Package: libxml-libxml-perl
Version: 2.0207+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
The recent change about load_ext_dtd introduced an unexpected issue, with possible security implications: when one sets validation to 1 without also setting load_ext_dtd to 1, the document is always regarded as valid.

It is probable that existing scripts that set validation to 1 do not explicitly set load_ext_dtd to 1, because load_ext_dtd = 1 was the default and also because it is rather obvious that if the user wants validation, he also wants to load the DTD, which is needed for the validation. So this silently breaks validation.

This may have security implications, as validation can normally be used to check that input from an untrusted source does not contain unexpected content (e.g. content that is likely to yield data injection). See for instance: https://cwe.mitre.org/data/definitions/112.html

Example:

------------------------------------------------------------
#!/usr/bin/env perl
# Parse, with validation enabled, a document whose external DTD
# cannot be loaded.
use strict;
use warnings;
use XML::LibXML;

my $s = <<EOF;
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF

my $parser = XML::LibXML->new();
$parser->validation(1);
my $doc = $parser->parse_string($s);
------------------------------------------------------------

With libxml-libxml-perl 2.0134+dfsg-2, the fact that the DTD could not be loaded was properly reported, with a fatal error:

:2: I/O error : failed to load external entity "does-not-exist.dtd"
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
                                           ^
:3: validity error : Validation failed: no DTD found !
<root/>
       ^

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libxml-libxml-perl depends on:
ii  libc6                         2.33-5
ii  libxml-namespacesupport-perl  1.12-1.1
ii  libxml-sax-perl               1.02+dfsg-3
ii  libxml2                       2.9.12+dfsg-5+b1
ii  perl                          5.32.1-6
ii  perl-base [perlapi-5.32.1]    5.32.1-6

libxml-libxml-perl recommends no packages.

libxml-libxml-perl suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
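The following is an added example, not part of the bug report above and not code from XML::LibXML itself. It shows two ways for a script to keep validation effective once validation(1) no longer implies load_ext_dtd(1), and a canary that detects the silent "always valid" behaviour the report describes. The function names (parse_validated, parse_against_trusted_dtd, validation_silently_skipped), the sample documents and the DTD text are all constructed for this example; the XML::LibXML options and methods used (validation, load_ext_dtd, no_network, expand_entities, XML::LibXML::Dtd->parse_string, $doc->validate) are the module's documented ones.

```perl
#!/usr/bin/env perl
# Added example, not part of the original bug report or of XML::LibXML.
# Two ways to keep validation effective now that validation(1) no longer
# implies load_ext_dtd(1), plus a canary for the silent "always valid"
# behaviour described in the report.
use strict;
use warnings;
use XML::LibXML;

# Constructed input: the DOCTYPE names an external DTD that does not exist
# (same shape as the document in the report).
my $xml_missing_dtd = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF

# Constructed input: well-formed, but not allowed by the DTD below.
my $xml_bad_shape = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<root><unexpected/></root>
EOF

# Constructed input: conforms to the DTD below.
my $xml_good_shape = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<root><item>ok</item></root>
EOF

# Constructed DTD kept by the application, independent of whatever the
# untrusted input's DOCTYPE points at.
my $trusted_dtd_text = <<'EOF';
<!ELEMENT root (item*)>
<!ELEMENT item (#PCDATA)>
EOF

# Pattern 1: keep DOCTYPE-driven validation, but request DTD loading
# explicitly so that an unloadable DTD is a fatal error again.  no_network
# stops the parser from fetching a DTD URL chosen by the input's author,
# and expand_entities(0) keeps entity expansion out of the picture.
sub parse_validated {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(
        validation      => 1,
        load_ext_dtd    => 1,   # must be explicit: validation(1) alone no longer loads it
        no_network      => 1,
        expand_entities => 0,
    );
    return $parser->parse_string($xml);   # dies on parse or validity errors
}

# Pattern 2: ignore the input's DOCTYPE entirely and validate the parsed
# tree against a DTD the application supplies.  Nothing external is loaded.
sub parse_against_trusted_dtd {
    my ($xml, $dtd_text) = @_;
    my $parser = XML::LibXML->new(
        validation      => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
        expand_entities => 0,
    );
    my $doc = $parser->parse_string($xml);
    my $dtd = XML::LibXML::Dtd->parse_string($dtd_text);
    $doc->validate($dtd);   # dies with the validity errors on failure
    return $doc;
}

# Canary for the regression in the report: on the affected version,
# validation(1) without load_ext_dtd(1) accepts a document whose DTD cannot
# be loaded.  Returns 1 if that silent acceptance is observed.
sub validation_silently_skipped {
    my $parser = XML::LibXML->new();
    $parser->validation(1);   # deliberately without load_ext_dtd(1)
    my $accepted = eval { $parser->parse_string($xml_missing_dtd); 1 };
    return $accepted ? 1 : 0;
}

sub try_parse {
    my ($label, $code) = @_;
    my $ok = eval { $code->(); 1 };
    my $msg = "$@";
    $msg =~ s/\n.*//s;   # first line of the error only
    printf "%-28s %s\n", $label, $ok ? "ACCEPTED" : "REJECTED: $msg";
}

try_parse("pattern 1, missing DTD", sub { parse_validated($xml_missing_dtd) });
try_parse("pattern 2, bad shape",   sub { parse_against_trusted_dtd($xml_bad_shape,  $trusted_dtd_text) });
try_parse("pattern 2, good shape",  sub { parse_against_trusted_dtd($xml_good_shape, $trusted_dtd_text) });
printf "validation(1) alone silently skipped: %s\n",
    validation_silently_skipped() ? "yes (affected version)" : "no";
```

Pattern 2 is the safer default for untrusted input: the DTD never comes from the document being checked, so neither the missing-DTD regression nor a DOCTYPE pointing at an attacker-chosen URL can affect the outcome. The canary belongs in a test suite, since a library upgrade that turns validation into a no-op produces no error to notice otherwise.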