Bugzilla – Bug 1008644
VUL-1: CVE-2016-9180: perl-XML-Twig: expand_external_ents option fails to work as documented
Last modified: 2022-09-16 11:41:49 UTC
rh#1379553

The option `expand_external_ents`, documented as controlling external entity expansion in XML::Twig, does not work. External entities are always expanded, regardless of the option's setting.

Upstream bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1379553
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9180
http://seclists.org/oss-sec/2016/q4/329
bugbot adjusting priority
VUL-0? There is no patch and I would rather wait for one or delete it from distro :)
Created attachment 702435 [details]
CVE-2016-9180.pl

QA REPRODUCER (part 1/3):

perl CVE-2016-9180.pl 1
should print <root>Boom!

perl CVE-2016-9180.pl 0
should not print <root>Boom!
Created attachment 702436 [details]
CVE-2016-9180.xml

QA REPRODUCER (part 2/3): CVE-2016-9180.xml for the previous perl reproducer
Created attachment 702437 [details]
boom.txt

QA REPRODUCER (part 3/3): boom.txt for inclusion in the testcase
Currently I cannot see a possible fix yet. The package is everywhere, you will find it hard to remove :/
A WONTFIX by RH: https://bugzilla.redhat.com/show_bug.cgi?id=1379553#c2
Setting to VUL-1 (don't need immediate update)
(In reply to Alexander Bergmann from comment #0)
> https://rt.cpan.org/Public/Bug/Display.html?id=118097

Reading the description of the bug, do I understand correctly that this is just about a missing option to disable 'expand external entities'? Upstream resolved it by adding the no_xxe option between 2.48 and 2.49 and then documented it between 2.49 and 2.50.

When the CVE-2016-9180.pl from comment 3 is changed to:

use XML::Twig;
my $twig = XML::Twig->new( no_xxe => $ARGV[0] );
$twig->parsefile( "CVE-2016-9180.xml");
$twig->print;

then

$ perl CVE-2016-9180.pl 1
cannot expand &xxe; - cannot load 'boom.txt' at /usr/lib/perl5/vendor_perl/5.24.0/x86_64-linux-thread-multi/XML/Parser/Expat.pm line 474.
$ perl CVE-2016-9180.pl 0
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe PUBLIC "bar" "boom.txt">
]>
<root>Boom!
$

Would this be acceptable?
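The comment above shows the no_xxe option only through the reproducer's shell output. The following script is an added example written for this page (it is not code from the bug thread, from XML::Twig's distribution or from any of the vendor patches): it builds the same kind of fixture in a temporary directory, an XML document whose internal DTD declares an external entity pointing at a local file, parses it with no_xxe off and on, and reports whether the installed XML::Twig refuses the expansion. The names make_fixture, parse_with and no_xxe_is_enforced and the secret.txt/input.xml fixture are mine; the only XML::Twig API used is what the thread itself uses (new with no_xxe, parsefile) plus root->text to read the parsed content.

```perl
#!/usr/bin/perl
# Added example, not code from the bug thread: exercise XML::Twig's no_xxe
# option against a constructed document and report whether the installed
# module actually refuses to expand an external entity.
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Build the fixture in a scratch directory: a local file standing in for a
# sensitive resource, and an XML document whose internal DTD declares an
# external entity that points at it (constructed input, same shape as the
# thread's CVE-2016-9180.xml with boom.txt).
sub make_fixture {
    my $dir = tempdir( CLEANUP => 1 );

    open my $fh, '>', "$dir/secret.txt" or die "cannot write secret.txt: $!";
    print {$fh} "SECRET";
    close $fh;

    open $fh, '>', "$dir/input.xml" or die "cannot write input.xml: $!";
    print {$fh} <<'XML';
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY ext SYSTEM "secret.txt">
]>
<root>&ext;</root>
XML
    close $fh;
    return $dir;
}

# Parse $file with the given no_xxe setting. Returns ("ok", root text) when
# the parse succeeded and ("error", message) when anything inside died:
# the "cannot expand &ext; ..." die the thread shows for no_xxe => 1, or a
# constructor that rejects the option on an installation too old to know it.
# Either way nothing from secret.txt reached the tree.
sub parse_with {
    my ( $file, $no_xxe ) = @_;
    my $text;
    my $ok = eval {
        my $twig = XML::Twig->new( no_xxe => $no_xxe );
        $twig->parsefile($file);
        $text = $twig->root->text;
        1;
    };
    return $ok ? ( 'ok', $text ) : ( 'error', $@ );
}

# Startup self-check for an application that relies on no_xxe: the installed
# XML::Twig counts as enforcing it only if the very same document *does*
# expand with the option off (so the fixture is valid) and does *not* with
# the option on. A version that silently ignored the option would return
# ("ok", "SECRET") for both and fail this check.
sub no_xxe_is_enforced {
    my ($file) = @_;
    my ( $st_open, $out_open ) = parse_with( $file, 0 );
    return 0 unless $st_open eq 'ok' && $out_open eq 'SECRET';
    my ($st_safe) = parse_with( $file, 1 );
    return $st_safe eq 'error' ? 1 : 0;
}

my $dir  = make_fixture();
my $orig = getcwd();
# The relative SYSTEM identifier resolves against the working directory,
# which is how the thread's reproducer is run (boom.txt next to the script).
chdir $dir or die "cannot chdir to $dir: $!";

for my $setting ( 0, 1 ) {
    my ( $status, $out ) = parse_with( 'input.xml', $setting );
    print "no_xxe => $setting: $status: $out\n";
}
print "XML::Twig $XML::Twig::VERSION enforces no_xxe: ",
    ( no_xxe_is_enforced('input.xml') ? "yes" : "NO" ), "\n";

chdir $orig;   # leave the temp dir so CLEANUP can remove it
```

Run it with `perl check_no_xxe.pl` on a host whose perl-XML-Twig you want to verify. The point of wrapping both the constructor and the parse in one eval is that the thread's only documented failure mode is a die during parsing; the check does not need to know which step refused, only that the entity content never ended up in the document tree, while the no_xxe => 0 control parse guards against mistaking an unrelated failure (missing module, wrong path) for enforcement.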
Yes, an extra option would be acceptable.
Created attachment 839642 [details] Patch fix from Debian documenting the security issue https://salsa.debian.org/perl-team/modules/packages/libxml-twig-perl/-/blob/master/debian/patches/CVE-2016-9180.patch
Extra option and a warning are now documented. Also, a new test for both expand_external_ents and no_xxe has been added. Patch from Debian in comment #12. Factory submission: https://build.opensuse.org/request/show/821138
(In reply to Marcus Meissner from comment #3)
> Created attachment 702435 [details]
> CVE-2016-9180.pl
>
> QA REPRODUCER (part 1/3):
>
> perl CVE-2016-9180.pl 1
> should print <root>Boom!
>
> perl CVE-2016-9180.pl 0
>
> should not print <root>Boom!

Hi, the bug reproducer has the same result on both sles12sp5 and sles15sp2; is the bug fixed?

s15sp2:~/Documents # perl CVE-2016-9180.pl 1
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe PUBLIC "bar" "boom.txt">
]>
<root>Boom!
</root>s15sp2:~/Documents # perl CVE-2016-9180.pl 0
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe PUBLIC "bar" "boom.txt">
]>
<root>Boom!
</root>
> Hi, the bug reproducer has the same result on both sles12sp5 and sles15sp2,
> is the bug fixed?
>
> s15sp2:~/Documents # perl CVE-2016-9180.pl 1
> <?xml version="1.0"?>
> <!DOCTYPE foo [
> <!ENTITY xxe PUBLIC "bar" "boom.txt">
> ]>
> <root>Boom!
> </root>s15sp2:~/Documents # perl CVE-2016-9180.pl 0
> <?xml version="1.0"?>
> <!DOCTYPE foo [
> <!ENTITY xxe PUBLIC "bar" "boom.txt">
> ]>
> <root>Boom!
> </root>

i.e. there is no difference between "before" and "after" updating.
Created attachment 840385 [details]
Downloads/CVE-2016-9180.pl

QA REPRODUCER:

- download also the xml

echo BOOM > boom.txt

perl CVE-2016-9180.pl 0
should show BOOM

perl CVE-2016-9180.pl 1
should show: cannot expand &xxe; - cannot load 'boom.txt' at /usr/lib/perl5/vendor_perl/5.30.1/x86_64-linux-thread-multi/XML/Parser/Expat.pm line 480.
(In reply to Marcus Meissner from comment #20)
> Created attachment 840385 [details]
> Downloads/CVE-2016-9180.pl
>
> QA REPRODUCER:
>
> - download also xml
>
> echo BOOM > boom.txt
>
> perl CVE-2016-9180.pl 0
>
> should show BOOM
>
> perl CVE-2016-9180.pl 1
>
> should show: cannot expand &xxe; - cannot load 'boom.txt' at
> /usr/lib/perl5/vendor_perl/5.30.1/x86_64-linux-thread-multi/XML/Parser/Expat.
> pm line 480.

Same result whether updating or not.

s15sp2:~/Documents # cat CVE-2016-9180.pl
use XML::Twig;
my $twig = XML::Twig->new( no_xxe => $ARGV[0] );
$twig->parsefile( "CVE-2016-9180.xml");
$twig->print;
s15sp2:~/Documents # perl CVE-2016-9180.pl 0
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe PUBLIC "bar" "boom.txt">
]>
<root>BOOM
</root>s15sp2:~/Documents # perl CVE-2016-9180.pl 1
cannot expand &xxe; - cannot load 'boom.txt' at /usr/lib/perl5/vendor_perl/5.26.1/x86_64-linux-thread-multi/XML/Parser/Expat.pm line 474.
 at CVE-2016-9180.pl line 1.
 at CVE-2016-9180.pl line 1.
This output means it was fixed before... in the changes it shows perl-XML-Twig 3.50 has the fix already. Our SLE15 update has as diff only testsuite changes and no functional changes.
SUSE-SU-2020:2173-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1008644
CVE References: CVE-2016-9180
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): perl-XML-Twig-3.44-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2172-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1008644
CVE References: CVE-2016-9180
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): perl-XML-Twig-3.52-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): perl-XML-Twig-3.52-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1177-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1008644
CVE References: CVE-2016-9180
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): perl-XML-Twig-3.52-lp151.3.3.1
openSUSE-SU-2020:1204-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1008644
CVE References: CVE-2016-9180
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): perl-XML-Twig-3.52-lp152.4.3.1
SUSE-SU-2020:2173-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1008644
CVE References: CVE-2016-9180
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): perl-XML-Twig-3.44-5.3.1
SUSE OpenStack Cloud Crowbar 8 (src): perl-XML-Twig-3.44-5.3.1
SUSE OpenStack Cloud 9 (src): perl-XML-Twig-3.44-5.3.1
SUSE OpenStack Cloud 8 (src): perl-XML-Twig-3.44-5.3.1
SUSE OpenStack Cloud 7 (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): perl-XML-Twig-3.44-5.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): perl-XML-Twig-3.44-5.3.1
HPE Helion Openstack 8 (src): perl-XML-Twig-3.44-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released, closing.