Bug 1090976 (CVE-2014-0191)
Summary: | CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Stefan Cornelius <scorneli> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | athmanem, berrange, carnil, c.david86, drizt72, erik-fedora, fedora-mingw, jkurik, jrusnack, jsegitz, ktietz, lfarkas, mcermak, mdshaikh, ohudlick, redhat-bugzilla, rjones, sardella, security-response-team, veillard |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | libxml2 2.9.2 | Doc Type: | Bug Fix |
Doc Text: | It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2015-03-30 11:56:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1093090, 1093091, 1107556, 1107557, 1191425, 1195649, 1195650 | | |
Bug Blocks: | 1086699, 1090982 | | |
Description
Stefan Cornelius
2014-04-24 13:59:12 UTC
Acknowledgements: This issue was discovered by Daniel P. Berrange of Red Hat.

Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

This issue is related to the handling of external parameter entities. Even when libxml2 was instructed to parse an XML document without performing entity substitutions (i.e. when the parser was run without the XML_PARSE_NOENT option, which is the default), libxml2 loaded external entities, which could lead to some XML eXternal Entity (XXE) attacks. A similar problem was previously corrected in libxml2 for general entities via: https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0513 https://rhn.redhat.com/errata/RHSA-2014-0513.html

Ubuntu just released http://www.ubuntu.com/usn/usn-2214-2/ to note a regression in the upstream fix for this issue, described as:

"""
USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a regression when using xmllint with the --postvalid option. This update fixes the problem.
"""

Given that we have fixed in RHEL6, do we suffer from the same regression?

See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a patch attached (presumably what was used in Ubuntu); also see the upstream report here:

https://bugzilla.gnome.org/show_bug.cgi?id=730290

Vincent

Vincent, I think we do have the same regression. See https://bugzilla.redhat.com/show_bug.cgi?id=1104864 .

Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1107556]

Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1107557]

(In reply to Vincent Danen from comment #22)
> Given that we have fixed in RHEL6, do we suffer from the same regression?
> See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and
> https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a
> patch attached (presumably what was used in Ubuntu); also see the upstream
> report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=730290

This is a bug we've introduced with this security patch, but from what I can tell it's not a new security issue. As Michael Chapman pointed out in comment 24, this is already being handled in bug 1104864.

Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Created mingw32-libxml2 tracking bugs for this issue:

Affects: epel-7 [bug 1191425]

Bug 915149 comment 8 has notes on a related issue that affected general external entities.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:0749 https://rhn.redhat.com/errata/RHSA-2015-0749.html

libxml2-2.9.1-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

libxml2-2.9.1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
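The bug above is that "no entity substitution" (no XML_PARSE_NOENT) did not stop libxml2 from fetching external parameter entities, and the statement says RHEL 5 will not get the fix; an application that must accept untrusted XML on such a build can at least gate input on the DTD constructs involved before handing it to libxml2. The following is an added example, not libxml2, Red Hat or Bugzilla code: it uses Python's expat binding purely to read entity declarations (expat's default parameter-entity mode fetches nothing), and it separates external parameter entities, the subject of this bug, from external general entities, which the earlier commit cited in the description already covered; the sample documents and their URLs are constructed placeholders.

```python
from xml.parsers import expat


def external_entity_findings(xml_bytes):
    """Return (kind, name, system_id) for every external entity declared in
    the document; kind is 'parameter', 'general' or 'external-dtd'. expat only
    reads the declarations: its default XML_PARAM_ENTITY_PARSING_NEVER mode
    and the lack of an ExternalEntityRefHandler mean nothing is fetched."""
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # The external DTD subset is, in XML terms, itself a parameter entity.
        if sysid is not None or pubid is not None:
            findings.append(("external-dtd", name, sysid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None only for external (SYSTEM/PUBLIC) entities.
        if value is None:
            findings.append(("parameter" if is_param else "general", name, sysid))

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.Parse(xml_bytes, True)
    return findings


def parameter_entity_risks(xml_bytes):
    """Only the findings this bug concerns: external parameter entities (and
    the external subset). External general entities are left out because the
    earlier libxml2 fix cited in the description already covers them."""
    return [f for f in external_entity_findings(xml_bytes)
            if f[0] in ("parameter", "external-dtd")]


# Constructed sample inputs with placeholder URLs; nothing is fetched.
SAMPLE_PE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY greeting "hello">
  <!ENTITY logo SYSTEM "file:///placeholder/logo.svg">
  <!ENTITY % ext SYSTEM "http://dtd.example.invalid/x.dtd">
  %ext;
]>
<doc>plain text only</doc>
"""
SAMPLE_EXT_DTD = b'<!DOCTYPE doc SYSTEM "http://dtd.example.invalid/doc.dtd"><doc/>'

if __name__ == "__main__":
    for sample in (SAMPLE_PE, SAMPLE_EXT_DTD, b"<doc>clean</doc>"):
        print(parameter_entity_risks(sample))
```

A document with any finding from parameter_entity_risks() should be rejected before it reaches an unpatched libxml2, since the absence of XML_PARSE_NOENT is exactly the control this bug shows to be insufficient; the scan is a stop-gap for builds that cannot move to the fixed version, not a substitute for it.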