It was found that XML::LibXML is vulnerable to XXE attack as it has enabled external entity loading by default. Bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097
Created perl-libxml-perl tracking bugs for this issue: Affects: fedora-all [bug 1377997]
(In reply to Adam Mariš from comment #1) > Created perl-libxml-perl tracking bugs for this issue: > > Affects: fedora-all [bug 1377997] Thant's wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/> that is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora.
I forwarded the request for changing default behavior to the LibXML-XML upstream <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.
Created attachment 1203692 [details] Reproducer This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.
Mitigation: Programs and libraries using XML::LibXML can disable this behaviour by passing `expand_entities => 0` to the constructor XML::LibXML->new().
Created attachment 1206227 [details] Parametrized reproduder Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only. Attached script accepts an optional argument and pass it as expand_entities option value if exists. If you execute it with "0", it also disabled expanding the internal entity. And I think this is wrong.
Created attachment 1206255 [details] Disable entitiy expansion Proposed fix that disables entity expansion by default. It affects both external and internal entities. It still allows to load external DTD.
Created attachment 1232169 [details] Parametrized reproduder I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.
XML-LibXML upstream stopped enabling expansion of DTD-defined entities in <https://github.com/shlomif/perl-XML-LibXML/commit/ff99d94a5186fecf90b88379755434739550b5a9> commit and released 2.0202 version. The reproduced now prints: $ ./reproducer <?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY c PUBLIC "bar" "/etc/passwd"> <!ENTITY i "ivalue"> ]> <root> <external>&c;</external> <internal>&i;</internal> <predefined>"</predefined> <numeric>A</numeric> </root> Since it also affects entities defined in the internal DTD, I do not recommend applying the patch to stable distributions.