libxml_disable_entity_loader is not theadsafe

Bug #1509817 reported by Bernhard Posselt on 2015-10-25
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this: https://github.com/zendframework/ZendXml however I don't think it is that widely used and the fix itself is hard: the library itself had to be patched again ([ZF2015-06])

AFAIK the patch to fix this issue has not yet been backported. I think it would be a much needed security enhancement, given that the workaround is hard and as history has shown prone to complicated unicode encoding attacks.

For more information, please see:
* https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

information type: Private Security → Public Security
Changed in php5 (Ubuntu):
status: New → Confirmed
Robie Basak (racb) on 2015-10-30
description: updated
summary: - Please backport PHP fix #64938 (fixed in 5.5.22) on 14.04
+ libxml_disable_entity_loader is not theadsafe
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php5 (Ubuntu Trusty):
status: New → Confirmed
Robie Basak (racb) wrote :

This is fixed in 5.6.14+dfsg-1ubuntu1 based on the NEWS file in there reporting upstream 64938 fixed so I'm marking this Fix Released in Xenial.

It looks like this does still affect Trusty and was committed to 5.5.22 upstream and can be cherry-picked from http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

Changed in php5 (Ubuntu):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Trusty):
status: Confirmed → Triaged
Robie Basak (racb) wrote :

Oh, it's a security bug. Un-triaging as I don't want to step on the security team triaging this.

Changed in php5 (Ubuntu Trusty):
status: Triaged → New
Marc Deslauriers (mdeslaur) wrote :

I'll include this in the next php5 security update.

Marc Deslauriers (mdeslaur) wrote :
Download full text (3.3 KiB)

This was fixed in:

php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
      ext/mysqlnd/mysqlnd.c.
    - CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
      ext/gd/tests/bug70976.phpt.
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    threads
    - debian/patches/bug64938.patch: enable entity loader in
      ext/libxml/libxml.c.
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending
  * This package does _NOT_ contain the chan...

Read more...

Changed in php5 (Ubuntu Trusty):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers