Bug 1377996 - perl-XML-LibXML: Expanding external entities by default
Summary: perl-XML-LibXML: Expanding external entities by default
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20160917,repor...
Depends On: 1377997
Blocks: 1395614
TreeView+ depends on / blocked
Reported: 2016-09-21 09:34 UTC by Adam Mariš
Modified: 2019-06-08 21:27 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-01-09 02:26:32 UTC

Attachments (Terms of Use)
Reproducer (187 bytes, text/plain)
2016-09-22 11:49 UTC, Petr Pisar
no flags Details
Parametrized reproduder (187 bytes, text/plain)
2016-09-30 11:46 UTC, Petr Pisar
no flags Details
Disable entitiy expansion (2.55 KB, patch)
2016-09-30 13:05 UTC, Petr Pisar
no flags Details | Diff
Parametrized reproduder (409 bytes, text/plain)
2016-12-15 13:17 UTC, Petr Pisar
no flags Details

System ID Priority Status Summary Last Updated
CPAN 118032 None None None 2016-09-22 11:45:48 UTC

Description Adam Mariš 2016-09-21 09:34:02 UTC
It was found that XML::LibXML is vulnerable to XXE attack as it has enabled external entity loading by default.

Bug report:


Comment 1 Adam Mariš 2016-09-21 09:34:33 UTC
Created perl-libxml-perl tracking bugs for this issue:

Affects: fedora-all [bug 1377997]

Comment 2 Petr Pisar 2016-09-22 11:00:12 UTC
(In reply to Adam Mariš from comment #1)
> Created perl-libxml-perl tracking bugs for this issue:
> Affects: fedora-all [bug 1377997]

Thant's wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/> that is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora.

Comment 3 Petr Pisar 2016-09-22 11:45:48 UTC
I forwarded the request for changing default behavior to the LibXML-XML upstream <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.

Comment 4 Petr Pisar 2016-09-22 11:49:03 UTC
Created attachment 1203692 [details]

This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.

Comment 5 Doran Moppert 2016-09-26 03:18:34 UTC

Programs and libraries using XML::LibXML can disable this behaviour by
passing `expand_entities => 0` to the constructor XML::LibXML->new().

Comment 6 Petr Pisar 2016-09-30 11:46:56 UTC
Created attachment 1206227 [details]
Parametrized reproduder

Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only.

Attached script accepts an optional argument and pass it as expand_entities option value if exists. If you execute it with "0", it also disabled expanding the internal entity. And I think this is wrong.

Comment 7 Petr Pisar 2016-09-30 13:05:03 UTC
Created attachment 1206255 [details]
Disable entitiy expansion

Proposed fix that disables entity expansion by default. It affects both external and internal entities.

It still allows to load external DTD.

Comment 9 Petr Pisar 2016-12-15 13:17:09 UTC
Created attachment 1232169 [details]
Parametrized reproduder

I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.

Note You need to log in before you can comment on or make changes to this bug.