Fixed
Created: Jul 11, 2017
Updated: Dec 3, 2018
Resolved Date: Aug 21, 2017
Found In Version: 6.0.0.34
Fix Version: 6.0.0.35
Severity: Severe
Applicable for: Wind River Linux 6
Component/s: Userspace

                Patch revert from OpenEmbedded
https://patches.openembedded.org/patch/140888/
Since the patch has been reverted as it brought in more trouble, I suppose we should also remove it from the product.
The libxml2 fix for CVE-2016-9318 which is included in WRL6 RCPL34 is unfortunately broken. It actually makes the CVE-2016-9318 vulnerability worse in that XML_PARSE_NONET now no longer prevents network resources from being loaded.
The fix introduces a new flag XML_PARSE_NOXXE, and a corresponding --noxxe xmllint option, but also modifies how the XML_PARSE_NONET option behaves. The fix has actually been reverted from upstream libxml2 (see https://git.gnome.org/browse/libxml2/commit/?id=030b1f7a27c22f9237eddca49ec5e620b6258d7d and https://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-9318.html).
As a test case, consider an xxe-net.xml file with the following content:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://www.robotstxt.org/robots.txt" >]><foo>&xxe;</foo>
Running "xmllint --noent --nonet --load-trace xxe-net.xml" in RCPL34 now happily loads the external entity via http. In RCPL33 it fails with an error, as expected.
Note also that adding the "--noxxe" option does nothing; the external entity is still being loaded.
As for local external entities, the new XML_PARSE_NOXXE flag does not prevent them from being loaded. Consider the xxe.xml document with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
Running "xmllint --noent --nonet --noxxe --load-trace xxe.xml" shows that the /etc/passwd file is loaded. Adding or removing the --noxxe flag changes nothing. Note that in RCPL33 there is no way to prevent the file from being loaded while still expanding entities.
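
The two manual checks above can be turned into a repeatable regression test. The script below is an added example, not part of the original report or of libxml2: it scans xmllint --load-trace output and flags any resource loaded besides the document itself. The function names and the sample trace are constructed for illustration, and the script assumes the trace lines have the form Loaded URL="..." ID="...".

```shell
#!/bin/sh
# Added example, not from the original report. Assumption: with --load-trace,
# xmllint writes one line per loaded resource to stderr in the form
#   Loaded URL="<url>" ID="<id>"

# Constructed sample trace (not captured output): the document plus the
# external entity from xxe-net.xml being fetched despite --nonet.
SAMPLE_TRACE='Loaded URL="xxe-net.xml" ID="(null)"
Loaded URL="http://www.robotstxt.org/robots.txt" ID="(null)"'

# unexpected_loads DOC: read a load trace on stdin and print every loaded URL
# other than DOC itself, tagged "network" or "local".
# Returns 1 if anything besides DOC was loaded, 0 otherwise.
unexpected_loads() {
    doc=$1
    prefix='Loaded URL="'
    found=0
    while IFS= read -r line; do
        case $line in
            "$prefix"*) ;;
            *) continue ;;
        esac
        url=${line#"$prefix"}
        url=${url%%\"*}
        [ "$url" = "$doc" ] && continue
        case $url in
            http://*|https://*|ftp://*) kind=network ;;
            *) kind=local ;;
        esac
        printf '%s %s\n' "$kind" "$url"
        found=1
    done
    return "$found"
}

# check_doc DOC [xmllint options...]: run xmllint with entity expansion and
# tracing, discard the parsed output, and check what was loaded.
check_doc() {
    doc=$1
    shift
    xmllint --noent --load-trace "$@" "$doc" 2>&1 >/dev/null | unexpected_loads "$doc"
}

if [ "$#" -gt 0 ]; then
    check_doc "$@"        # e.g. sh check.sh xxe-net.xml --nonet
else
    printf '%s\n' "$SAMPLE_TRACE" | unexpected_loads xxe-net.xml || true
fi
```

A non-zero exit status from check_doc for xxe-net.xml with --nonet indicates the regressed behaviour described above; the same check applies to xxe.xml with whichever options are expected to block the local file.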