Bug 1377996
Summary: | perl-XML-LibXML: Expanding external entities by default | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||||
Status: | CLOSED WONTFIX | QA Contact: | |||||||||||
Severity: | medium | Docs Contact: | |||||||||||
Priority: | medium | ||||||||||||
Version: | unspecified | CC: | carnil, dmoppert, jplesnik, perl-devel, perl-maint-list, ppisar, psabata, sardella | ||||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||||
Target Release: | --- | ||||||||||||
Hardware: | All | ||||||||||||
OS: | Linux | ||||||||||||
Whiteboard: | |||||||||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||||
Doc Text: | Story Points: | --- | |||||||||||
Clone Of: | Environment: | ||||||||||||
Last Closed: | 2018-01-09 02:26:32 UTC | Type: | --- | ||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||
Documentation: | --- | CRM: | |||||||||||
Verified Versions: | Category: | --- | |||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
Embargoed: | |||||||||||||
Bug Depends On: | 1377997 | ||||||||||||
Bug Blocks: | 1395614 | ||||||||||||
Attachments: |
|
Description
Adam Mariš
2016-09-21 09:34:02 UTC
Created perl-libxml-perl tracking bugs for this issue: Affects: fedora-all [bug 1377997] (In reply to Adam Mariš from comment #1) > Created perl-libxml-perl tracking bugs for this issue: > > Affects: fedora-all [bug 1377997] Thant's wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/> that is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora. I forwarded the request for changing default behavior to the LibXML-XML upstream <https://rt.cpan.org/Public/Bug/Display.html?id=118032>. Created attachment 1203692 [details]
Reproducer
This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.
Mitigation: Programs and libraries using XML::LibXML can disable this behaviour by passing `expand_entities => 0` to the constructor XML::LibXML->new(). Created attachment 1206227 [details]
Parametrized reproduder
Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only.
Attached script accepts an optional argument and pass it as expand_entities option value if exists. If you execute it with "0", it also disabled expanding the internal entity. And I think this is wrong.
Created attachment 1206255 [details]
Disable entitiy expansion
Proposed fix that disables entity expansion by default. It affects both external and internal entities.
It still allows to load external DTD.
Created attachment 1232169 [details]
Parametrized reproduder
I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.
XML-LibXML upstream stopped enabling expansion of DTD-defined entities in <https://github.com/shlomif/perl-XML-LibXML/commit/ff99d94a5186fecf90b88379755434739550b5a9> commit and released 2.0202 version. The reproduced now prints: $ ./reproducer <?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY c PUBLIC "bar" "/etc/passwd"> <!ENTITY i "ivalue"> ]> <root> <external>&c;</external> <internal>&i;</internal> <predefined>"</predefined> <numeric>A</numeric> </root> Since it also affects entities defined in the internal DTD, I do not recommend applying the patch to stable distributions. |