Bug 1377996
| Field | Value |
|---|---|
| Summary | perl-XML-LibXML: Expanding external entities by default |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | carnil, dmoppert, jplesnik, perl-devel, perl-maint-list, ppisar, psabata, sardella |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-01-09 02:26:32 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1377997 |
| Bug Blocks | 1395614 |
| Attachments | |
Description
Adam Mariš
2016-09-21 09:34:02 UTC
Created perl-libxml-perl tracking bugs for this issue:

Affects: fedora-all [bug 1377997]

(In reply to Adam Mariš from comment #1)
> Created perl-libxml-perl tracking bugs for this issue:
>
> Affects: fedora-all [bug 1377997]

That's the wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/>, which is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora. I forwarded the request for changing the default behavior to the XML-LibXML upstream: <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.

Created attachment 1203692 [details]
Reproducer
This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.
Mitigation: Programs and libraries using XML::LibXML can disable this behaviour by passing `expand_entities => 0` to the constructor XML::LibXML->new().

Created attachment 1206227 [details]
Parametrized reproducer
Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only.
The attached script accepts an optional argument and passes it as the expand_entities option value if it exists. If you execute it with "0", it also disables expanding the internal entity. And I think this is wrong.
Created attachment 1206255 [details]
Disable entity expansion
Proposed fix that disables entity expansion by default. It affects both external and internal entities.
It still allows loading an external DTD.
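The following script is an added illustration of the mitigation quoted above (`expand_entities => 0`) and of its side effect discussed in this thread; it is not one of the attachments or the project's own code. It builds a document modelled on the reproducer, with a placeholder file path instead of a real one, parses it with a hardened XML::LibXML parser (also turning off external DTD loading and network access, which the proposed patch leaves enabled), and checks that neither the external nor the internal entity reference was expanded.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Constructed input modelled on the reproducer attached to this bug:
# one external parsed entity and one internal entity. The SYSTEM path is a
# placeholder for the example, not a real file that should be read.
my $xml = <<'END_XML';
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY c SYSTEM "/path/to/placeholder.txt">
  <!ENTITY i "ivalue">
]>
<root><external>&c;</external><internal>&i;</internal></root>
END_XML

# Parser settings for untrusted input. expand_entities => 0 is the mitigation
# from this bug report; as the discussion notes, it also stops internal
# entities such as &i; from being expanded. load_ext_dtd => 0 and
# no_network => 1 additionally stop the external DTD fetch that the proposed
# patch still allows.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
    );
}

my $doc = hardened_parser()->parse_string($xml);
my $out = $doc->toString;
print $out;

# Both references survive as entity reference nodes in the serialized tree
# instead of being replaced by file content or by the literal "ivalue".
die "external entity was expanded\n" unless $out =~ /&c;/;
die "internal entity was expanded\n" unless $out =~ /&i;/;
print "no entities expanded\n";
```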
Created attachment 1232169 [details]
Parametrized reproducer
I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.
XML-LibXML upstream stopped enabling expansion of DTD-defined entities in commit <https://github.com/shlomif/perl-XML-LibXML/commit/ff99d94a5186fecf90b88379755434739550b5a9> and released version 2.0202. The reproducer now prints:

```
$ ./reproducer
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY c PUBLIC "bar" "/etc/passwd">
<!ENTITY i "ivalue">
]>
<root>
<external>&c;</external>
<internal>&i;</internal>
<predefined>"</predefined>
<numeric>A</numeric>
</root>
```

Since it also affects entities defined in the internal DTD, I do not recommend applying the patch to stable distributions.