Ubuntu
php5 package

libxml_disable_entity_loader is not theadsafe

Bug #1509817 reported by Bernhard Posselt on 2015-10-25

266

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	php5 (Ubuntu)	Fix Released	Undecided	Unassigned
	Trusty	Fix Released	Undecided	Unassigned

Bug Description

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this: https://github.com/zendframework/ZendXml however I don't think it is that widely used and the fix itself is hard: the library itself had to be patched again ([ZF2015-06])

AFAIK the patch to fix this issue has not yet been backported. I think it would be a much needed security enhancement, given that the workaround is hard and as history has shown prone to complicated unicode encoding attacks.

For more information, please see:
* https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

See original description

Tags:

CVE References

Marc Deslauriers (mdeslaur) on 2015-10-29

information type:	Private Security → Public Security
Changed in php5 (Ubuntu):
status:	New → Confirmed

Robie Basak (racb) on 2015-10-30

description:	updated
summary:	- Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04 + libxml_disable_entity_loader is not theadsafe

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-05:

#1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php5 (Ubuntu Trusty):
status:	New → Confirmed

Revision history for this message

Robie Basak (racb) wrote on 2015-11-05:

#2

This is fixed in 5.6.14+dfsg-1ubuntu1 based on the NEWS file in there reporting upstream 64938 fixed so I'm marking this Fix Released in Xenial.

It looks like this does still affect Trusty and was committed to 5.5.22 upstream and can be cherry-picked from http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

Changed in php5 (Ubuntu):
status:	Confirmed → Fix Released
Changed in php5 (Ubuntu Trusty):
status:	Confirmed → Triaged

Revision history for this message

Robie Basak (racb) wrote on 2015-11-05:

#3

Oh, it's a security bug. Un-triaging as I don't want to step on the security team triaging this.

Changed in php5 (Ubuntu Trusty):
status:	Triaged → New

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-11-05:

#4

I'll include this in the next php5 security update.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2016-04-12:

#5

Related:
http://framework.zend.com/security/advisory/ZF2015-06

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2016-04-21:

#6

Download full text (3.3 KiB)

This was fixed in:

php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
      ext/mysqlnd/mysqlnd.c.
    - CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
      ext/gd/tests/bug70976.phpt.
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    threads
    - debian/patches/bug64938.patch: enable entity loader in
      ext/libxml/libxml.c.
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending
  * This package does _NOT_ contain the chan...

This was fixed in:

php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

* SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
      ext/mysqlnd/mysqlnd.c.
    - CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
      ext/gd/tests/bug70976.phpt.
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    threads
    - debian/patches/bug64938.patch: enable entity loader in
      ext/libxml/libxml.c.
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending
  * This package does _NOT_ contain the changes from php5
    (5.5.9+dfsg-1ubuntu4.15) in trusty-proposed.

-- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 20 Apr 2016 09:52:09 -0400

Changed in php5 (Ubuntu Trusty):
status:	New → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.