It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service.
xmlsec is vulnerable to XML External Entity Expansion via libxml2 (see CVE-2016-9318). A workaround is in progress on the upstream bug report.
Is this affecting only the command line utility?
(In reply to Simo Sorce from comment #2)
> Is this affecting only the command line utility?
The library is affected as well, as it uses libxml2 in the same way.
I see no patch for the library upstream.
What's the recommendation?
(In reply to Simo Sorce from comment #4)
> I see no patch for the library upstream.
> What's the recommendation?
The merge request on the upstream ticket applies to the library as well (xmlSecInit() in src/xmlsec.c).
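The issue described at the top of this report is that the parser, with DTD loading and validation enabled, will fetch any external resource the document's DOCTYPE names. Until a consumer can pick up the parser-side fix (the change to xmlSecInit() referred to above), one defensive check the calling application can apply is to inspect the DOCTYPE itself and refuse documents that declare external resources. The following is an added example, not xmlsec1 or libxml2 code; the function names (`external_references`, `is_safe_for_xxe_prone_parser`), the `Finding` type, and the sample documents with their `example.invalid` URIs and `/tmp` path are all constructed for illustration.

```python
"""Pre-parse screen for XML that will be handed to a DTD-loading parser.

Added example (not xmlsec1 or libxml2 code). It reports every construct in a
DOCTYPE that would make a parser with DTD/entity loading enabled fetch an
external resource: an external DTD subset, external general entities and
external parameter entities. A caller can reject such input before the
library parses it. This is a screen on the document text, not a DTD parser;
the real fix is disabling external entity/DTD loading in the parser options.
"""
import re
from dataclasses import dataclass

# A quoted literal, double- or single-quoted (constructed helper pattern).
_QUOTED = rb"(\"[^\"]*\"|'[^']*')"

# DOCTYPE declaration: root name, optional SYSTEM/PUBLIC external id,
# optional internal subset between [ ... ].
_DOCTYPE_RE = re.compile(
    rb"<!DOCTYPE\s+[^\s\[>]+"
    rb"(?:\s+(SYSTEM|PUBLIC)\s+" + _QUOTED + rb"(?:\s+" + _QUOTED + rb")?)?"
    rb"\s*(?:\[(.*?)\])?\s*>",
    re.DOTALL,
)
# General (<!ENTITY n ...>) or parameter (<!ENTITY % n ...>) entity whose
# value is an external identifier rather than a literal string.
_EXT_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(%\s*)?([^\s]+)\s+(SYSTEM|PUBLIC)\s+" + _QUOTED
    + rb"(?:\s+" + _QUOTED + rb")?",
    re.DOTALL,
)
_COMMENT_RE = re.compile(rb"<!--.*?-->", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    kind: str   # "external-dtd", "external-entity" or "external-parameter-entity"
    name: str   # entity name ("" for the external DTD subset)
    uri: str    # system literal the parser would fetch


def _unquote(tok: bytes) -> str:
    return tok[1:-1].decode("utf-8", "replace")


def external_references(xml: bytes) -> list[Finding]:
    """Return every external resource the DOCTYPE of `xml` refers to."""
    findings: list[Finding] = []
    # Drop comments first so a commented-out declaration is not reported.
    doc = _COMMENT_RE.sub(b"", xml)
    m = _DOCTYPE_RE.search(doc)
    if not m:
        return findings
    ext_kind, first, second, subset = m.groups()
    if ext_kind:
        # For PUBLIC the system literal is the second quoted string.
        uri = second if ext_kind == b"PUBLIC" and second else first
        findings.append(Finding("external-dtd", "", _unquote(uri)))
    if subset:
        for pe, name, kind, first, second in _EXT_ENTITY_RE.findall(subset):
            uri = second if kind == b"PUBLIC" and second else first
            findings.append(Finding(
                "external-parameter-entity" if pe else "external-entity",
                name.decode("utf-8", "replace"),
                _unquote(uri),
            ))
    return findings


def is_safe_for_xxe_prone_parser(xml: bytes) -> bool:
    """True when the DOCTYPE names no external resource at all."""
    return not external_references(xml)


# Constructed sample documents (not from the bug report).
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY greeting "hello">
  <!ENTITY ext SYSTEM "file:///tmp/constructed-example.txt">
  <!ENTITY % remote SYSTEM "http://dtd.example.invalid/constructed.dtd">
  %remote;
]>
<data>&ext;</data>
"""
SAMPLE_CLEAN = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY greeting "hello"> ]>
<data>&greeting;</data>
"""
SAMPLE_EXTDTD = b"""<?xml version="1.0"?>
<!DOCTYPE data PUBLIC "-//example//constructed//EN" "http://dtd.example.invalid/c.dtd">
<data/>
"""

if __name__ == "__main__":
    for label, doc in (("xxe", SAMPLE_XXE), ("clean", SAMPLE_CLEAN), ("extdtd", SAMPLE_EXTDTD)):
        print(label, "safe" if is_safe_for_xxe_prone_parser(doc) else external_references(doc))
```

The screen only looks at the DOCTYPE, because that is the only place a document can name a resource for the parser to fetch; internal entities with literal values (like `greeting` above) are left alone. It deliberately errs towards rejecting: a parameter entity reference such as `%remote;` can pull in further declarations from the fetched DTD, so any external parameter entity is reported even though the screen cannot see what it would expand to.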
Created xmlsec1 tracking bugs for this issue:
Affects: epel-7 [bug 1472090]
Affects: fedora-all [bug 1472089]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2492 https://access.redhat.com/errata/RHSA-2017:2492