Bug 1104864

Summary: libxml2-2.7.6-14.el6_5.1 fails parsing external resources

Product: Red Hat Enterprise Linux 6
Reporter: beckerje
Component: libxml2
Assignee: Daniel Veillard <veillard>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-tools-bugs
Severity: high
Priority: unspecified
Version: 6.7
CC: fweimer, jsegitz, me, redhat-bugzilla, sardella
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2017-12-06 12:57:21 UTC
Type: Bug

Description beckerje 2014-06-04 20:49:40 UTC
One of the patches applied in RHSA-2014:0513-01 breaks XML DTD validation.  Specifically, the fix for CVE-2014-0191 appears to completely block validation using external entities, instead of blocking them only by default.

This is the announcement for the errata that contains the newly-broken package https://www.redhat.com/archives/rhsa-announce/2014-May/msg00020.html

The specific version affected is libxml2-2.7.6-14.el6_5.1

Steps to Reproduce:
1. Create an XML that references a DTD file.
2. Create a DTD that contains external entity references.
3. Run "xmllint -noout -noent -dtdvalid /path/to/my.dtd my.xml"


Actual results:

Parsing failures of the form:
  "/path/to/my.dtd:248: parser warning : PEReference: %external-entity-file.ent; not found"


Expected results:
The XML should validate properly (yes, it's valid XML).


Additional info:
This problem is more fully described in these two posts to the Gnome XML mailing list.  The 2nd post includes a patch for libxml2 that applies cleanly, and appears to address the issue.

  https://mail.gnome.org/archives/xml/2014-May/msg00002.html
  https://mail.gnome.org/archives/xml/2014-May/msg00003.html

Comment 2 Florian Weimer 2014-06-10 09:58:39 UTC
The patch at https://mail.gnome.org/archives/xml/2014-May/txt5nbPSpfgSB.txt looks like it reintroduces the vulnerability.  I think it is okay to trust the DTD specified with -dtdvalid, but not the input document, and the patch seems to extend trust to both once DTD validation is enabled.
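The trust split Florian describes (load external parameter entities only from material the operator chose, never because the input document asked for it) can be enforced with an entity resolver rather than by disabling parameter entities outright, which is what broke the reproduction in the description. The following is an added example, not code from this bug or from libxml2: it uses Python's bundled expat binding (which does not validate, so only the loading policy is shown), a constructed in-memory stand-in for the operator's DTD directory, and a constructed DTD chain that mirrors my.dtd pulling in an external .ent file; all names in it are assumptions.

```python
import xml.parsers.expat as expat

# Constructed stand-in for the operator-controlled DTD directory. Only these
# system identifiers may be fetched; note.dtd pulls in shared.ent, mirroring
# the my.dtd -> %external-entity-file.ent; chain from the bug report.
TRUSTED_DTD_FILES = {
    "note.dtd": '<!ENTITY % shared SYSTEM "shared.ent">\n%shared;\n'
                '<!ELEMENT note (#PCDATA)>\n',
    "shared.ent": '<!ENTITY greeting "hello from shared.ent">\n',
}

# Constructed inputs: one names a DTD the operator ships, the other points
# anywhere else (a reserved .invalid host here) and must not be fetched.
SAMPLE_DOC = '<!DOCTYPE note SYSTEM "note.dtd"><note>&greeting;</note>'
UNTRUSTED_DOC = ('<!DOCTYPE note SYSTEM "http://example.invalid/remote.dtd">'
                 '<note>&greeting;</note>')


def parse_with_trusted_dtd(xml_text):
    """Parse xml_text, resolving external (parameter) entities only from
    TRUSTED_DTD_FILES. Returns (text, loaded_ids, refused_ids)."""
    text, loaded, refused = [], [], []

    def attach_handlers(p):
        # Each parser gets its own closure so a nested %ref; chain creates
        # the child parser from the parser that actually hit the reference.
        def external_entity_ref(context, base, system_id, public_id):
            body = TRUSTED_DTD_FILES.get(system_id)
            if body is None:
                refused.append(system_id)
                # Skip it; returning 0 would abort the whole parse. Entities
                # it would have declared are then treated as skipped.
                return 1
            loaded.append(system_id)
            child = p.ExternalEntityParserCreate(context)  # context is None for PEs
            attach_handlers(child)
            child.Parse(body, True)
            return 1

        p.ExternalEntityRefHandler = external_entity_ref
        p.CharacterDataHandler = text.append

    root = expat.ParserCreate()
    # expat ignores %ref; to external parameter entities unless told otherwise.
    root.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    attach_handlers(root)
    root.Parse(xml_text, True)
    return "".join(text), loaded, refused
```

The caller decides what a non-empty `refused` list means; for a validating run it should be a hard error rather than the warning-and-continue seen in the xmllint output above.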

Comment 3 Murray McAllister 2014-06-18 02:58:03 UTC
http://www.ubuntu.com/usn/usn-2214-3/ notes "USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a number of regressions." Are all of those covered by this bug, or is a new one needed?

Thanks

Comment 4 beckerje 2014-06-23 13:57:10 UTC
This claims to have a fix:
  https://rhn.redhat.com/errata/RHBA-2014-0766.html

We're testing it now.

Comment 5 Jan Kurik 2017-12-06 12:57:21 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/