Bug 1395609 - (CVE-2016-9318) CVE-2016-9318 libxml2: XML External Entity vulnerability
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20161006,repor...
Keywords: Security
Depends On: 1395612 1395610 1395611
Blocks: 1395614 CVE-2016-10127
Reported: 2016-11-16 04:52 EST by Adam Mariš
Modified: 2018-01-08 21:39 EST
Last Closed: 2018-01-08 21:39:46 EST
Description Adam Mariš 2016-11-16 04:52:09 EST
An Improper Restriction of XML External Entity Reference vulnerability was found in libxml2. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=772726
Comment 1 Adam Mariš 2016-11-16 04:52:53 EST
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395610]
Comment 2 Adam Mariš 2016-11-16 04:53:01 EST
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395611]
Affects: epel-7 [bug 1395612]
Comment 7 Doran Moppert 2017-08-30 01:28:48 EDT
See also CVE-2017-7375 (bug 1462203) which is a similar failure to restrict external entities.  The fix for CVE-2016-9318 (when it's ready) should also close that flaw.
Comment 8 Doran Moppert 2018-01-08 21:38:35 EST
Upstream is still working on a way to disable external entities while allowing internal entity expansion to work, which will likely eventually surface as a new option flag.  Since RPC interfaces and other instances where untrusted documents are parsed normally do not rely on internal entity expansion, the mitigation is acceptable in these environments.  If instances are discovered where this mitigation is not acceptable, Product Security will evaluate these and determine a suitable solution.
Comment 9 Doran Moppert 2018-01-08 21:38:47 EST
Mitigation:

Applications parsing untrusted input with libxml2 should be careful to NOT use entity expansion (enabled by XML_PARSE_NOENT) or DTD validation (XML_PARSE_DTDLOAD, XML_PARSE_DTDVALID) on such input.
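
An added example, not part of the bug report or of libxml2: one way to audit C source for call sites that pass the options named in the mitigation above. The list of libxml2 functions checked and the sample source are assumptions constructed for illustration, and options passed through a variable are not detected.

```python
import re

# Options the mitigation says not to use on untrusted input.
RISKY_FLAGS = ("XML_PARSE_NOENT", "XML_PARSE_DTDLOAD", "XML_PARSE_DTDVALID")
# libxml2 functions that accept a parser-options argument.
PARSE_CALLS = ("xmlReadFile", "xmlReadMemory", "xmlReadDoc", "xmlReadFd",
               "xmlCtxtReadFile", "xmlCtxtReadMemory", "xmlCtxtReadDoc",
               "xmlCtxtUseOptions")

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
_CALL = re.compile(r"\b(" + "|".join(PARSE_CALLS) + r")\s*\(")

def _blank_comments(src):
    """Replace C comments with spaces, keeping newlines and string literals."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, src)

def find_risky_calls(src):
    """Return (line, function, [flags]) for each call naming a risky option."""
    src = _blank_comments(src)
    findings = []
    for m in _CALL.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:          # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        args = src[m.end():i - 1]
        flags = [f for f in RISKY_FLAGS if re.search(rf"\b{f}\b", args)]
        if flags:
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), flags))
    return findings

# Constructed sample source (hypothetical application code).
SAMPLE_C = r'''
xmlDocPtr load_cfg(const char *path) {
    return xmlReadFile(path, NULL, XML_PARSE_NONET /* not XML_PARSE_NOENT */);
}
xmlDocPtr load_req(const char *buf, int len) {
    return xmlReadMemory(buf, len, "req.xml", NULL,
                         XML_PARSE_NOENT | XML_PARSE_DTDLOAD);
}
void setup(xmlParserCtxtPtr ctxt) {
    xmlCtxtUseOptions(ctxt, XML_PARSE_DTDVALID | XML_PARSE_NOWARNING);
}
'''

if __name__ == "__main__":
    for line, func, flags in find_risky_calls(SAMPLE_C):
        print(f"line {line}: {func} uses {', '.join(flags)}")
```

Each finding still needs a manual check of whether the parsed input can come from an untrusted source.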
