Fixed
Created: Aug 1, 2017
Updated: Dec 3, 2018
Resolved Date: Aug 8, 2017
Found In Version: 8.0
Fix Version: 8.0.0.21
Severity: Severe
Applicable for: Wind River Linux 8
Component/s: Userspace
Patch revert from OpenEmbedded
https://patches.openembedded.org/patch/140888/
Since the patch has been reverted because it brought in more trouble, I suppose we should also remove it from the product.
The libxml2 fix for CVE-2016-9318 which is included in WRL6 RCPL34 is unfortunately broken. It actually makes the CVE-2016-9318 vulnerability worse in that XML_PARSE_NONET no longer prevents network resources from being loaded.
The fix introduces a new flag XML_PARSE_NOXXE, and a corresponding --noxxe xmllint option, but also modifies how the XML_PARSE_NONET option behaves. The fix has actually been reverted from upstream libxml2, see https://git.gnome.org/browse/libxml2/commit/?id=030b1f7a27c22f9237eddca49ec5e620b6258d7d and https://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-9318.html.
As a test case consider an xxe-net.xml file with the following content:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://www.robotstxt.org/robots.txt" >]><foo>&xxe;</foo>
Running "xmllint --noent --nonet --load-trace xxe-net.xml" in RCPL34 now happily loads the external entity via http. In RCPL33 it fails with an error, as expected.
Note also that adding the "--noxxe" option does nothing, the external entity is still being loaded.
As for local external entities, the new XML_PARSE_NOXXE flag does not prevent them from being loaded either. Consider the xxe.xml document with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
Running "xmllint --noent --nonet --noxxe --load-trace xxe.xml" shows that the /etc/passwd file is loaded. Adding or removing the --noxxe flag changes nothing. Note that in RCPL33 there is no way to prevent the file from being loaded while still expanding entities.
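Because the ticket shows that neither --nonet nor --noxxe can be relied on in the affected build, an application-side check that inspects the DTD before any entity is expanded is the practical mitigation. The following is an added example, not code from the ticket or from libxml2: it uses Python's stdlib expat binding to list external entity declarations and the references to them without fetching anything (the external-entity handler records the reference and returns 1 without creating a child parser, so nothing is loaded), and it replays the two documents from the ticket as constructed inputs.

```python
# Added example (not from the ticket or libxml2): pre-parse audit of external
# entities with Python's expat binding. Nothing is fetched, so the result does
# not depend on whether a NONET/NOXXE-style parser flag actually works.
from urllib.parse import urlsplit
import xml.parsers.expat as expat

# Constructed copies of the two test documents from the ticket.
XXE_NET = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://www.robotstxt.org/robots.txt" >]><foo>&xxe;</foo>"""

XXE_FILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>"""


def audit_external_entities(xml_bytes):
    """Return (declared, referenced): external entities declared in the DTD as
    (name, system_id, scheme) and the system ids actually referenced from
    content. A bare relative path is classified as 'file', like file:// URLs."""
    declared, referenced = [], []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC identifier => external entity
            scheme = urlsplit(system_id).scheme or "file"
            declared.append((name, system_id, scheme))

    def on_external_ref(context, base, system_id, public_id):
        referenced.append(system_id)
        return 1  # report success but never load the entity's content

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return declared, referenced


def is_safe_to_expand(xml_bytes, allow_network=False):
    """True only if expanding entities would load no local resource and, unless
    allow_network is set, no remote one either. Safe to run before handing the
    document to a parser configured with entity substitution (e.g. --noent)."""
    declared, _ = audit_external_entities(xml_bytes)
    for _name, _system_id, scheme in declared:
        if scheme == "file" or not allow_network:
            return False
    return True
```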