libxml2: CVE-2017-16932: Infinite recursion in parameter entities


Debian Bug report logs - #882613


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 24 Nov 2017 19:42:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions libxml2/2.9.4+dfsg1-5.1, libxml2/2.9.1+dfsg1-5

Fixed in version libxml2/2.9.7+dfsg-1

Done: Mattia Rizzolo <mattia@debian.org>

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=759579



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#882613; Package src:libxml2. (Fri, 24 Nov 2017 19:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Fri, 24 Nov 2017 19:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml2: CVE-2017-16932: Infinite recursion in parameter entities
Date: Fri, 24 Nov 2017 20:39:06 +0100
Source: libxml2
Version: 2.9.4+dfsg1-5.1
Severity: important
Tags: patch security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=759579

Hi,

the following vulnerability was published for libxml2.

CVE-2017-16932[0]:
| parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in
| parameter entities.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16932
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932
[1] https://bugzilla.gnome.org/show_bug.cgi?id=759579 (not yet public)
[2] https://git.gnome.org/browse/libxml2/commit/?id=899a5d9f0ed13b8e32449a08a361e0de127dd961

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libxml2/2.9.1+dfsg1-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 24 Nov 2017 19:54:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#882613; Package src:libxml2. (Sun, 26 Nov 2017 08:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 26 Nov 2017 08:21:04 GMT)


Message #12 received at 882613@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 882613@bugs.debian.org
Cc: team@security.debian.org, mapreri@debian.org
Subject: Re: Bug#882613: libxml2: CVE-2017-16932: Infinite recursion in parameter entities
Date: Sun, 26 Nov 2017 09:19:14 +0100
Hi,

Whilst cherry-picking the commit we can verify the testcase attached
in the commit is correctly detected, a minimalized variant of it
would not work, the minimalized variant I mean of

,---- [ 759579.xml ]
| <!DOCTYPE doc [
|     <!ENTITY % z '
|         &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
|         &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
|         &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
|         &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
|         &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
|     '>
|     %z;
| ]>
| <doc/>
`----

is

,---- [ minimized-759579.xml ]
| <!DOCTYPE doc [
|     <!ENTITY % z ' &#37;z;'>
|     %z;
| ]>
| <doc/>
`----

I have verified that the issue is addressed with libxml2 git checked out
at 899a5d9f0ed13b8e32449a08a361e0de127dd961 so guess the best action
is to update to 2.9.7. If we want to fix it in isolation we might need
some other prerequisite between upstream v2.9.4 and
899a5d9f0ed13b8e32449a08a361e0de127dd961 (v2.9.5-rc1)

marked the issue as no-dsa for jessie and stretch, let us know if you
disagree.

Regards,
Salvatore

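The two testcases above differ only in how many times the parameter entity `z` references itself inside its own replacement text; in both, the `&#37;` character references decode to `%` when the declaration is read, so the replacement text of `z` contains `%z;` and expanding `%z;` in the internal subset loops forever on an unpatched parser. The following added example (not part of this bug report and not libxml2's own code) is a small defender-side pre-check: it extracts parameter entity declarations from a document's internal subset, decodes numeric character references in the literals, builds a reference graph, and reports any reference cycle. It is run here over constructed copies of the full testcase, the minimized variant, and a benign two-entity DTD. The regular expressions and the cycle-search routine are assumptions of this example; they cover the internal subset only, so the check is a triage aid for inbound documents, not a replacement for running a fixed libxml2 (2.9.5 or later).

```python
import re

# Constructed copy of the testcase attached to the upstream commit (759579.xml).
FULL_TESTCASE = """<!DOCTYPE doc [
    <!ENTITY % z '
        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
        &#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
    '>
    %z;
]>
<doc/>"""

# Constructed copy of the minimized variant from the bug report.
MINIMIZED_TESTCASE = """<!DOCTYPE doc [
    <!ENTITY % z ' &#37;z;'>
    %z;
]>
<doc/>"""

# Constructed benign document: one parameter entity references another, no cycle.
BENIGN = """<!DOCTYPE doc [
    <!ENTITY % base 'INCLUDE'>
    <!ENTITY % derived ' &#37;base; '>
    %derived;
]>
<doc/>"""

# Assumed patterns (example-specific): a parameter entity declaration with a
# single- or double-quoted literal, a numeric character reference, and a
# parameter entity reference inside already-decoded replacement text.
PE_DECL_RE = re.compile(r"<!ENTITY\s+%\s+([^\s]+)\s+(?:'([^']*)'|\"([^\"]*)\")\s*>", re.S)
CHARREF_RE = re.compile(r"&#(?:(\d+)|x([0-9A-Fa-f]+));")
PE_REF_RE = re.compile(r"%([^\s;%]+);")


def decode_charrefs(text):
    """Replace numeric character references (&#37; or &#x25;) with the
    character they denote; this is the step that turns '&#37;z;' into '%z;'."""
    return CHARREF_RE.sub(
        lambda m: chr(int(m.group(1))) if m.group(1) else chr(int(m.group(2), 16)),
        text,
    )


def parameter_entity_graph(doc):
    """Map each declared parameter entity name to the set of parameter entity
    names its (decoded) replacement text references."""
    graph = {}
    for m in PE_DECL_RE.finditer(doc):
        name = m.group(1)
        literal = m.group(2) if m.group(2) is not None else m.group(3)
        graph[name] = set(PE_REF_RE.findall(decode_charrefs(literal)))
    return graph


def find_entity_cycle(graph):
    """Depth-first search with grey/black colouring. Returns the cycle as a
    list of names (first name repeated at the end), or None if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for ref in sorted(graph.get(node, ())):
            if ref not in graph:
                continue  # undeclared entity: a separate parser error, not a loop
            if colour[ref] == GREY:
                return path[path.index(ref):] + [ref]
            if colour[ref] == WHITE:
                cycle = visit(ref)
                if cycle:
                    return cycle
        path.pop()
        colour[node] = BLACK
        return None

    for name in sorted(graph):
        if colour[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


def check_document(doc):
    """Return the parameter entity reference cycle found in doc, or None."""
    return find_entity_cycle(parameter_entity_graph(doc))


if __name__ == "__main__":
    for label, doc in (("759579.xml", FULL_TESTCASE),
                       ("minimized-759579.xml", MINIMIZED_TESTCASE),
                       ("benign", BENIGN)):
        print(f"{label}: cycle = {check_document(doc)}")
```

Both testcases report the one-step cycle `z -> z`, which is why the minimized variant is the better regression test: the number of self-references per declaration does not change the graph, only the loop does. The benign document maps `derived` to `base` and nothing back, so it passes.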


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Wed, 03 Jan 2018 17:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 03 Jan 2018 17:36:09 GMT)


Message #17 received at 882613-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 882613-close@bugs.debian.org
Subject: Bug#882613: fixed in libxml2 2.9.7+dfsg-1
Date: Wed, 03 Jan 2018 17:34:28 +0000
Source: libxml2
Source-Version: 2.9.7+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882613@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jan 2018 18:15:18 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-doc python-libxml2 python-libxml2-dbg python3-libxml2 python3-libxml2-dbg
Architecture: source
Version: 2.9.7+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
 python3-libxml2 - Python3 bindings for the GNOME XML library
 python3-libxml2-dbg - Python3 bindings for the GNOME XML library (debug extension)
Closes: 836698 882074 882613
Changes:
 libxml2 (2.9.7+dfsg-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.7+dfsg.  Closes: #882074
     + Infinite recursion in parameter entities.  CVE-2017-16932; Closes: #882613
     + Double entity expansion;  Closes: #836698
   * Refresh patches.
   * Refresh symbols.
   * Stop installing /usr/bin/xml2-config.
     Packages should just use pkg-config instead.
   * Remove the libxml2-dbg package, in favour of automatic debug package.
Checksums-Sha1:
 b5f1db0d746233a9ee197b082b26b214f48c825a 2915 libxml2_2.9.7+dfsg-1.dsc
 e4adef359319613d88e004638f82b87cd1ad25ad 4061148 libxml2_2.9.7+dfsg.orig.tar.gz
 26d27f12d5c4ca3ecbbbb05e2fc36d602d38f096 26312 libxml2_2.9.7+dfsg-1.debian.tar.xz
 72ea004a13bf1429f696f4c5f4acbd8b7ea1562a 9623 libxml2_2.9.7+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 991564fb05d0a6c05126470e4d4d26fc6358f4e04adc3aaa7b4746f06e4430e8 2915 libxml2_2.9.7+dfsg-1.dsc
 d95a0a10c68c40e04bfb3dd646024c8a4b99c2be96628171525080d48e8b47ed 4061148 libxml2_2.9.7+dfsg.orig.tar.gz
 c0e812f9d185c9d02866a8953b0814e735987b0bb8525cf7371c4db344e6760b 26312 libxml2_2.9.7+dfsg-1.debian.tar.xz
 2c77567c014478f70264903391f13480d7dea6c1a16d652f46405562486215c4 9623 libxml2_2.9.7+dfsg-1_amd64.buildinfo
Files:
 da385ff133b0b00d32a969e648c3ef25 2915 libs optional libxml2_2.9.7+dfsg-1.dsc
 e9bde0cc380bee322784dcc3fb57c7a0 4061148 libs optional libxml2_2.9.7+dfsg.orig.tar.gz
 229543740e426b2ad3bccdded3b9c04d 26312 libs optional libxml2_2.9.7+dfsg-1.debian.tar.xz
 02b1d5828988f74ef30f51940a1517ce 9623 libs optional libxml2_2.9.7+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[PGP signature body not preserved in this copy]
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:31 2019; Machine Name: buxtehude
