Bug 1395609 (CVE-2016-9318)

Summary: CVE-2016-9318 libxml2: XML External Entity vulnerability
Product: [Other] Security Response    Reporter: Adam Mariš <amaris>
Component: vulnerability    Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX    QA Contact:
Severity: medium    Docs Contact:
Priority: medium
Version: unspecified    CC: athmanem, carnil, c.david86, csutherl, dmoppert, erik-fedora, fedora-mingw, gzaronik, jclere, ktietz, mbabacek, mturk, ohudlick, rjones, sardella, twalsh, veillard
Target Milestone: ---    Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:    Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:    Environment:
Last Closed: 2018-01-09 02:39:46 UTC    Type: ---
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: ---    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Embargoed:
Bug Depends On: 1395610, 1395611, 1395612
Bug Blocks: 1395614, 1411794

Description Adam Mariš 2016-11-16 09:52:09 UTC
An Improper Restriction of XML External Entity Reference vulnerability was found in libxml2. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=772726

Comment 1 Adam Mariš 2016-11-16 09:52:53 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395610]

Comment 2 Adam Mariš 2016-11-16 09:53:01 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395611]
Affects: epel-7 [bug 1395612]

Comment 7 Doran Moppert 2017-08-30 05:28:48 UTC
See also CVE-2017-7375 (bug 1462203) which is a similar failure to restrict external entities.  The fix for CVE-2016-9318 (when it's ready) should also close that flaw.

Comment 8 Doran Moppert 2018-01-09 02:38:35 UTC
Upstream is still working on a way to disable external entities while allowing internal entity expansion to work, which will likely eventually surface as a new option flag.  Since RPC interfaces and other instances where untrusted documents are parsed normally do not rely on internal entity expansion, the mitigation is acceptable in these environments.  If instances are discovered where this mitigation is not acceptable, Product Security will evaluate these and determine a suitable solution.

Comment 9 Doran Moppert 2018-01-09 02:38:47 UTC
Mitigation:

Applications parsing untrusted input with libxml2 should be careful to NOT use entity expansion (enabled by XML_PARSE_NOENT) or DTD validation (XML_PARSE_DTDLOAD, XML_PARSE_DTDVALID) on such input.
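The mitigation in comment 9, shown as an added example that is not part of this bug report or of libxml2 itself. It uses lxml (a Python binding over libxml2) because its parser keywords map directly onto the flags named above: resolve_entities sets XML_PARSE_NOENT, load_dtd sets XML_PARSE_DTDLOAD, dtd_validation sets XML_PARSE_DTDVALID. The document, the entity name `ext` and the local file it points at are all constructed here; a parser configured the risky way inlines the file's contents, the hardened parser leaves the reference unexpanded.

```python
import os
import tempfile
from lxml import etree

# Configuration comment 9 warns against for untrusted input:
# entity expansion (XML_PARSE_NOENT) and DTD loading (XML_PARSE_DTDLOAD) on.
RISKY_PARSER = etree.XMLParser(resolve_entities=True, load_dtd=True, no_network=True)

# Hardened configuration: no entity expansion, no DTD loading, no DTD
# validation, and no network fetches for anything the DTD might reference.
HARDENED_PARSER = etree.XMLParser(
    resolve_entities=False, load_dtd=False, dtd_validation=False, no_network=True
)


def build_sample_document(local_path: str) -> bytes:
    """Constructed untrusted input: the internal DTD subset declares an external
    parsed entity whose replacement text is a local file (here one we created)."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE doc [\n"
        b'  <!ENTITY ext SYSTEM "file://' + local_path.encode() + b'">\n'
        b"]>\n"
        b"<doc>&ext;</doc>\n"
    )


def parse_to_string(xml_bytes: bytes, parser: etree.XMLParser) -> str:
    """Parse with the given parser and serialize the root element, so that an
    unexpanded entity reference stays visible as '&ext;' in the output."""
    root = etree.fromstring(xml_bytes, parser)
    return etree.tostring(root, encoding="unicode")


def demo() -> dict:
    """Parse the same constructed document with both parsers and return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "local-secret.txt")  # constructed stand-in
        with open(secret_path, "w") as fh:
            fh.write("LOCAL-SECRET-MARKER")
        doc = build_sample_document(secret_path)
        return {
            "risky": parse_to_string(doc, RISKY_PARSER),
            "hardened": parse_to_string(doc, HARDENED_PARSER),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```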