Bugzilla – Bug 929237
VUL-1: CVE-2015-3451: perl-XML-LibXML: "expand_entities" option was not preserved under some circumstances
Last modified: 2016-09-08 10:20:35 UTC
Created attachment 632989
reproducer scripts

via oss-sec http://seclists.org/oss-sec/2015/q2/280

> I'd like to request a CVE number for an XEE vulnerability in Perl's XML::LibXML.
>
> According to XML::LibXML's documentation it should be possible to
> disable processing of external entities by using the "expand_entities" parameter.
>
> Two example scripts are attached to this mail. The
> output of XEE-XML-LibXML-demo.pl should not contain external
> entities, but "expand_entities" is ignored. The output
> of XEE-XML-LibXML-demo2.pl is as expected (no external entities).
>
> The behaviour depends on how the XML is loaded.
> Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using
> $parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.
>
> I've tested the issue on two platforms and was able to print out the
> system's "/etc/passwd" file.
> [...]
> The vulnerability is fixed in version 2.0119.
> I'm not sure which older versions are affected, however the vulnerability is present in version 1.89 and probably older
> versions, too.
>
> The fix:
> <https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30>
>
> Changelog:
> <http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes>

Reproducer worked on 13.2:
XEE-XML-LibXML-demo.pl prints /etc/passwd file contents.
XEE-XML-LibXML-demo2.pl does not.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1216112
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3451
The patch itself applies to SLE 12 only.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (929237) was mentioned in https://build.opensuse.org/request/show/325034 13.2+13.1 / perl-XML-LibXML
(In reply to Andreas Stieger from comment #0)
> Reproducer worked on 13.2:
> XEE-XML-LibXML-demo.pl prints /etc/passwd file contents.
> XEE-XML-LibXML-demo2.pl does not

XEE-XML-LibXML-demo2.pl isn't supposed to return the content of /etc/passwd. It uses the API in a way that's not vulnerable:
https://bugzilla.redhat.com/show_bug.cgi?id=1216112#c3
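Added check (not part of the bug report, the attached reproducers or the upstream module): a Perl script that exercises both code paths named in comment #0 against a constructed external entity. It points the entity at a temporary file holding a marker string instead of /etc/passwd, so it is safe to run on any host, and reports whether the installed XML::LibXML honours expand_entities => 0 on each path. The expand_entities option, new, load_xml and toString are the module's documented API; the marker string, the temp file and the two helper subs are this example's own.

```perl
#!/usr/bin/perl
# Added example for bug 929237 / CVE-2015-3451 (not the oss-sec reproducer).
# Checks whether expand_entities => 0 is honoured when load_xml is called
# on a parser instance (the path reported as affected before 2.0119) and
# when it is called as a class method (the path reported as working).
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed "secret": a marker written to a temp file that stands in
# for /etc/passwd in the original reproducer. UNLINK removes it on exit.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-MARKER-42\n";
close $fh;

# Constructed document: an external SYSTEM entity referencing that file.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY leak SYSTEM "file://$secret_path">
]>
<root>&leak;</root>
XML

# Pattern A: option given to the constructor, load_xml on the instance.
# Comment #0 reports this path ignoring expand_entities in affected versions.
sub parse_via_instance {
    my $parser = XML::LibXML->new(expand_entities => 0);
    return $parser->load_xml(string => $xml)->toString;
}

# Pattern B: option passed directly to the class-method load_xml.
# Comment #0 reports this path behaving as documented.
sub parse_via_class {
    return XML::LibXML->load_xml(string => $xml, expand_entities => 0)->toString;
}

# If the serialised document contains the marker, the external entity was
# fetched and substituted despite expand_entities => 0.
for my $case (['instance', \&parse_via_instance], ['class', \&parse_via_class]) {
    my ($name, $code) = @$case;
    my $out    = $code->();
    my $result = $out =~ /SECRET-MARKER-42/ ? 'LEAKED' : 'ok';
    printf "%-8s %s (XML::LibXML %s)\n", $name, $result, $XML::LibXML::VERSION;
}
```

Run it as `perl check-expand-entities.pl` on the host under test. "LEAKED" on the instance line is the behaviour this bug describes; a fixed package (2.0119 upstream, or the SUSE builds listed below) should print "ok" for both lines. Independently of this bug, code that parses untrusted XML with XML::LibXML should also pass load_ext_dtd => 0 and no_network => 1, which are separate documented options, rather than relying on expand_entities alone.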
SUSE-SU-2015:1439-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 929237
CVE References: CVE-2015-3451
Sources used:
SUSE Linux Enterprise Server 12 (src): perl-XML-LibXML-2.0019-5.3
SUSE Linux Enterprise Desktop 12 (src): perl-XML-LibXML-2.0019-5.3
openSUSE-SU-2015:1506-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 929237
CVE References: CVE-2015-3451
Sources used:
openSUSE 13.2 (src): perl-XML-LibXML-2.0121-2.3.1
openSUSE 13.1 (src): perl-XML-LibXML-2.0121-2.3.1
done