From 430364faa49750b33c07264f07956459b2d1d902 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 21 2017 02:52:56 +0000
Subject: import xmlsec1-1.2.20-7.el7_4
---
diff --git a/SOURCES/CVE-2017-1000061.patch b/SOURCES/CVE-2017-1000061.patch
new file mode 100644
index 0000000..3d86f10
--- /dev/null
+++ b/SOURCES/CVE-2017-1000061.patch
@@ -0,0 +1,132 @@
+diff -uPr xmlsec1-1.2.20/apps/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c
+--- xmlsec1-1.2.20/apps/xmlsec.c 2017-08-09 12:45:45.246669522 -0400
++++ xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c 2017-07-18 12:21:59.554749331 -0400
+@@ -528,6 +528,19 @@
+ NULL
+ };
+ 
++static xmlSecAppCmdLineParam xxeParam = {
++ xmlSecAppCmdLineTopicAll,
++ "--xxe",
++ NULL,
++ "--xxe"
++ "\n\tenable External Entity resolution."
++ "\n\tWARNING: this may allow the reading of arbitrary files and URLs,"
++ "\n\tcontrolled by the input XML document. Use with caution!",
++ xmlSecAppCmdLineParamTypeFlag,
++ xmlSecAppCmdLineParamFlagNone,
++ NULL
++};
++
+ 
+ /****************************************************************
+ *
+@@ -904,6 +917,7 @@
+ &disableErrorMsgsParam,
+ &printCryptoErrorMsgsParam,
+ &helpParam,
++ &xxeParam,
+ 
+ /* MUST be the last one */
+ NULL
+@@ -1087,6 +1101,11 @@
+ goto fail;
+ }
+ 
++ /* enable XXE? */
++ if(xmlSecAppCmdLineParamIsSet(&xxeParam)) {
++ xmlSecSetExternalEntityLoader( NULL ); // reset to libxml2's default handler
++ }
++
+ /* get the "repeats" number */
+ if(xmlSecAppCmdLineParamIsSet(&repeatParam) &&
+ (xmlSecAppCmdLineParamGetInt(&repeatParam, 1) > 0)) {
+diff -uPr xmlsec1-1.2.20/include/xmlsec/xmlsec.h xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h
+--- xmlsec1-1.2.20/include/xmlsec/xmlsec.h 2014-05-27 14:29:01.000000000 -0400
++++ xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h 2017-07-18 12:21:59.555749324 -0400
+@@ -89,6 +89,7 @@
+ 
+ XMLSEC_EXPORT int xmlSecInit (void);
+ XMLSEC_EXPORT int xmlSecShutdown (void);
++XMLSEC_EXPORT void xmlSecSetExternalEntityLoader (xmlExternalEntityLoader);
+ 
+ 
+ 
+diff -uPr xmlsec1-1.2.20/src/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c
+--- xmlsec1-1.2.20/src/xmlsec.c 2014-05-27 14:29:01.000000000 -0400
++++ xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c 2017-08-09 12:44:03.386416274 -0400
+@@ -25,6 +25,56 @@
+ #include
+ 
+ /**
++ * Custom external entity handler, denies all files except the initial
++ * document we're parsing (input_id == 1)
++ */
++/* default external entity loader, pointer saved during xmlInit */
++static xmlExternalEntityLoader
++xmlSecDefaultExternalEntityLoader = NULL;
++
++/*
++ * xmlSecNoXxeExternalEntityLoader:
++ * @URL: the URL for the entity to load
++ * @ID: public ID for the entity to load
++ * @ctxt: XML parser context, or NULL
++ *
++ * See libxml2's xmlLoadExternalEntity and xmlNoNetExternalEntityLoader.
++ * This function prevents any external (file or network) entities from being loaded.
++ */
++static xmlParserInputPtr
++xmlSecNoXxeExternalEntityLoader(const char *URL, const char *ID,
++ xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL) {
++ return(NULL);
++ }
++ if (ctxt->input_id == 1) {
++ return xmlSecDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
++ }
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ NULL,
++ "xmlSecNoXxeExternalEntityLoader",
++ XMLSEC_ERRORS_R_XML_FAILED,
++ "illegal external entity='%s'", xmlSecErrorsSafeString(URL));
++ return(NULL);
++}
++
++/*
++ * xmlSecSetExternalEntityLoader:
++ * @entityLoader: the new entity resolver function, or NULL to restore
++ * libxml2's default handler
++ *
++ * Wrapper for xmlSetExternalEntityLoader.
++ */
++void
++xmlSecSetExternalEntityLoader(xmlExternalEntityLoader entityLoader) {
++ if (entityLoader == NULL) {
++ entityLoader = xmlSecDefaultExternalEntityLoader;
++ }
++ xmlSetExternalEntityLoader(entityLoader);
++}
++
++
++/**
+ * xmlSecInit:
+ *
+ * Initializes XML Security Library. The depended libraries
+@@ -85,6 +135,12 @@
+ }
+ #endif /* XMLSEC_NO_XKMS */
+ 
++ /* initialise safe external entity loader */
++ if (!xmlSecDefaultExternalEntityLoader) {
++ xmlSecDefaultExternalEntityLoader = xmlGetExternalEntityLoader();
++ }
++ xmlSetExternalEntityLoader(xmlSecNoXxeExternalEntityLoader);
++
+ /* we use rand() function to generate id attributes */
+ srand(time(NULL));
+ return(0);
+@@ -182,4 +238,3 @@
+ return(1);
+ }
+ 
+-
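Review bot: `xmlSecSetExternalEntityLoader(NULL)` hands libxml2 a NULL loader if it is called before `xmlSecInit()`, because `xmlSecDefaultExternalEntityLoader` is only captured in the init hunk and the NULL fallback copies it without checking; libxml2's setter does not appear to reject NULL, so the next external-entity load would call through a null function pointer. A guard before the setter, `if (entityLoader == NULL) { return; }` (libxml2's own default is still the active loader in that case), closes it. The `ctxt->input_id == 1` test in `xmlSecNoXxeExternalEntityLoader` is the whole policy, yet the comment only says "initial document"; I would state there that it relies on libxml2's parser-context counter starting at 1 and advancing for each input stream it creates, so anything fetched after the primary input — external DTD subsets as well as entities — is refused, and that this should be confirmed against the libxml2 version being built against. Worth documenting as well that the loader is installed process-wide in `xmlSecInit()` and nothing in the patch restores the previous one at shutdown, so every libxml2 parse in the process, not only xmlsec's, is affected once the library is initialised.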
diff --git a/SPECS/xmlsec1.spec b/SPECS/xmlsec1.spec
index 1696256..6662cde 100644
--- a/SPECS/xmlsec1.spec
+++ b/SPECS/xmlsec1.spec
@@ -1,7 +1,7 @@
 Summary: Library providing support for "XML Signature" and "XML Encryption" standards
 Name: xmlsec1
 Version: 1.2.20
-Release: 5%{?dist}%{?extra_release}
+Release: 7%{?dist}%{?extra_release}
 License: MIT
 Group: System Environment/Libraries
 Source0: http://www.aleksey.com/xmlsec/download/xmlsec1-%{version}.tar.gz
@@ -23,6 +23,7 @@ BuildRequires: gettext-devel BuildRequires: libtool Patch3: xmlsec1-1.2.20-covscan-fixes.patch +Patch10: CVE-2017-1000061.patch %description XML Security Library is a C library based on LibXML2 and OpenSSL.
@@ -126,6 +127,7 @@ Libraries, includes, etc. for developing XML Security applications with NSS. %prep %setup -q %patch3 -p1 -b .covscan +%patch10 -p1 -b .CVE-2017-1000061 %build autoreconf -if
@@ -219,6 +221,15 @@ rm -fr ${RPM_BUILD_ROOT} %{_libdir}/pkgconfig/xmlsec1-nss.pc %changelog +* Wed Aug 9 2017 Simo Sorce - 1.2.20-7 +- CVE-2017-1000061 +- Related: #1472092 +- Fix mis-applied patch hunk + +* Tue Jul 18 2017 Simo Sorce - 1.2.20-6 +- CVE-2017-1000061 +- Resolves: #1472092 + * Fri Sep 5 2014 Simo Sorce - 1.2.20-5 - Add package to RHEL7 - Resolves: #1118038