Wind River Support Network


LIN6-13190 : libxml2 fix for CVE-2016-9318 in RCPL34 is broken

Created: Jul 11, 2017    Updated: Dec 3, 2018
Resolved Date: Aug 21, 2017
Found In Version:
Fix Version:
Severity: Severe
Applicable for: Wind River Linux 6
Component/s: Userspace


Patch revert from OpenEmbedded
Since the patch has been reverted as it brought in more trouble, I suppose we should also remove it from the product

The libxml2 fix for CVE-2016-9318 which is included in WRL6 RCPL34 is unfortunately broken. It actually makes the CVE-2016-9318 vulnerability worse in that now the XML_PARSE_NONET does no longer prevent network resources to be loaded.

The fix introduces a new flag XML_PARSE_NOXXE, and corresponding --noxxe xmllint option, but also modifies how the XML_PARSE_NONET option behaves. The fix has actually been reverted from upstream libxml2, see,

As a test case consider a xxe-net.xml file with the following content

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "" >]><foo>&xxe;</foo>

Running "xmllint --noent --nonet --load-trace xxe-net.xml" in RCPL34 now happily loads the external entity via http. In RCPL33 it fails with an error, as expected.

Note also that adding the "--noxxe" option does nothing, the external entity is still being loaded.

As for local external entities the new XML_PARSE_NOXXE flag does not prevent them from being loaded. Consider the xxe.xml document with the following content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

Running "xmllint --noent --nonet --noxxe --load-trace xxe.xml" shows that the /etc/passwd file is loaded. Adding or removing the --noxxe flag changes nothing. Note that in RCPL33 there is no way to prevent the file from being loaded while still expanding entities.

Other Downloads

Live chat