Apply upstream patch to close XXE vulnerability in precise

Bug #1194410 reported by Georgios Chinis
Affects             Status        Importance  Assigned to  Milestone
libxml2 (Ubuntu)    Fix Released  Undecided   Unassigned
  Lucid             Fix Released  Medium      Unassigned
  Precise           Fix Released  Medium      Unassigned
  Quantal           Fix Released  Medium      Unassigned
  Raring            Fix Released  Undecided   Unassigned
  Saucy             Fix Released  Undecided   Unassigned

Bug Description

In version 2.7.8 there is no way to avoid opening and reading a file if it is specified in the ENTITY section of the document.

The issue has been raised in:
  https://mail.gnome.org/archives/xml/2012-October/msg00002.html
  https://github.com/sparklemotion/nokogiri/issues/693

An upstream fix has been released:
  https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
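The behaviour the upstream fix closes can be checked from the application side with a canary file: a parser that resolves external parsed entities will pull the file's contents into the parsed document, a hardened one will not. The script below is an added example, not part of this bug report or of libxml2; it uses Python's standard library xml.sax (expat) parser rather than lxml so it runs with no extra packages, and the canary file, the marker string and the XML document are all constructed here.

```python
"""Canary-based regression check: does a given parser configuration fetch
external parsed entities declared in the document's DTD (the behaviour
fixed for CVE-2013-0339)?  Constructed example using the stdlib parser."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

CANARY = "CANARY-DO-NOT-LEAK"  # constructed marker, written to a temp file


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can tell whether the entity was expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def leaks_external_entity(external_ges: bool) -> bool:
    """Parse a document whose DTD declares an external parsed entity that
    names a local canary file; return True if the canary text shows up in
    the parsed content, i.e. the parser opened and read the file."""
    with tempfile.TemporaryDirectory() as tmp:
        canary_path = os.path.join(tmp, "canary.txt")
        with open(canary_path, "w", encoding="utf-8") as f:
            f.write(CANARY)
        # Constructed document: the ENTITY declaration points at the canary.
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE root [<!ENTITY ext SYSTEM "{canary_path}">]>\n'
            "<root>&ext;</root>\n"
        )
        parser = xml.sax.make_parser()
        # feature_external_ges controls whether external general entities are
        # fetched; False is the hardened setting (the default since 3.7.1).
        parser.setFeature(handler.feature_external_ges, external_ges)
        collector = _TextCollector()
        parser.setContentHandler(collector)
        parser.parse(io.BytesIO(doc.encode("utf-8")))
        return CANARY in "".join(collector.chunks)


if __name__ == "__main__":
    print("hardened parser leaks:", leaks_external_entity(False))   # False
    print("permissive parser leaks:", leaks_external_entity(True))  # True
```

The same check can be pointed at any other parser wrapper by swapping in its construction and feature flags; the canary file stays under a temporary directory so nothing outside it is read.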

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I've requested a CVE for this issue, thanks.

Changed in libxml2 (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in libxml2 (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in libxml2 (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → Medium
Changed in libxml2 (Ubuntu Raring):
status: New → Fix Released
Changed in libxml2 (Ubuntu Saucy):
status: New → Fix Committed
status: Fix Committed → Fix Released
Changed in libxml2 (Ubuntu Lucid):
status: Confirmed → In Progress
Changed in libxml2 (Ubuntu Precise):
status: Confirmed → In Progress
Changed in libxml2 (Ubuntu Quantal):
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.8.dfsg-5.1ubuntu4.5

---------------
libxml2 (2.7.8.dfsg-5.1ubuntu4.5) precise-security; urgency=low

  * SECURITY UPDATE: external entity expansion attack (LP: #1194410)
    - do not fetch external parsed entities in parser.c, added test to
      test/errors/extparsedent.xml, result/errors/extparsedent.xml.
    - https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
    - CVE-2013-0339
  * SECURITY UPDATE: denial of service via incomplete document
    - try to stop parsing as quickly as possible in parser.c,
      include/libxml/xmlerror.h.
    - https://git.gnome.org/browse/libxml2/commit/?id=48b4cdde3483e054af8ea02e0cd7ee467b0e9a50
    - https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869
    - CVE-2013-2877
 -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2013 14:57:48 -0400

Changed in libxml2 (Ubuntu Precise):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.7.6.dfsg-1ubuntu1.9

---------------
libxml2 (2.7.6.dfsg-1ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: external entity expansion attack (LP: #1194410)
    - do not fetch external parsed entities in parser.c, added test to
      test/errors/extparsedent.xml, result/errors/extparsedent.xml.
    - https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
    - CVE-2013-0339
  * SECURITY UPDATE: denial of service via incomplete document
    - try to stop parsing as quickly as possible in parser.c,
      include/libxml/xmlerror.h.
    - https://git.gnome.org/browse/libxml2/commit/?id=48b4cdde3483e054af8ea02e0cd7ee467b0e9a50
    - https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869
    - CVE-2013-2877
 -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2013 15:07:11 -0400

Changed in libxml2 (Ubuntu Lucid):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.8.0+dfsg1-5ubuntu2.3

---------------
libxml2 (2.8.0+dfsg1-5ubuntu2.3) quantal-security; urgency=low

  * SECURITY UPDATE: external entity expansion attack (LP: #1194410)
    - debian/patches/CVE-2013-0339.patch: do not fetch external parsed
      entities in parser.c, added test to test/errors/extparsedent.xml,
      result/errors/extparsedent.xml.
    - CVE-2013-0339
  * SECURITY UPDATE: denial of service via incomplete document
    - debian/patches/CVE-2013-2877.patch: try to stop parsing as quickly as
      possible in parser.c, include/libxml/xmlerror.h.
    - CVE-2013-2877
 -- Marc Deslauriers <email address hidden> Thu, 11 Jul 2013 14:53:41 -0400

Changed in libxml2 (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
Daniel Dehennin (launchpad-baby-gnu) wrote :

I saw something like a regression in some case, or maybe I'm misusing the library:

>>> from io import BytesIO
>>> from lxml import etree
>>> xml='''<root>
... <child name='one' />
... <child name='two' />
... </root>
... '''
>>> document = etree.iterparse(BytesIO(xml), events=('end',), tag='root')
>>> for action, elem in document:
...     print("%s: %s" % (action, elem.tag))
...
end: root
>>> file('/tmp/test.xml', 'w').write(xml)
>>> document = etree.iterparse('/tmp/test.xml', events=('end',), tag='root')
>>> for action, elem in document:
...     print("%s: %s" % (action, elem.tag))
...
end: root
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "iterparse.pxi", line 478, in lxml.etree.iterparse.__next__ (src/lxml/lxml.etree.c:98432)
  File "iterparse.pxi", line 530, in lxml.etree.iterparse._read_more_events (src/lxml/lxml.etree.c:98953)
  File "parser.pxi", line 601, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:74863)
lxml.etree.XMLSyntaxError: None

Downgrading libxml2 version 2.7.8.dfsg-5.1ubuntu4 does not finish in a traceback when parsing from a file.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this regression. I've opened bug 1201849 to track it.

Revision history for this message
Andrew (mescalito) wrote :

Hi, not sure if I even need this libxml2 as I don't write code or publish websites, as I think this may be what it's for?
I do however have this error and totally do not know what to do with the file I just downloaded.
I'm just a happy Ubuntu user :)
Any help would be gratefully accepted!!

Thanks

Andrew
