-2.1.400-r1.ebuild,
  XML-LibXML-2.12.100.ebuild:
  Stable for all (security bug #548032)

Thanks for cleanup and stabilization.

Closing [noglsa]
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:16:12 UTC
CVE-2015-3451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3451):
  The _clone function in XML::LibXML before 2.0119 does not properly set the
  expand_entities option, which allows remote attackers to conduct XML
  external entity (XXE) attacks via a crafted XML data to the (1) new or (2)
  load_xml function.