Bug 1377996 - perl-XML-LibXML: Expanding external entities by default
Summary: perl-XML-LibXML: Expanding external entities by default
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1377997
Blocks: 1395614
TreeView+ depends on / blocked
 
Reported: 2016-09-21 09:34 UTC by Adam Mariš
Modified: 2020-01-13 14:49 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-09 02:26:32 UTC


Attachments (Terms of Use)
Reproducer (187 bytes, text/plain)
2016-09-22 11:49 UTC, Petr Pisar
no flags Details
Parametrized reproduder (187 bytes, text/plain)
2016-09-30 11:46 UTC, Petr Pisar
no flags Details
Disable entitiy expansion (2.55 KB, patch)
2016-09-30 13:05 UTC, Petr Pisar
no flags Details | Diff
Parametrized reproduder (409 bytes, text/plain)
2016-12-15 13:17 UTC, Petr Pisar
no flags Details


Links
System ID Priority Status Summary Last Updated
CPAN 118032 None None None 2016-09-22 11:45:48 UTC

Description Adam Mariš 2016-09-21 09:34:02 UTC
It was found that XML::LibXML is vulnerable to XXE attack as it has enabled external entity loading by default.

Bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097

Comment 1 Adam Mariš 2016-09-21 09:34:33 UTC
Created perl-libxml-perl tracking bugs for this issue:

Affects: fedora-all [bug 1377997]

Comment 2 Petr Pisar 2016-09-22 11:00:12 UTC
(In reply to Adam Mariš from comment #1)
> Created perl-libxml-perl tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1377997]

Thant's wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/> that is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora.

Comment 3 Petr Pisar 2016-09-22 11:45:48 UTC
I forwarded the request for changing default behavior to the LibXML-XML upstream <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.

Comment 4 Petr Pisar 2016-09-22 11:49:03 UTC
Created attachment 1203692 [details]
Reproducer

This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.

Comment 5 Doran Moppert 2016-09-26 03:18:34 UTC
Mitigation:

Programs and libraries using XML::LibXML can disable this behaviour by
passing `expand_entities => 0` to the constructor XML::LibXML->new().

Comment 6 Petr Pisar 2016-09-30 11:46:56 UTC
Created attachment 1206227 [details]
Parametrized reproduder

Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only.

Attached script accepts an optional argument and pass it as expand_entities option value if exists. If you execute it with "0", it also disabled expanding the internal entity. And I think this is wrong.

Comment 7 Petr Pisar 2016-09-30 13:05:03 UTC
Created attachment 1206255 [details]
Disable entitiy expansion

Proposed fix that disables entity expansion by default. It affects both external and internal entities.

It still allows to load external DTD.

Comment 9 Petr Pisar 2016-12-15 13:17:09 UTC
Created attachment 1232169 [details]
Parametrized reproduder

I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.

Comment 12 Petr Pisar 2020-01-13 14:49:03 UTC
XML-LibXML upstream stopped enabling expansion of DTD-defined entities in <https://github.com/shlomif/perl-XML-LibXML/commit/ff99d94a5186fecf90b88379755434739550b5a9> commit and released 2.0202 version. The reproduced now prints:

$ ./reproducer
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY c PUBLIC "bar" "/etc/passwd">
<!ENTITY i "ivalue">
]>
<root>
    <external>&c;</external>
    <internal>&i;</internal>
    <predefined>"</predefined>
    <numeric>A</numeric>
</root>

Since it also affects entities defined in the internal DTD, I do not recommend applying the patch to stable distributions.


Note You need to log in before you can comment on or make changes to this bug.