Red Hat Bugzilla – Bug 1264813
ggz-base-libs: does not disable internal XML entity expansion
Last modified: 2016-04-26 04:38:51 EDT
+++ This bug was initially created as a clone of Bug #889142 +++
ggz-base-libs 0.99.5 contains the following code in ggzcore/netxml.c:
    if (!(net->parser = XML_ParserCreate("UTF-8")))
        ("Couldn't allocate memory for XML parser");

    /* Setup handlers for tags */
This does not disable expansion of XML entities in the internal DTD subset, making the code subject to denial-of-service attacks ("billion laughs"). It seems the data comes from the network, so a trust boundary is crossed, making this a (low impact) security issue.
Adding the following handler using
should be sufficient to address this issue.
// Stop the parser when an entity declaration is encountered.
// (Handler name assumed; userData is expat's handler argument, taken here
// to be the XML_Parser itself, as set up by XML_UseParserAsHandlerArg.)
static void entity_declaration(void *userData,
    const XML_Char *entityName, int is_parameter_entity,
    const XML_Char *value, int value_length,
    const XML_Char *base, const XML_Char *systemId,
    const XML_Char *publicId, const XML_Char *notationName)
{ XML_StopParser((XML_Parser) userData, XML_FALSE); }
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.
More information and reason for this action is here:
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
ggzcore's xml parsing is actually intended to parse xml coming from the network, so I'm afraid that disallowing network based dtd-s may break things ...
(In reply to Hans de Goede from comment #4)
> ggzcore's xml parsing is actually intended to parse xml coming from the
> network, so I'm afraid that disallowing network based dtd-s may break things
Do you expect these XML documents contain an internal DTD subset?
(In reply to Florian Weimer from comment #5)
> (In reply to Hans de Goede from comment #4)
> > ggzcore's xml parsing is actually intended to parse xml coming from the
> > network, so I'm afraid that disallowing network based dtd-s may break things
> > ...
> Do you expect these XML documents contain an internal DTD subset?
XML is not really my forte so I do not know, I just picked up ggz because it is a dep of a couple of games I [co-]maintain. Looking at the code / protocol it does not seem to use DTDs at all, the code in question is for parsing a streaming XML protocol with messages like this:
So I think that the fix you suggested is safe and should not lead to regressions, if you think the same I'll go ahead and add your fix.
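An added example, not code from ggz-base-libs or from either commenter, showing what the entity-declaration handler proposed in the initial report does and why it answers the question raised in the last two comments. It uses Python's standard-library binding to expat (xml.parsers.expat): the parser's EntityDeclHandler attribute corresponds to XML_SetEntityDeclHandler in the C API, and raising an exception from the handler plays the role of XML_StopParser. Both input documents are constructed for this example: a deliberately tiny "billion laughs" document (3 levels of 4 rather than the usual 10 of 10, so the unguarded parse stays cheap) and a DTD-free message in the style of a streaming XML protocol, which is not an actual ggz protocol message.

```python
"""Effect of an expat entity-declaration handler on a "billion laughs" document.

Added example; it is not code from ggz-base-libs.  Python's xml.parsers.expat
exposes the same libexpat the C code uses, so the behaviour shown here is the
behaviour the proposed C handler would produce.
"""

import xml.parsers.expat as expat


class EntityDeclarationRejected(Exception):
    """Raised from the handler to abort the parse (XML_StopParser in C)."""


# Constructed sample: a scaled-down "billion laughs" document.  Three levels
# of fan-out 4 expand to 4**3 * len("lol") = 192 characters; the real attack
# nests ten levels of ten and expands to roughly 10**9 * 3 characters.
BILLION_LAUGHS = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "&lol;&lol;&lol;&lol;">\n'
    ' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">\n'
    ' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">\n'
    ']>\n'
    '<lolz>&lol3;</lolz>'
)

# Constructed sample of a DTD-free message in the style of a streaming XML
# protocol (not an actual ggz message).
PLAIN_MESSAGE = '<MESSAGE><TEXT>hello</TEXT></MESSAGE>'


def make_parser(reject_entities):
    """Create an expat parser that collects character data.

    With reject_entities=True an EntityDeclHandler is installed that aborts
    the parse at the first <!ENTITY ...> declaration, before any expansion
    can take place.  This mirrors XML_SetEntityDeclHandler + XML_StopParser.
    """
    parser = expat.ParserCreate("UTF-8")
    text = []
    parser.CharacterDataHandler = text.append

    if reject_entities:
        def entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
            # Any exception raised here propagates out of Parse().
            raise EntityDeclarationRejected(entity_name)

        parser.EntityDeclHandler = entity_decl

    return parser, text


def parse(document, reject_entities):
    """Parse `document` and report the outcome.

    Returns ("ok", <number of expanded characters>) when the document was
    accepted, or ("rejected", <entity name>) when the guard handler stopped
    the parse at an entity declaration.
    """
    parser, text = make_parser(reject_entities)
    try:
        parser.Parse(document, True)
    except EntityDeclarationRejected as exc:
        return ("rejected", str(exc))
    return ("ok", len("".join(text)))


if __name__ == "__main__":
    for label, doc in (("billion laughs", BILLION_LAUGHS),
                       ("plain message", PLAIN_MESSAGE)):
        print(label, "unguarded:", parse(doc, reject_entities=False))
        print(label, "guarded:  ", parse(doc, reject_entities=True))
```

Without the handler, expat expands the internal-subset entities and delivers all 192 characters; the full-size attack would do the same with about three gigabytes. With the handler, the parse is rejected at the first declaration (entity "lol"), so the expansion never starts and the document's size is irrelevant. The DTD-free message returns ("ok", 5) in both configurations, which is why the handler does not affect a protocol that, as the last comment observes, never uses DTDs.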