Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
libplist.27937
libplist-CVE-2015-10082.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libplist-CVE-2015-10082.patch of Package libplist.27937
From c086cb139af7c82845f6d565e636073ff4b37440 Mon Sep 17 00:00:00 2001 From: Martin Szulecki <m.szulecki@libimobiledevice.org> Date: Fri, 23 Jan 2015 14:56:59 +0100 Subject: [PATCH] xplist: Fix limited but possible XXE security vulnerability with XML plists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By using a specifically crafted XML file an attacker could use plistutil to issue a GET request to an arbitrary URL or disclose a local file. The crafted XML file would be using a custom DTD with an external entity reference pointing to the file. Practical abuse is limited but let's still fix it nevertheless. Related to CVE-2013-0339 for libxml2 and CWE-827. Reported by Loïc Bénis from calypt.com. Thanks! --- src/xplist.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/xplist.c b/src/xplist.c index 4c106aa..2e86ee5 100644 --- a/src/xplist.c +++ b/src/xplist.c @@ -29,6 +29,7 @@ #include <inttypes.h> #include <locale.h> +#include <libxml/xmlIO.h> #include <libxml/parser.h> #include <libxml/tree.h> @@ -555,11 +556,22 @@ PLIST_API void plist_to_xml(plist_t plist, char **plist_xml, uint32_t * length) } } +static xmlParserInputPtr plist_xml_external_entity_loader(const char *URL, const char *ID, xmlParserCtxtPtr ctxt) +{ + return NULL; +} + PLIST_API void plist_from_xml(const char *plist_xml, uint32_t length, plist_t * plist) { - xmlDocPtr plist_doc = xmlParseMemory(plist_xml, length); - xmlNodePtr root_node = xmlDocGetRootElement(plist_doc); + /* CVE-2013-0339: disable external entity loading to prevent XXE vulnerability */ + xmlSetExternalEntityLoader(plist_xml_external_entity_loader); - xml_to_node(root_node, plist); - xmlFreeDoc(plist_doc); + /* read XML from memory and disable network access for security reasons */ + xmlDocPtr plist_doc = xmlReadMemory(plist_xml, length, "plist_from_xml:memory", NULL, XML_PARSE_NONET); + if (plist_doc) { + xmlNodePtr root_node = xmlDocGetRootElement(plist_doc); + + xml_to_node(root_node, plist); + xmlFreeDoc(plist_doc); + } } -- 2.39.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor