Bug 1186015 (CVE-2021-3541) - VUL-0: CVE-2021-3541: python-libxml2,libxml2-python,libxml2,python-libxml2-python: libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms
Summary: VUL-0: CVE-2021-3541: python-libxml2,libxml2-python,libxml2,python-libxml2-py...
Status: RESOLVED FIXED
Alias: CVE-2021-3541
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/284196/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3541:6.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-13 10:29 UTC by Gianluca Gabrielli
Modified: 2023-04-06 15:29 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Gianluca Gabrielli 2021-05-13 10:29:42 UTC
CVE-2021-3541

A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1950515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3541
Comment 1 Gianluca Gabrielli 2021-05-13 10:33:13 UTC
This flaw is essentially a variant of the billion laughs attack (CVE-2003-1564) which can DoS libxml2 even with the set of safe flags.

Technical information has not been made public yet. Let's keep this bug open and update it as soon as more information becomes available.
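For readers who have not seen the attack shape Comment 1 refers to, the following is an added example; it is not code from libxml2, from SUSE, or from any participant in this bug. It constructs a CVE-2003-1564-style payload and estimates its fully expanded size arithmetically, without ever expanding it, then rejects the document when the expansion-to-input ratio exceeds a limit. The kind of check that actually closes this class of attack is a bound on total expansion relative to input rather than a limit on nesting depth or entity count alone; the concrete constant MAX_AMPLIFICATION, the helper names, and the sample documents here are assumptions constructed for illustration, and libxml2's own thresholds and checks are different.

```python
"""Estimate XML general-entity expansion without expanding anything.

Added example, not libxml2 code. Models the class of check a parser needs against
billion-laughs payloads: bound the expanded size relative to the input size.
Only the DOCTYPE internal subset and general entities are modelled.
"""
import re

# Assumption for this example: reject a document whose expanded body would be
# more than this many times the raw input size. libxml2's real limits differ.
MAX_AMPLIFICATION = 5

DOCTYPE_WITH_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r"<!ENTITY\s+([^\s%&]+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&([^;\s&<]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}

# Constructed benign document: one small entity used once.
BENIGN = ('<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>\n'
          '<note>&company; &amp; partners</note>')


def billion_laughs(depth=9, fanout=10):
    """Construct a CVE-2003-1564-shaped payload: `depth` levels, `fanout` refs each."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{prev};</lolz>")


def parse_internal_subset(doc):
    """Return {name: replacement text} for general entities declared in the internal subset."""
    m = DOCTYPE_WITH_SUBSET.search(doc)
    if not m:
        return {}
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(m.group(1)):
        entities.setdefault(name, dq or sq)  # first declaration wins, as in XML
    return entities


def expanded_length(text, size_of):
    """Length of `text` once every &ref; is replaced by size_of(ref) characters."""
    total, pos = 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += (ref.start() - pos) + size_of(ref.group(1))
        pos = ref.end()
    return total + (len(text) - pos)


def entity_sizes(entities):
    """Fully expanded size of each entity, computed by arithmetic with cycle detection."""
    sizes = {}

    def size_of(name, stack):
        if name.startswith("#") or name in PREDEFINED:
            return 1  # character reference or predefined entity: one character
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: {name}")
        if name not in entities:
            raise ValueError(f"undefined entity: {name}")
        sizes[name] = expanded_length(entities[name], lambda n: size_of(n, stack | {name}))
        return sizes[name]

    for name in entities:
        size_of(name, frozenset())
    return sizes


def ref_size(sizes, name):
    """Size contributed by one reference in the document body."""
    if name.startswith("#") or name in PREDEFINED:
        return 1
    if name not in sizes:
        raise ValueError(f"undefined entity: {name}")
    return sizes[name]


def check_document(doc, max_amplification=MAX_AMPLIFICATION):
    """Return (expanded_body_size, amplification, accepted) without expanding the document."""
    sizes = entity_sizes(parse_internal_subset(doc))
    body = DOCTYPE_WITH_SUBSET.sub("", doc, count=1)
    expanded = expanded_length(body, lambda n: ref_size(sizes, n))
    amplification = expanded / max(len(doc), 1)
    return expanded, amplification, amplification <= max_amplification


def verdict(doc):
    """Human-readable decision: 'accepted' or 'rejected: <reason>'."""
    try:
        expanded, amplification, accepted = check_document(doc)
    except ValueError as exc:
        return f"rejected: {exc}"
    if accepted:
        return "accepted"
    return f"rejected: amplification {amplification:.0f}x ({expanded} bytes)"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("billion laughs", billion_laughs())]:
        print(f"{label}: input={len(doc)} bytes -> {verdict(doc)}")
```

With the default payload the innermost entity lol9 expands to 3 * 10**9 bytes from an input of a few hundred bytes, so the ratio check rejects it while the benign document passes; a pair of mutually referencing entities is rejected as recursive before any size is computed. A real parser has to apply the same bound incrementally while parsing, and to parameter entities, external entities and attribute defaults as well, which this pre-parse estimator deliberately leaves out.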
Comment 2 Gianluca Gabrielli 2021-05-19 11:01:45 UTC
Affected package:

- SUSE:Carwos:1/libxml2                           2.9.7
- SUSE:SLE-11-SP1:Update/libxml2                  2.7.6
- SUSE:SLE-12-SP2:Update/libxml2                  2.9.4
- SUSE:SLE-15:Update/libxml2                      2.9.7
- SUSE:SLE-11-SP1:Update/libxml2-python           2.7.6
- SUSE:SLE-12-SP2:Update/python-libxml2           2.9.4
- SUSE:SLE-15:Update/python-libxml2-python        2.9.7
- openSUSE:Factory/libxml2                        2.9.10

Upstream patch [0].

[0] https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e.patch
Comment 3 Pedro Monreal Gonzalez 2021-05-19 11:57:19 UTC
Thanks, Gianluca!

Here is the Factory submission: https://build.opensuse.org/request/show/894327

I'll submit to SLE in a moment.
Comment 4 Pedro Monreal Gonzalez 2021-05-19 12:36:18 UTC
Upstream bug (private): https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
Comment 7 Gianluca Gabrielli 2021-05-19 14:07:59 UTC
Thanks for the submissions Pedro. I see you as bugowner of the following packages:

- SUSE:SLE-11-SP1:Update/libxml2-python           2.7.6
- SUSE:SLE-12-SP2:Update/python-libxml2           2.9.4
- SUSE:SLE-15:Update/python-libxml2-python        2.9.7

What is the reason why you have not submitted the patch to them as well?
Comment 8 Pedro Monreal Gonzalez 2021-05-19 14:14:16 UTC
(In reply to Gianluca Gabrielli from comment #7)
> Thanks for the submissions Pedro. I see you as bugowner of the following
> packages:
> 
> - SUSE:SLE-11-SP1:Update/libxml2-python           2.7.6
> - SUSE:SLE-12-SP2:Update/python-libxml2           2.9.4
> - SUSE:SLE-15:Update/python-libxml2-python        2.9.7
> 
> What is the reason why you have not submitted the patch to them as well?

Thanks for checking. The libxml2 submissions contain the python variants.
Comment 9 Gianluca Gabrielli 2021-05-19 14:32:42 UTC
Thanks Pedro, I didn't notice.
Comment 14 Swamp Workflow Management 2021-06-09 16:17:40 UTC
SUSE-SU-2021:1917-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186015
CVE References: CVE-2021-3541
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libxml2-2.9.7-3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-libxml2-python-2.9.7-3.37.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-libxml2-python-2.9.7-3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libxml2-2.9.7-3.37.1, python-libxml2-python-2.9.7-3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libxml2-2.9.7-3.37.1, python-libxml2-python-2.9.7-3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-06-16 19:54:16 UTC
openSUSE-SU-2021:0886-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186015
CVE References: CVE-2021-3541
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libxml2-2.9.7-lp152.10.15.1, python-libxml2-python-2.9.7-lp152.10.15.1
Comment 16 Swamp Workflow Management 2021-06-18 13:28:13 UTC
SUSE-SU-2021:2016-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186015
CVE References: CVE-2021-3541
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libxml2-2.9.4-46.46.1
SUSE Linux Enterprise Server 12-SP5 (src):    libxml2-2.9.4-46.46.1, python-libxml2-2.9.4-46.46.1

Comment 17 Swamp Workflow Management 2021-07-11 14:09:42 UTC
openSUSE-SU-2021:1917-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1186015
CVE References: CVE-2021-3541
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libxml2-2.9.7-3.37.1, python-libxml2-python-2.9.7-3.37.1