libxml_disable_entity_loader is not theadsafe

Bug #1509817 reported by Bernhard Posselt
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Fix Released
Fix Released

Bug Description

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this: however I don't think it is that widely used and the fix itself is hard: the library itself had to be patched again ([ZF2015-06])

AFAIK the patch to fix this issue has not yet been backported. I think it would be a much needed security enhancement, given that the workaround is hard and as history has shown prone to complicated unicode encoding attacks.

For more information, please see:
* (fixed in 5.5.22)

Tags: xml xxe
information type: Private Security → Public Security
Changed in php5 (Ubuntu):
status: New → Confirmed
Robie Basak (racb)
description: updated
summary: - Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04
+ libxml_disable_entity_loader is not theadsafe
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php5 (Ubuntu Trusty):
status: New → Confirmed
Revision history for this message
Robie Basak (racb) wrote :

This is fixed in 5.6.14+dfsg-1ubuntu1 based on the NEWS file in there reporting upstream 64938 fixed so I'm marking this Fix Released in Xenial.

It looks like this does still affect Trusty and was committed to 5.5.22 upstream and can be cherry-picked from;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

Changed in php5 (Ubuntu):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Trusty):
status: Confirmed → Triaged
Revision history for this message
Robie Basak (racb) wrote :

Oh, it's a security bug. Un-triaging as I don't want to step on the security team triaging this.

Changed in php5 (Ubuntu Trusty):
status: Triaged → New
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'll include this in the next php5 security update.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Download full text (3.3 KiB)

This was fixed in:

php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
    - CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    - debian/patches/bug64938.patch: enable entity loader in
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
    - CVE number pending
  * This package does _NOT_ contain the chan...


Changed in php5 (Ubuntu Trusty):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers