Bug 1437311 (CVE-2017-1000061)

Summary: CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ssorce, tmraz, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-21 05:36:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1472089, 1472090, 1472091, 1472092
Bug Blocks: 1395614

Description Doran Moppert 2017-03-30 03:41:50 UTC
xmlsec is vulnerable to XML External Entity Expansion via libxml2 (see CVE-2016-9318). A workaround is in progress on the upstream bug report.

Upstream bug:

https://github.com/lsh123/xmlsec/issues/43

Comment 2 Simo Sorce 2017-03-30 13:08:35 UTC
Is this affecting only the command line utility?

Comment 3 Doran Moppert 2017-03-31 05:27:50 UTC
(In reply to Simo Sorce from comment #2)
> Is this affecting only the command line utility?

The library is affected as well, as it uses libxml2 in the same way.

Comment 4 Simo Sorce 2017-03-31 17:12:01 UTC
I see no patch for the library upstream.
What's the recommendation?

Comment 5 Doran Moppert 2017-04-03 00:54:24 UTC
(In reply to Simo Sorce from comment #4)
> I see no patch for the library upstream.
> What's the recommendation?

The merge request on the upstream ticket applies to the library as well (xmlSecInit() in src/xmlsec.c).

Comment 6 Doran Moppert 2017-07-18 05:07:50 UTC
Upstream patch:

https://github.com/lsh123/xmlsec/pull/93/files

Comment 7 Doran Moppert 2017-07-18 05:08:26 UTC
Created xmlsec1 tracking bugs for this issue:

Affects: epel-7 [bug 1472090]
Affects: fedora-all [bug 1472089]

Comment 13 errata-xmlrpc 2017-08-21 04:58:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2492 https://access.redhat.com/errata/RHSA-2017:2492
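The Doc Text and comment 5 above describe the failure mode: a parser configured for validation also fetches external entities, and the remedy is to block those loads at the entity-loader level. The following added example is not xmlsec's code; it uses Python's standard-library expat binding instead of libxml2 and a constructed sample file, and shows the unsafe parser state beside two hardened ones, including a refusing entity resolver in the spirit of the loader change referenced for xmlSecInit().

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

class RefusingResolver(EntityResolver):
    """Refuses every external entity and surfaces the attempt (hypothetical helper)."""
    def resolveEntity(self, publicId, systemId):
        raise ValueError(f"external entity blocked: {systemId}")

def parse_text(xml_bytes, allow_external=False, refuse=False):
    """Return the character data of xml_bytes. allow_external=True reproduces the
    unsafe state from the report; refuse=True installs RefusingResolver instead."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # Feature off (expat's default): the reference expands to nothing; on: the resolver decides.
    parser.setFeature(feature_external_ges, allow_external or refuse)
    if refuse:
        parser.setEntityResolver(RefusingResolver())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)

def demo():
    # Constructed sample: a local file standing in for the data an XXE payload would pull in.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("local-file-contents")
        path = f.name
    doc = f'<!DOCTYPE d [<!ENTITY ext SYSTEM "{path}">]><d>&ext;</d>'.encode()
    try:
        leaked = parse_text(doc, allow_external=True)  # unsafe: file is read
        blocked = parse_text(doc)                      # safe default: empty
        try:
            parse_text(doc, refuse=True)
            refused = False
        except ValueError:
            refused = True
    finally:
        os.unlink(path)
    return leaked, blocked, refused
```

The refusing resolver is the useful variant for detection: an exception (or a log line in its place) marks every document that tried to reach outside the parser, which the silent default hides.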