Bug 1126613 - VUL-0: libxslt: xsltproc accesses Internet even when --nonet is given
Status: RESOLVED FIXED
Duplicates: 1110146
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: x86-64 openSUSE 42.3
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/225344/
maint:released:sle10-sp3:64221 maint:...
Reported: 2019-02-24 09:18 UTC by Thomas König
Modified: 2020-07-10 13:20 UTC (History)
Description Thomas König 2019-02-24 09:18:00 UTC
xsltproc accesses the Internet even though --nonet has been specified.

Test case: 

echo '<title/>' | strace xsltproc --noout --nonet --xinclude http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl -

Among other risks and privacy concerns, this causes Internet access from
a gcc configure script, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89466

Output of xsltproc -V is
xsltproc was compiled against libxml 20904, libxslt 10128 and libexslt 817
libxslt 10128 was compiled against libxml 20904
libexslt 817 was compiled against libxml 20904
Comment 1 Pedro Monreal Gonzalez 2019-02-28 17:09:32 UTC
Possibly related to the patch [0] for CVE-2016-9318 that was reverted as it breaks XML_PARSE_NONET, see [1]. Updated patch in [2].

[0] https://git.gnome.org/browse/libxml2/commit/?id=030b1f7a27c22f9237eddca49ec5e620b6258d7d
[1] https://bugzilla.gnome.org/show_bug.cgi?id=772726
[2] https://gitlab.gnome.org/GNOME/libxml2/commit/ad88b54f1a28a8565964a370b5d387927b633c0d
Comment 2 Pedro Monreal Gonzalez 2019-03-04 16:25:59 UTC
I have updated the patch for CVE-2016-9318 with the one modified upstream that fixes the issue.

Thomas, could you double check? You can find the packages for 42.3 here:

https://download.opensuse.org/repositories/home:/pmonrealgonzalez:/branches:/openSUSE:/Leap:/42.3:/Update/standard/
Comment 3 Thomas König 2019-03-05 22:28:56 UTC
(In reply to Pedro Monreal Gonzalez from comment #2)
> I have updated the patch for CVE-2016-9318 with the one modified upstream
> that fixes the issue.
> 
> Thomas, could you double check? You can find the packages for 42.3 here:
> 
> https://download.opensuse.org/repositories/home:/pmonrealgonzalez:/branches:/
> openSUSE:/Leap:/42.3:/Update/standard/

Directly installing the RPMs fails for me with a public key failure,
so I guess I would have to install something in addition to really test.

However, if the strace of the original test case shows no network
activity, I am confident that this works. I would not have done any
other testing anyway :-)

Thanks a lot for your work on this!
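
The verification criterion discussed above (the strace of the original test case shows no network activity) can be scripted. The following is an added example, not part of the bug report or of libxml2/libxslt; the function names are hypothetical and the strace excerpt is constructed, using documentation addresses.

```sh
#!/bin/sh
# Added example (not from the bug report): decide from a strace log whether
# a process touched the network. Function names are hypothetical.

# Print socket()/connect() lines that use IPv4/IPv6. Older strace prints
# PF_INET in socket(), newer prints AF_INET. AF_LOCAL/AF_UNIX lines (for
# example the nscd socket) are local IPC and are not reported.
net_lines() {
    grep -E '(socket|connect)\(' "$1" | grep -E '(AF|PF)_INET6?' || true
}

# Number of connect() calls to an IPv4/IPv6 address in the log.
count_connects() {
    net_lines "$1" | grep -c 'connect(' || true
}

# Run the report's test case under strace. $1 is the stylesheet URL.
# Returns 0 if no IPv4/IPv6 syscall was seen, 1 (listing them on stderr)
# if any was, 2 if the tools are missing or strace produced no log.
check_nonet() {
    command -v strace >/dev/null && command -v xsltproc >/dev/null || return 2
    log=$(mktemp) || return 2
    echo '<title/>' | strace -f -e trace=network -o "$log" \
        xsltproc --noout --nonet --xinclude "$1" - >/dev/null 2>&1 || true
    if [ ! -s "$log" ]; then rm -f "$log"; return 2; fi
    hits=$(net_lines "$log")
    rm -f "$log"
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}

# Constructed strace excerpt (documentation addresses), shaped like a run
# in which --nonet is not honoured: a DNS query, then an HTTP connection.
write_sample_log() {
    cat > "$1" <<'EOF'
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF
}

demo=$(mktemp) && write_sample_log "$demo"
echo "IPv4/IPv6 connect() calls in sample: $(count_connects "$demo")"
rm -f "$demo"
```

check_nonet takes the stylesheet URL from the test case as its argument; a return value of 2 means the result is inconclusive rather than clean.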
Comment 4 Pedro Monreal Gonzalez 2019-03-06 08:54:38 UTC
Before (tries to load from the internet):

(gdb) b __xmlIOErr
Breakpoint 3 at 0x7ffff7e44690: file xmlIO.c, line 250.
(gdb) run
Starting program: /usr/bin/xsltproc --noout --nonet --xinclude http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docboo\
k.xsl title
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Breakpoint 3, __xmlIOErr (domain=domain@entry=8, code=code@entry=1543,
    extra=extra@entry=0x55555556c470 "http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl") at xmlIO.c:250
250         if (code == 0) {
(gdb) bt
#0  __xmlIOErr (domain=domain@entry=8, code=code@entry=1543,
    extra=extra@entry=0x55555556c470 "http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl") at xmlIO.c:250
#1  0x00007ffff7e47a1d in xmlIOErr (
    extra=0x55555556c470 "http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl", code=1543) at xmlIO.c:4072
#2  xmlNoNetExternalEntityLoader__internal_alias (
    URL=0x555555562040 "http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl", ID=<optimized out>,
    ctxt=0x555555560ab0) at xmlIO.c:4072
#3  0x0000555555557faf in ?? ()
#4  0x00007ffff7e4793f in xmlLoadExternalEntity__internal_alias (URL=<optimized out>, ID=0x0, ctxt=0x555555560ab0) at xmlIO.c:4032
#5  0x00007ffff7e2dfa5 in xmlCreateURLParserCtxt__internal_alias (
    filename=0x7fffffffe30a "http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl", options=16398)
    at parser.c:14097
#6  0x00007ffff7e347bb in xmlReadFile__internal_alias (filename=<optimized out>, encoding=0x0, options=16398) at parser.c:15255
#7  0x00005555555569c9 in ?? ()
#8  0x00007ffff7c3eb7b in __libc_start_main (main=0x555555556370, argc=6, argv=0x7fffffffde58, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde48) at ../csu/libc-start.c:308
#9  0x0000555555557bfa in ?? ()

After (fails when trying to load from the internet):

xsltproc --noout --xinclude http://docbook.sourceforge.net/release/xsl-ns/current/xhtml-1_1/docbook.xsl title
Note: namesp. add : added namespace before processing
No template for "/title" (or any of its leaves) exists in the context named "title" in the "en" localization.
Element title in namespace 'http://docbook.org/ns/docbook' encountered, but no template matches.

I'll submit the packages now.
Comment 5 Pedro Monreal Gonzalez 2019-03-06 10:39:17 UTC
Packages submitted:

openSUSE:Factory                2.9.9  Not affected
openSUSE:Leap:15.0:Update       2.9.7  Not affected
SUSE:SLE-12-SP2:Update          2.9.4  sr#186288
SUSE:SLE-11-SP1:Update          2.7.6  sr#186290
SUSE:SLE-10-SP4:Test:Update     2.6.23 sr#186291
openSUSE:Leap:42.3:Update comes from SUSE:SLE-12-SP2:Update
Comment 7 Swamp Workflow Management 2019-03-06 16:45:21 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2019-03-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64220
Comment 8 Richard Biener 2019-03-07 13:40:59 UTC
*** Bug 1110146 has been marked as a duplicate of this bug. ***
Comment 9 Swamp Workflow Management 2019-03-21 23:12:10 UTC
SUSE-SU-2019:13985-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1010675,1102046,1110146,1126613
CVE References: CVE-2016-9318,CVE-2018-14404
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.77.15.1
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.77.15.1, libxml2-python-2.7.6-0.77.15.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libxml2-2.7.6-0.77.15.1, libxml2-python-2.7.6-0.77.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.77.15.1, libxml2-python-2.7.6-0.77.15.1
Comment 11 Swamp Workflow Management 2019-07-18 22:13:03 UTC
SUSE-SU-2019:1896-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1010675,1110146,1126613
CVE References: CVE-2016-9318
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libxml2-2.9.4-46.20.1
SUSE Linux Enterprise Server 12-SP4 (src):    libxml2-2.9.4-46.20.1, python-libxml2-2.9.4-46.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libxml2-2.9.4-46.20.1, python-libxml2-2.9.4-46.20.1
SUSE CaaS Platform 3.0 (src):    libxml2-2.9.4-46.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexandros Toptsoglou 2020-07-10 13:20:50 UTC
Done