Description of problem:

libguestfs parses XML files in various places:

 - libvirt capabilities XML
 - libvirt domain XML
 - libosinfo XML database files

In the unlikely case that either libvirt or libosinfo included external entities then this means we could open network connections unintentionally. It's not clear that this is exploitable, but it's best to avoid it.

For comparison of how to do it correctly, see libvirt src/util/virxml.c.

Version-Release number of selected component (if applicable):

libguestfs 1.27.3

Additional info:

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Note that "XML_PARSE_NOENT" is very confusing. Setting this flag causes entities to be *parsed*!!

It seems we should set XML_PARSE_NONET (disable network connections). It's not clear to me if this is the default or not.

Areas of concern:

$ git grep xmlParse
fish/uri.c: uri = xmlParseURI (arg);
src/launch-libvirt.c: doc = xmlParseMemory (capabilities_xml, strlen (capabilities_xml));
src/libvirt-domain.c: doc = xmlParseMemory (xml, strlen (xml));
src/osinfo.c: doc = xmlParseFile (pathname);
v2v/xml-c.c: doc = xmlParseMemory (String_val (xmlv), caml_string_length (xmlv));
v2v/xml.mli:(** xmlParseMemory *)
(In reply to Richard W.M. Jones from comment #0)
> Areas of concern:
> [...]
> fish/uri.c: uri = xmlParseURI (arg);

This just parses a URI string, so should not matter.

> v2v/xml-c.c: doc = xmlParseMemory (String_val (xmlv), caml_string_length (xmlv));
> v2v/xml.mli:(** xmlParseMemory *)

These don't exist in master yet.

> src/launch-libvirt.c: doc = xmlParseMemory (capabilities_xml, strlen (capabilities_xml));
> src/libvirt-domain.c: doc = xmlParseMemory (xml, strlen (xml));
> src/osinfo.c: doc = xmlParseFile (pathname);

It seems these don't do entity expansion by default, so https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing should not apply.

However, to be sure, I replaced xmlParse{File,Memory} with xmlRead{File,Memory}, so we can explicitly set XML_PARSE_NONET (and other flags may be added, if needed).

The result seems unchanged.
Created attachment 885457
xmlParse{File,Memory} -> xmlRead{File,Memory}
ACK. Let's not push this yet until the libvirt patch has been made public.
This bug is also embargoed until the dependent libvirt bug is published.
The publication date is: Tuesday May 6th at 1200 UTC.
Patch committed as https://github.com/libguestfs/libguestfs/commit/845daded5fddc70fc5e822769bc1e2a8cbead7ca which is in libguestfs >= 1.27.9.
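
The triage done by hand in this thread (grep for xmlParse, skip xmlParseURI, move document parsers to xmlRead* with XML_PARSE_NONET) can be scripted as a tree audit. The following is an added example, not code from libguestfs or from the attached patch; the SAMPLE call sites and the example/*.c paths are constructed for illustration, and the check is a heuristic that only sees flags written literally on the same line as the call.

```python
import re

# Real libxml2 names: xmlParse* take no options, xmlRead* take a flags bitmask last.
LEGACY = {"xmlParseFile", "xmlParseMemory", "xmlParseDoc"}
READ = {"xmlReadFile", "xmlReadMemory", "xmlReadDoc"}
CALL = re.compile(r"\b(xml(?:Parse|Read)\w+)\s*\(")

def call_args(text, open_paren):
    """Return the text between a call's parentheses, honouring nesting."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]  # unbalanced: take the rest of the line

def audit(path, source):
    """Yield (path, line_no, function, verdict); xmlParseURI and similar are skipped."""
    # Heuristic: single-line calls with literal flags only.
    for no, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            name = m.group(1)
            if name in LEGACY:
                yield path, no, name, "legacy: no options argument, use xmlRead*"
            elif name in READ:
                flags = set(re.findall(r"XML_PARSE_\w+", call_args(line, m.end() - 1)))
                if "XML_PARSE_NOENT" in flags:
                    yield path, no, name, "XML_PARSE_NOENT substitutes entities"
                elif "XML_PARSE_NONET" not in flags:
                    yield path, no, name, "XML_PARSE_NONET missing"
                else:
                    yield path, no, name, "ok"

# Constructed sample: two call sites shaped like those listed in the bug, plus
# hypothetical xmlRead* calls (example/*.c) to exercise the other verdicts.
SAMPLE = {
    "fish/uri.c": "  uri = xmlParseURI (arg);",
    "src/osinfo.c": "  doc = xmlParseFile (pathname);",
    "example/good.c": "  doc = xmlReadMemory (xml, strlen (xml), NULL, NULL, XML_PARSE_NONET);",
    "example/bad.c": "  doc = xmlReadFile (p, NULL, XML_PARSE_NOENT | XML_PARSE_NONET);",
}

if __name__ == "__main__":
    for path, src in SAMPLE.items():
        for finding in audit(path, src):
            print("%s:%d: %s: %s" % finding)
```

Calls that build the options in a variable or spread across several lines are reported as "XML_PARSE_NONET missing" and need a manual look.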