Bug 1437311 (CVE-2017-1000061) - CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
Summary: CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
Status: CLOSED ERRATA
Alias: CVE-2017-1000061
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170330,repor...
Keywords: Security
Depends On: 1472089 1472090 1472091 1472092
Blocks: 1395614
TreeView+ depends on / blocked
 
Reported: 2017-03-30 03:41 UTC by Doran Moppert
Modified: 2019-06-08 21:53 UTC (History)
3 users (show)

(edit)
It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service.
Clone Of:
(edit)
Last Closed: 2017-08-21 05:36:40 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2492 normal SHIPPED_LIVE Moderate: xmlsec1 security update 2017-08-21 08:58:11 UTC

Description Doran Moppert 2017-03-30 03:41:50 UTC
xmlsec is vulnerable to XML External Entity Expansion via libxml2 (see CVE-2016-9318). A workaround is in progress on the upstream bug report.

Upstream bug:

https://github.com/lsh123/xmlsec/issues/43

Comment 2 Simo Sorce 2017-03-30 13:08:35 UTC
Is this affecting only the command line utility ?

Comment 3 Doran Moppert 2017-03-31 05:27:50 UTC
(In reply to Simo Sorce from comment #2)
> Is this affecting only the command line utility ?

The library is affected as well, as it uses libxml2 in the same way.

Comment 4 Simo Sorce 2017-03-31 17:12:01 UTC
I see no patch for the library upstream.
What's the recommendation ?

Comment 5 Doran Moppert 2017-04-03 00:54:24 UTC
(In reply to Simo Sorce from comment #4)
> I see no patch for the library upstream.
> What's the recommendation ?

The merge request on the upstream ticket applies to the library as well (xmlSecInit() in src/xmlsec.c).

Comment 6 Doran Moppert 2017-07-18 05:07:50 UTC
Upstream patch:

https://github.com/lsh123/xmlsec/pull/93/files

Comment 7 Doran Moppert 2017-07-18 05:08:26 UTC
Created xmlsec1 tracking bugs for this issue:

Affects: epel-7 [bug 1472090]
Affects: fedora-all [bug 1472089]

Comment 13 errata-xmlrpc 2017-08-21 04:58:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2492 https://access.redhat.com/errata/RHSA-2017:2492


Note You need to log in before you can comment on or make changes to this bug.